Does anyone really want the government deciding encryption policy?

If people spent half as much time protecting their data as they do trying to prevent the data being protected, we'd all be far better off.

Security and privacy debates are highly nuanced, allowing for much interpretation, balancing acts and differences of opinion. For that reason, I try to be tolerant of a wide range of views on the subject. Every so often, though, some executive says something so divorced from logic and reality that silence is not an option. Enter AT&T CEO Randall Stephenson and his attack on Apple's encryption efforts.

Far be it from me to suggest that AT&T is really the last company on the planet that should be wading into a public debate on privacy issues. As The Verge observed: "Documents leaked by Edward Snowden portray the relationship between AT&T and the government as rather cozy. AT&T is credited as being 'highly collaborative' and has installed far more surveillance equipment than its fellow U.S. wireless carriers. The government has paid AT&T millions of dollars in return."

But there's no reason to go there. The encryption argument falls apart on its own merits.

Let's start with what the AT&T CEO told The Wall Street Journal last week at the World Economic Forum in Davos, Switzerland. Stephenson was discussing Apple CEO Tim Cook's many comments that Apple will not create a backdoor in its devices for government agents to use to monitor communication.

“I don’t think it is Silicon Valley’s decision to make about whether encryption is the right thing to do. I understand Tim Cook’s decision, but I don’t think it’s his decision to make,” Stephenson said. “I personally think that this is an issue that should be decided by the American people and Congress, not by companies.”

The American people and Congress? Is he envisioning some sort of a national referendum on encryption policy? Let's assume he meant "the American people via Congress," which is frightening enough on its own.

Members of Congress overwhelmingly choose from positions argued by different lobbying forces—and AT&T is one of the most prominent. (And, in fairness, so is Apple.) There are no well-funded advocates for privacy in those chats, so it's a rather one-sided discussion.

Members of the intelligence community argue their need for data access, along the lines of "if it's a device that terrorists can use, it's a device that we need to be able to monitor." That's a fair point. Apple's counter is that any backdoor that the intelligence community can use is also going to be a way for bad guys to listen in. And "bad guys" in this reference means terrorists and cyberthieves as well as rank-and-file burglars and murderers looking to track targets.

Of course, Apple's motivation is not to protect privacy as much as to give consumers a reason to buy watches, phones and tablets from Apple instead of somebody else.

In short, Apple's argument is that a backdoor would cause as much—if not more—harm as it would good and AT&T's argument is that the wise minds in Congress should make this decision.

Personally, I don't trust any of these players. But given a choice, I'd rather companies make the choice for their own products. Then the people, as consumers, would vote with their money on how they want this played. If you compare the percentage of Americans who vote with the percentage of Americans who buy phones, tablets and wearables, I think the marketplace is the more participatory approach.

But this encryption insanity doesn't just include the CEOs of Apple and AT&T. A bill was introduced in the California Assembly last week that would "require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider." Noncompliance would carry a civil penalty of $2,500 for each smartphone sold or leased.

This bill is as good as giving data to the government, as the government could simply subpoena that data. Apple's move sidesteps that by never collecting the data.

By the way, if you think that this is all U.S. insanity and that European countries like the U.K. treat privacy with more respect, think again. Courtesy of security guru Bruce Schneier's blog comes this scary tidbit: "The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it's an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there's no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping. And GCHQ (British Intelligence operation) previously rejected a more secure standard, MIKEY-IBAKE, because it didn't allow undetectable spying. Both the NSA and GCHQ repeatedly choose surveillance over security."

Let's take this all up a level. For the moment, set aside all of the lobbying and marketing interests ("What will get us the most money, in terms of revenue?") as well as the congressional political issues ("What will get us the most votes?" as well as "What will get us the most money, in terms of corporate contributions and PACs and Super PACs?").

If we assume altruistic motivations for all (I know no one involved has altruistic motives, but stick with me for a moment—it's my column) this argument boils down to: What is the best way to keep everyone safe from the various bad guys out there?

In one limited sense, this shares an argument from the U.S. gun debates. Is it safer for an individual to have a gun or is it more likely that the bad guy would simply take that gun and use it against the citizen? In the encryption argument, the question is whether it's safer to let the government have full access or will that just make it easier for the bad guys to steal that full access? (Notice how I avoided the specific issues of privacy versus security, as that forces us into the "privacy as a right" debate. Not going there today.)

Framed in that "which truly makes us safer" perspective, I think there are good arguments on both sides. But if that technology-oriented question is going to be answered by any individual, I'm somehow more comfortable with the Tim Cooks making that call than some politician. At least Tim Cook is honest about his motivation.
