FBI might make some billionaires
The first rule of having an adult conversation is to know what you’re talking about. FBI director James Comey, who wants an ‘adult conversation’ about encryption, clearly does not. In that lies a big business opportunity for non-US software firms.
Addressing a conference last month, Comey harped on about a pet subject: that of criminals ‘going dark’ and the need for law enforcement to be able to access encrypted data and communications. He wants US companies to implement backdoors into their encryption systems. In fact, he likes to call it a ‘front door’, presumably thinking of SWAT teams ramming them down in pursuit of people to terrorise.
The problem is that there is no theoretical way in which a government agency can hold a golden key to encrypted data without making encryption insecure by definition. If it’s not abused by law enforcement, which is far from given, it will be exploited by hackers and criminal syndicates, guaranteed. This will make all business communications and data storage affected by the backdoor inherently insecure, and means nobody can comply with business and legal requirements to keep certain data – like medical records, attorney-client correspondence, sensitive R&D, financial and banking data, or private customer information – confidential.
If the FBI is successful in forcing American software companies to create backdoors in encryption, either those companies will conduct their encryption-related business from jurisdictions without stupid laws, or customers will take their business elsewhere.
A global business
This isn’t the first time the US has made this mistake. Back in the 1990s, strong encryption was classified as military munitions, and subject to strict export restrictions. South African entrepreneur Mark Shuttleworth started a company specialising in X.509 certificates for public key encryption. Four years later, his company, Thawte, had about 50% of the global market for browser-based encryption, and was bought for $575 million by his major competitor, VeriSign.
Today, Shuttleworth is a rand-billionaire who paid for a trip to space and started the most popular Linux distribution in the world, Ubuntu. Thanks, America!
The point is that you can’t place national controls on software. It’s a global business, written wherever people have access to the internet, and much of it consists of open-source code that is freely distributable and adaptable.
Even if one does pass laws that apply to companies that provide encrypted services, such as Google or Apple, it’s relatively simple to encrypt data or communication without depositing keys with a company subject to such laws. Terrorists and criminals who aren’t happy to hide in plain sight are unlikely to turn to insecure systems that require them to surrender their encryption keys to a third party.
To this day, the US maintains restrictions on the export of military-grade encryption, as do countries that are party to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, which includes South Africa.
South Africa sensibly does not require implicit back-door access to encrypted data or communications. By analogy to a real-world search warrant, it requires key holders to surrender their keys when a court orders them to. Failure to do so is a criminal offence, with a penalty of a R2 million fine or ten years in prison.
Local companies that have developed military-grade encryption solutions already exist. Here’s hoping South Africa lets them export this stuff, and the Federal Bureau of Idiots makes them all billionaires. Then we can all have adult conversations, without James Comey listening in.