Encryption Deba

I sympathize with both sides of the discussion around the level of security that should be inserted into products. The Government argues that enabling strong encryption enables and emboldens criminals such as terrorists and child traffickers. Technology companies argue that weakening encryption puts the law-abiding public at risk of malicious actors who gain access to people’s accounts through malware or phishing attacks.


In this case, however, I need to side with the Government’s argument while using the technology companies’ argument as a constraint. I believe strong encryption can be implemented with controls in place to allow legitimate government oversight when appropriate.


Utilizing a cryptographic function known as “secret sharing”, strong encryption keys can be broken into pieces so that multiple government agencies or watchgroup organizations each hold a part of the decryption key. If the key is broken into five (5) segments, where 2/5 of the segments are held by several groups, three (3) groups would have to cooperate in order to access the decryption key. One might propose utilizing the Department of Energy, the Federal Communications Commission, and the Food and Drug Administration as three (3) federal agencies that have a strong cyber presence without a direct law enforcement function. The US Postal Service and the Technology Company itself could round out the remaining five (5) organizations who would need to cooperate whenever a legal warrant was presented to decrypt information. If this isn’t acceptable to privacy advocates, one might consider Federally Funded Research and Development Centers (FFRDCs) as less directly government organizations.


This isn’t new technology; in the early 2000s we utilized Secret Sharing at Lotus Development Corporation, a one-time division of IBM, to enable pass-phrase recovery capabilities. It allowed companies to select people who could apply their keys against a shared secret to recover the pass-phrase of different individuals. The technology even enabled us to have different people in the pool for different organizations; the individuals who could recover the pass-phrases of the R&D department might be a different group of individuals than those who could recover the pass-phrases of the Accounting department.


The point is, technology could enable strong encryption while also protecting against malicious actors. Neither side’s position is mutually exclusive - if legislation is enacted, I would recommend that it balance both sides’ concerns.


More articles by Michael Kapfer
