Last week, news broke of the recall of 1.4 million Fiat Chrysler vehicles due to software flaws that allowed hackers to remotely control the cars, cutting brakes and shutting down the engine. Days later, the U.S. National Highway Traffic Safety Administration (NHTSA) hit Chrysler with a $105 million fine for legal violations like misleading and obstructing regulators, inadequate and lagging repairs, and dragging their feet to alert car owners. While the fine is not tied to any one specific recall, it is clear that recalls due to software flaws can result in financial penalties for car makers.
It’s not just NHTSA that has been looking at technical security and encryption. Many federal agencies have encouraged—even required—that companies provide extensive cybersecurity protections.
The Department of Health and Human Services offers guidance for encrypting health information, the Federal Trade Commission has compiled a collection of practical tips for protecting personal information, the Federal Communications Commission has published a Cyber Security Planning Guide, and the Office of Management and Budget announced that all federal websites must be encrypted using HTTPS by 2016. Even the FBI has recommended that individuals encrypt their phones to protect their data – or at least they used to.
For the past month, FBI Director Jim Comey has been making the rounds, asking Congress to force tech companies to create a “backdoor” into any mobile device and communication tool that uses end-to-end encryption. He’s been joined by others in the law enforcement community like Sally Quillian Yates, Deputy U.S. Attorney General, and Cyrus Vance, District Attorney for Manhattan, New York, insisting that there must be a way to do it and that experts haven’t really “tried.”
Despite complaints by law enforcement that lack of access to encrypted communications means they’re “going dark,” and a series of gut-wrenching anecdotes involving murder, kidnapping, drug crimes, rape, and other heinous crimes, the FBI struggles to put forward a single concrete case where access to encrypted communications (and that access only) would have allowed the agency to bring a case or convict a criminal.
But, as nearly every technologist weighing in on the subject has said, there’s no way to insert a backdoor without weakening encryption. The day before Director Comey testified that encryption experts weren’t adequately studying encryption, those experts put out an extensive study showing that government-mandated backdoors would significantly weaken encryption. Worse, those backdoors then become go-to targets for hackers and bad actors and increase the likelihood of a breach.
ACT’s Morgan Reed explains the importance of strong encryption to a House Judiciary Committee Hearing earlier this week.
And there is real and concrete evidence of mass breaches of consumer data. Last year, half of American adults had their personal data stolen by hackers. The latest of those noteworthy breaches was the breach at the U.S. Office of Personnel Management, which resulted in hackers obtaining the employment documents of 21.5 million current and former federal government employees. Breaches are so common that the New York Times recently released an interactive infographic to tell you what personal information has been exposed to hackers.
We need to be making security and encryption of data stronger, not weaker. The plethora of recent massive data breaches shows that there is significant need for the strongest possible encryption techniques. Consumers are demanding better protection of their data, and technology companies must provide it or risk losing those customers.
Technology continues to expand, the Internet of Things grows more pervasive, and more and more data is found online; we must not hinder the ability of security measures like encryption to protect our information and our lives.