Most encryption products far beyond reach of US law enforcement
Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.
FBI Director James Comey (l.), Director of National Intelligence (DNI) James Clapper (c.) and CIA Director John Brennan (r.) testify before a Senate Intelligence Committee hearing on Feb. 9 in which Mr. Comey said his agency's efforts are hampered by encrypted communications.
Carlos Barria/Reuters
If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.
Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.
"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society. "This is a much more international market."
Schneier analyzed 865 hardware and software products in 54 countries (including the US) that offer some form of encryption. Some of the smaller firms, he found, capitalize on the protection the international market offers by storing source code in multiple countries, making it easier for them to relocate if the laws in one country become unfavorable to encryption.
The study comes as the American tech sector is mired in a debate with senior law enforcement and intelligence officials over access to communication that's encrypted on consumer devices. Some law enforcement officials, for instance, want companies such as Apple and Google to ensure the government can access encrypted data when agents have a warrant.
This week, FBI director James Comey said encryption has prevented his bureau from getting into a phone belonging to one of the perpetrators of the San Bernardino, Calif., terrorist attack.
While some FBI officials have acknowledged there could be a security cost associated with giving agencies ways to access encrypted communications, many in law enforcement say it's worth the risk if it means thwarting a terrorist attack.
But Schneier wants to debunk that reasoning.
"The argument is that that vulnerability is worth it because police can catch criminals," said Schneier. "Well, that’s not true because the criminals will switch [products]. So you’re left with the cost and not getting the benefit."
Privacy advocates and most tech companies agree that building a so-called "backdoor" into encrypted communications puts consumers at a greater risk of being targeted by criminal hackers. What's more, privacy advocates argue, if tech companies give the US government access to encrypted data, other governments could seek similar avenues to surveil activists, journalists, and political dissidents.
But even buying products from companies based outside the US doesn't necessarily guarantee data is immune from US snooping. Britain and the US to potentially allow the US to compel British tech companies to hand over American data, and give Britain the same power in the US.
Schneier’s survey that looked at the availability of foreign encryption products after the US government placed export restrictions on encryption software. That ban gave rise to region-specific markets for those looking to evade government surveillance by using encryption. Geographic location matters much less in today's market, however, because the Internet allows consumers to buy encryption products from around the world.
Secure communications company Silent Circle, for instance, is based in Switzerland but has customers in many different countries. It moved its headquarters to Le Grand-Saconnex outside Geneva in 2014 specifically because the Swiss enjoy
"Having a pro-privacy stance from the government [of the country] that the company was based in was not only valuable to us as a statement to our customers, but also valuable to the mission itself where you at least have a backing for it," said Jon Callas, cofounder of Silent Circle.
Given the nature of the digital economy and the Internet, Mr. Callas said, the US simply can't exercise its power when it comes to encryption. "The idea that any one country can control what is essentially applied mathematics is just absurd."