CAMBRIDGE, Ma.—The National Security Agency came out in support of encryption again Wednesday, but privacy advocates were quick to contest the agency’s stance, criticizing it for having a different definition of the term than others.
Glenn Gerstell, general counsel for the NSA, stressed that the agency believes in strong encryption multiple times during a panel, “Privacy vs. Security: Beyond the Zero-Sum Game,” at Cambridge Cyber Summit here at MIT, on Wednesday.
Another panelist, Cindy Cohn, executive director of the Electronic Frontier Foundation, took offense and said that when the NSA uses the word encryption, it should really place an asterisk at the end.
“I think there should be an asterisk most of the time. I’ve been in meetings with people from the NSA and FBI and when they say we support strong encryption… what they really mean is strong encryption that only they have access to,” Cohn said.
“It sounds disingenuous, it seems what they mean by strong encryption isn’t the same as what the rest of us mean,” Cohn said.
Gerstell was echoing sentiments previously made by NSA director Adm. Mike Rogers, and General Michael Hayden, former director of the CIA and NSA. Both have gone on record this year that they support encryption but also admitted that robust crypto provides them with challenges in their day-to-day work.
Gerstell said the NSA was focused on encryption but called it “more of a law enforcement issue than an NSA or foreign intelligence issue,” alluding to the difficulties the government faces when terrorist groups like ISIL use encrypted messaging apps to communicate.
Likening what the NSA does to gain intelligence as “going spotty, not dark,” Gerstell said at one point though that encryption doesn’t have to be an impenetrable wall and that there can be ways around it.
“Just because there’s end-to-end encryption doesn’t mean that’s the end of the problem, Gerstell said, “sometimes people lose passwords to their encrypted devices, someone might forget a password, they might have to reset it – that exposes vulnerabilities. All these things provide an opportunity to exploit that system.”
“The government shouldn’t be in the business of breaking our technology, they should be in the business helping make it more secure,” Cohn quipped.
The panel, moderated by the Washington Post’s Ellen Nakashima, quickly developed into a spirited privacy versus security debate. Gerstell at one point was forced to defend accusations from Cohn that the NSA frequently hoarded zero-day vulnerabilities and failed to report them to companies, leaving users vulnerable. Gerstell insisted that the NSA discloses the majority of vulnerabilities it encounters, roughly 95 percent. Sometimes however equipment can be out of cycle, or not supported by manufacturers, and that the agency has to withhold them for national security reasons, he said.
Cohn fired back, citing the NSA’s “extremely vague” response to a FOIA request the EFF filed regarding the government’s Vulnerability Equities Process in 2014. Cohn told Gerstell the government’s level of being forthcoming around the issue is far below what the general public expects.
While we’re almost half a year removed from this spring’s FBI vs. Apple encryption debacle, it clearly hasn’t halted the conversation, or vitriol, around the topic of encryption.
Another panelist, Daniel Weitzner, the founding director of MIT’s Internet Policy Research Initiative and a principal research scientist at MIT CSAIL, said that we’re getting tripped up on the encryption debate – something, he said, was really just a narrow slice of the conversation.
“Let’s find a solution,” Weitzner said, “I believe the technical community has an obligation to help the intelligence community investigate crime and terrorism. We should be talking about all the other ways law enforcement can be effective with encryption.”
Near the panel’s end, the professor said that we’ll likely never have perfectly secure systems, but that end-to-end encryption will soon be ubiquitous and that the world needs to adapt.
“It’s very clear that end-to-end encryption is going to be widely available, all around the world, non-U.S. sources, terrorists will be able to use it,” Weitzner said.
“That’s not a good thing but I don’t think that’s a thing that we can control. The question now is; where are our strategic interests – in the security and trust of users overall or guaranteeing this can be used in law enforcement investigation? I think given the numbers, we have to err on the side of protecting the law-abiding users,” Weitzner said.
