INSUBCONTINENT EXCLUSIVE:
David Gurle
Contributor
Share on Twitter
David Gurle is the founder and chief executive of
Bill Harrington
Contributor
Bill Harrington is a former federal prosecutor and a partner at the law
Criminals and terrorists, like millions of others, rely on smartphone encryption to protect the information on their mobile devices
But unlike most of us, the data on their phones could endanger lives and pose a great threat to national security.
The challenge for law
enforcement, and for us as a society, is how to reconcile the advantages of gaining access to the plans of dangerous individuals with the
cost of opening a door to the lives of everyone else
It is the modern manifestation of the age-old conflict between privacy versus security, playing out in our pockets and palms.
One-size-fits
all technological solutions, like a manufacturer-built universal backdoor tool for smartphones, likely create more dangers than they prevent
While no solution will be perfect, the best ways to square data access with security concerns require a more nuanced approach that rely on
non-technological procedures.
The FBI has increasingly pressed the case that criminals and terrorists use smartphone security measures to
avoid detection and investigation, arguing for a technological, cryptographic solution to stop these bad actors from &going dark.& In fact,
there are recent reports that the Executive Branch is engaged in discussions to compel manufacturers to build technological tools so law
enforcement can read otherwise-encrypted data on smartphones.
But the FBI is also tasked with protecting our nation against cyber threats
Encryption has a critical role in protecting our digital systems against compromises by hackers and thieves
And of course, a centralized data access tool would be a prime target for hackers and criminals
As recent events prove & from the 2016 elections to the recent ransomware attack against government computers in Atlanta & the problem will
Anything that weakens our cyber defenses will only make it more challenging for authorities to balance these &dual mandates& of
cybersecurity and law enforcement access.
There is also the problem of internal threats: when they have access to customer data, service
providers themselves can misuse or sell it without permission
Once someone data is out of their control, they have very limited means to protect it against exploitation
The current, growing scandal around the data harvesting practices on social networking platforms illustrates this risk
Indeed, our companySymphonyCommunications, a strongly encrypted messaging platform, was formed in the wake of a data misuse scandal by a
service provider in the financial services sector.
(Photo by Chip Somodevilla/Getty Images)
So how do we help law enforcement without
making data privacy even thornier than it already is A potential solution is through a non-technological method, sensitive to the needs of
all parties involved, that can sometimes solve the tension between government access and data protection while preventing abuse by service
providers.
Agreements between some of our clients and the New York State Department of Financial Services (&NYSDFS&), proved popular enough
that FBI Director Wray recently pointed to them as a model of &responsible encryption& that solves the problem of &going dark& without
compromising robust encryption critical to our nation business infrastructure.
The solution requires storage of encryption keys — the
codes needed to decrypt data — with third party custodians
Those custodians would not keep these client encryption keys
Rather, they give the access tool to clients, and then clients can choose how to use it and to whom they wish to give access
A core component of strong digital security is that a service provider should not have access to client unencrypted data nor control over a
client encryption keys.
The distinction is crucial
This solution is not technological, like backdoor access built by manufacturers or service providers, but a human solution built around
Such arrangements provide robust protection from criminals hacking the service, but they also prevent customer data harvesting by service
providers.
Where clients choose their own custodians, they may subject those custodians to their own, rigorous security requirements
The clients can even split their encryption keys into multiple pieces distributed over different third parties, so that no one custodian can
access a client data without the cooperation of the others.
This solution protects against hacking and espionage while safeguarding against
the misuse of customer content by the service provider
But it is not a model that supports service provider or manufacturer built back doors;our approach keeps the encryption key control in
clients& hands, not ours or the government&s.
A custodial mechanism that utilizes customer-selected third parties is not the answer to every
part of the cybersecurity and privacy dilemma
Indeed, it is hard to imagine that this dilemma will submit to a single solution, especially a purely technological one
Our experience shows that reasonable, effective solutions can exist
Technological features are core to such solutions, but just as critical are non-technological considerations
Advancing purely technical answers & no matter how inventive & without working through the checks, balances and risks of implementation
