The concept of the “golden key,” a backdoor for computer applications that would supposedly only be used with a court order, has been the subject of a bitter fight between law enforcement officials, software engineers, telecom providers and privacy advocates for years.
The “golden key” for each particular application’s encryption would be hypothetically safeguarded by law enforcement. But privacy advocates and the tech companies themselves have argued that such tools would fundamentally undermine all encryption and thus violate the privacy of otherwise law-abiding citizens, as there would be no guarantee that the exploits and backdoors that comprise the conceptual golden key couldn’t be found by any hacker or programmer.
FBI Director James Comey has repeatedly cited concerns of a phenomenon called “going dark,” where law enforcement would be unable to covertly obtain the information it seeks without serving warrants on, and thus alerting, the targeted holders of the devices. And US law enforcement uses the predictable scare tactic argument that such a key is necessary to protect against terrorists and pedophiles.
The fight dates back to the early 1990s, when the NSA developed the Clipper Chip, a built-in backdoor chip that was to be put into every telephonic device and would allow law enforcement to wiretap phones based on PGP keys that were given to the government in escrow; that is, they could only be given to law enforcement with a court order.
The Clipper Chip was ultimately abandoned because the encryption algorithm was classified as secret by the NSA, which kept it from being peer reviewed by the public, and thus made manufacturers wary about their bottom line. US Senators John Kerry and John Ashcroft opposed the Clipper Chip because it would infringe on individuals’ ability to use and export encryption.
However, since 9/11, officials have sung an entirely different tune, as they have been willing to do just about anything to prevent more terrorist attacks. Meanwhile, tech giants like Apple, Google and Microsoft have grown into global behemoths. Further complicating matters is the exponentially more connected world that we live in that crosses sovereign and jurisdictional boundaries, which has created an interjurisdictional legal phalanx that has largely been superseded in the name of fighting terrorism.
It has also led to the rise of zero-day vendors, such as the disgraced Hacking Team of Italy, which has sold its subscription suite of encryption exploits to law enforcement organizations around the world.
In one ongoing case, Microsoft has resisted complying with a warrant for the communications records of a drug trafficking suspect in December 2013 because the emails the DOJ seeks are stored on a Microsoft server in Dublin. Microsoft argues that the DOJ would need to get a court order from the Irish court jurisdiction if the company is to hand over the emails.
The Justice Department has repeatedly argued that the venue of a corporation (in the case of Microsoft, a global company headquartered in the United States) gives it unilateral jurisdiction over any server the company maintains in the world. It pursued an identical venue-based argument during the 2013 prosecution of Andrew ‘weev’ Auernheimer, claiming jurisdiction over his alleged “hack” of AT&T servers because the company was headquartered in New Jersey, and thus trying him there despite none of his alleged criminal conduct taking place inside that state, arguing it should have “venue anywhere” as it pertains to cybercrime. Auernheimer’s prosecution was later vacated by the 3rd Circuit Court of Appeals due to the demonstrated lack of venue.
Since Snowden’s revelations, tech companies and privacy advocates have taken a harder line against law enforcement demands for backdoors. Law enforcement has sought an update for CALEA (Communications Assistance for Law Enforcement Act), which was passed in 1994, in order to make companies like Apple and Google comply with demands for a golden key, but any such update by Congress seems unlikely. Nor is a protracted legal showdown between tech giants and the feds likely to happen, a battle that could result in the driving of hardware manufacturing and innovation entirely to foreign shores.
The forecast for the future appears to have more of the same: attritional legal battles over definitions of venues and encryption standards within the confines of a legal system still trying to fundamentally understand the advanced technology that has changed our world over the past three decades.
At stake, at least for the United States, is the grasp of power it has had on the technology, when said technology does not comprehend the sovereign borders and laws man has drawn around it.