National Security Agency Director Adm. Mike Rogers has been one of the loudest voices cautioning that the strong encryption that now comes standard on consumer devices including cellphones will make it harder to catch criminals and terrorists.
But in testimony to the Senate Intelligence Committee Thursday, Admiral Rogers admitted that one proposed way for law enforcement or intelligence officials to decrypt data on consumer devices could also pose a security risk by opening the door for bad actors to access the data.
When asked by Sen. Ron Wyden (D) of Oregon whether a plan that requires tech firms to create multiple encryption keys so that US officials can decrypt data also creates "more opportunities for malicious hackers or foreign hackers to get access to the keys," Rogers admitted that was a legitimate concern.
"If you want to paint it very broadly, as a yes or a no," Rogers replied, "I would probably say yes."
In recent months, Rogers has called for a "front door" to access the encrypted data with multiple "big locks." According to The Washington Post, which also on Thursday revealed the technical options the Obama administration explored to allow officials to unlock encrypted communications, Rogers had proposed creating and storing multiple keys so that no one agency or organization could decrypt the data on its own.
So Rogers's public acknowledgement of the risks that come with this sort of split-key encryption is sure to be welcome news to many supporters of strong encryption on consumer devices. Many technologists and experts say that building in a channel for the US government to circumvent strong encryption is tantamount to a "back door" and can never be secure.
Senator Wyden also seemed satisfied by Rogers's answer. "When there are multiple keys ... the good guys are not the only people with the keys," he said. "That creates more opportunities for the kinds of hacks and damaging conduct by malicious actors – and that makes your job harder."
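To make the "multiple keys, no single holder can decrypt" idea concrete, here is an added illustration (written for this page, not the article's own material or any agency's proposal) of a k-of-n threshold split of a device key using Shamir secret sharing over a prime field; the key value, threshold and holder count are constructed sample values, and the code handles any k-of-n, not only a two-party split.

```python
# Added illustration of the "multiple keys" escrow idea: a k-of-n threshold
# split (Shamir secret sharing) of a device key. Any k share holders together
# recover the key; fewer than k shares are consistent with every possible key.
# Example code written for this page, not from the article or any agency.
import secrets

P = 2**127 - 1  # prime field modulus; the key must be an integer below P


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total


def split_key(key, k, n):
    """Split `key` into n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = key."""
    if not (0 <= key < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _interpolate_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_poly(coeffs, x):
    """Horner evaluation of a polynomial given by its coefficients (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def recover_key(shares):
    """Recover the key from exactly k distinct shares (the escrow 'unlock' step)."""
    return _interpolate(shares, 0)


def implied_share(partial_shares, candidate_key, x_missing):
    """Given k-1 shares, the k-th share that would make `candidate_key` the secret.

    Because such a share exists for every candidate, a party holding fewer than
    k shares learns nothing about the key; only a full quorum of holders can.
    """
    return (x_missing, _interpolate(partial_shares + [(0, candidate_key)], x_missing))


# Constructed sample: a 128-bit device key split 2-of-3 across three holders.
SAMPLE_KEY = 0x2B7E151628AED2A6ABF7158809CF4F3C
SAMPLE_SHARES = split_key(SAMPLE_KEY, 2, 3)
```

The defender's caveat is in `recover_key`: every set of k stored shares is a complete copy of the key, so each quorum of holders is exactly the target the senator describes.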
This issue also came up at a Passcode event earlier this month, when senior FBI and Justice Department officials said they support strong encryption in the private sector, but as Kiran Raj, the Justice Department’s senior counsel to the deputy attorney general, put it: "We don't want situations where there's warrant-proof encryption."
Since there's no one-size-fits-all solution, the companies should come up with a solution themselves, Mr. Raj said. "When we hear 'master key,' or 'golden backdoor,' we have to be clear no one is asking for that."
But Jon Callas, chief technologist of encrypted communications company Silent Circle, pushed back: "You're not asking for the golden key – you're asking for the magic rainbow unicorn key."
It's not possible to build a mechanism that gives only the "good guys" access to encrypted data while still maintaining device security, Mr. Callas said. "We are putting in the encryption to stop crime, precisely to stop espionage ... but now that we're doing it, we're being criticized for doing it."