The New Warning Label

I think it’s time to channel my inner Spock and analyze the encryption debate from a purely logical point of view. I know — these days, what’s logic got to do with anything? But sometimes we get so caught up in what we hope, wish, or believe to be true that we ignore plainly obvious facts and conclusions.

The History of Misled Legislation

In the U.S. over the past century, we’ve tried banning our way out of many things only to learn that magic doesn’t exist — but Newton’s and Murphy’s laws do. In the 1920s, Prohibition laws that were intended to curtail the production, transport, and consumption of alcohol led to the rise of organized crime instead, a situation summed up so succinctly by Robert De Niro in his portrayal of a pragmatic Al Capone in the 1987 film The Untouchables: “People are going to drink.” 

We’ve spent the last 50 years fighting the War on Drugs and it’s still not clear if our efforts have done any more to reduce drug use or drug-related violence than “Just Say No” campaigns or other awareness efforts. Decades of increasingly progressive gun control laws haven’t ended the gun violence that plagues many of our cities, either.

Recently, lawmakers proposed the Lawful Access to Encrypted Data Act. Here we go again. I’ve argued against encryption bans before on technical, moral, and legal grounds. This time, let’s forget about whether it’s right or wrong and simply apply logic and common sense. What does banning encryption intend to accomplish and will it work?

The bill forbids companies like Wickr from building products with so-called “warrant-proof” encryption. By warrant-proof, they mean end-to-end (E2E) encryption that prevents the service provider from accessing and turning over meaningful user data in response to a legal demand. It’s pretty clear that they hold a very negative view of E2E encryption.

The Development of End-to-End Encryption

It’s important to realize that the rise of E2E followed many failings of other forms of encryption over the years. As it turns out, implementing encryption properly is almost as tricky as the math behind it. It’s not just picking an algorithm — it’s using it correctly, creating keys properly, sharing keys securely, using the right randomness, and so on. Many products and services have failed miserably at these things, leading to painful losses for users.

It’s been particularly difficult to get encryption right in messaging. Traditional “point to point” or client-to-server encryption (e.g., HTTPS, TLS) may be easy to implement, and may even be fine to secure traffic between web browsers and online banking services, but for sending messages between users, it’s not so great. 

Using client-to-server encryption for messaging is like speaking with your friends and coworkers through a third party — a scribe who tells you what your counterpart said and forwards your messages in return. Is it so difficult to predict where such a system is likely to fail? Of course not. Compromise the third party (i.e., the back-end messaging service) and it’s game over. It doesn’t even matter if it’s encrypted on the wire. End-to-end encryption is the technical equivalent of good old-fashioned common sense, which asks: why would you trust anyone other than the intended recipient with a private message?
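The difference described above, as an added Node.js example (not Wickr's code or protocol): the same relay forwards a message once with transport encryption only and once with an end-to-end layer inside it, and we record what the relay can read. The function names, the per-user link keys standing in for TLS sessions, and the assumption that the two users already hold each other's authentic public keys are all illustrative.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seal/open; a sealed box is base64(iv | tag | ciphertext).
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}
function open(key, box) {
  const raw = Buffer.from(box, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// The relay terminates transport encryption for each user (stand-in for TLS),
// so whatever sat inside the link layer is visible to it, and to anyone who
// compromises it.
function relay(payload) {
  const aliceLink = crypto.randomBytes(32);
  const bobLink = crypto.randomBytes(32);
  const serverSees = open(aliceLink, seal(aliceLink, payload)); // Alice -> server
  const delivered = open(bobLink, seal(bobLink, serverSees));   // server -> Bob
  return { serverSees, delivered };
}

// End-to-end key: X25519 agreement between the two users, run through HKDF.
// Assumes each side already has the other's authentic public key.
function pairKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2e-demo', 32));
}

function compare(message) {
  const c2s = relay(message); // client-to-server encryption only
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const e2e = relay(seal(pairKey(alice.privateKey, bob.publicKey), message));
  const bobReads = open(pairKey(bob.privateKey, alice.publicKey), e2e.delivered);
  return { c2sServerSees: c2s.serverSees, e2eServerSees: e2e.serverSees, bobReads };
}

console.log(compare('meet at noon')); // constructed sample message
```

In the first case the relay holds the plaintext even though every hop was encrypted; in the second it holds only a sealed box it has no key for.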

Over the past decade, E2E has dramatically improved the security afforded to private consumer and enterprise communication. Like VPNs and a precious few other leaps forward in usable security technology, E2E has greatly reduced risk for global business and has quite literally saved lives in various worldwide struggles against government oppression. In the current state of the art, it is the best we can do.

Logical Conclusions of This Legislation 

So, what will happen if we’re forced to remove end-to-end encryption in Wickr? Simple — users will abandon us and find something else that meets their needs.

What if our users can’t find another U.S.-built product with adequate encryption and security? Simple — they’ll find a foreign product.

What if no foreign product exists? They’ll hire someone and build it themselves.

The basic truth is this: no matter what Congress says about what companies like Wickr can and can’t build, users still need security. And one way or another, they’re going to get it. 

Some of our customers are the most patriotic, service-oriented people I’ve ever met, but I’ll tell you one thing — no matter what Congress says, they’re not going to stand by while we compromise our service and put their data at greater risk, just for the theoretical benefit of making criminals who misuse it easier to catch. Nor should they.

What about the problem the legislature was trying to address? Not solved. The same criminals will end up using the same encryption on different services and law enforcement still won’t be able to access the data.

I hate it when criminals misuse privacy technology as much as anyone. However, I don’t see how compromising security for everyone will do anything but create more victims, and creating more victims is a terrible crime-fighting strategy.

The New Warning Label 

Ultimately, the Lawful Access to Encrypted Data Act will do nothing but put U.S. companies out of business and U.S. citizens at risk. That’s the bottom line. Ironically, Congress is proposing legislation like this while at the same time the President is pushing for bans on foreign technology providers like Huawei and TikTok for potentially cooperating with their government’s spying efforts. I wonder how this action is being viewed around the world.

It would seem that the moral high ground is beginning to crumble under our feet. “Made in the USA” used to mean built to the highest standards. Legislation like this would turn that phrase into a warning label.