Most encryption products far beyond reach of US law enforcement
Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.
If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.
Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.
"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society. "This is a much more international market."
Schneier analyzed 865 hardware and software products in 54 countries (including the US) that offer some form of encryption. Some of the smaller firms, he found, capitalize on the protection the international market offers by storing source code in multiple countries, making it easier for them to relocate if the laws in one country become unfavorable to encryption.
The study comes as the American tech sector is mired in a debate with senior law enforcement and intelligence officials over access to communication that's encrypted on consumer devices. Some law enforcement officials, for instance, want companies such as Apple and Google to ensure the government can access encrypted data when agents have a warrant.
At a Senate hearing this week, FBI director James Comey said encryption has prevented his bureau from getting into a phone belonging to one of the perpetrators of the San Bernardino, Calif., terrorist attack.
While some FBI officials have acknowledged there could be security cost associated with giving agencies ways to access encrypted communications, many in law enforcement say it's worth the risk if it means thwarting a terrorist attack.
But Schneier wants to debunk that reasoning.
"The argument is that that vulnerability is worth it because police can catch criminals," said Schneier. "Well, that’s not true because the criminals will switch [products]. So you’re left with the cost and not getting the benefit."
Privacy advocates and most tech companies agree that building a so-called "backdoor" into encrypted communications puts consumers at a greater risk of being targeted by criminal hackers. What's more, privacy advocates argue, if tech companies give the US government access to encrypted data, other governments could seek similar avenues to surveil activists, journalists, and political dissidents.
But even buying products from companies based outside the US doesn't necessarily guarantee data is immune from US snooping. Britain and the US are currently in talks to potentially allow the US to compel British tech companies to hand over American data, and give Britain the same power in the US.
Schneier’s survey replicated a 1999 study that looked at the availability of foreign encryption products after the US government placed export restrictions on encryption software. That ban gave rise to region-specific markets for those looking to evade government surveillance by using encryption. Geographic location matters much less in today's market, however, because the Internet allows consumers to buy encryption products from around the world.
Secure communications company Silent Circle, for instance, is based in Switzerland but has customers in many different countries. It moved its headquarters to Le Grand-Saconnex outside Geneva in 2014 specifically because the Swiss enjoy constitutional data protections.
"Having a pro-privacy stance from the government [of the country] that the company was based in was not only valuable to us as a statement to our customers, but also valuable to the mission itself where you at least have a backing for it,” said Jon Callas, cofounder of Silent Circle.
Given the nature of the digital economy and the Internet, Mr. Callas said, the US simply can't exercise its power when it comes to encryption. "The idea that any one country can control what is essentially applied mathematics is just absurd."