'Golden Key' Password Idea Is Getting Little Support

Activists are working to get President Obama to notice their campaign against a so-called “golden key” that law enforcement would use to unlock encrypted communications.

Calling it a nightmare for consumer privacy and a liability for foreign tech sales, the Electronic Frontier Foundation, a “nonprofit organization defending civil liberties in the digital world,” is circulating a petition directed at Obama that calls for the White House to “reject any law, policy, or mandate that would undermine our security.” It has generated more than 52,000 signatures.

Mark Jaycox, a legislative analyst for the EFF, tells Inverse one of the group’s chief concerns was economics, in addition to those of privacy.

“By providing the government access and forcing companies to decrypt their customers, there’s a very real fear this will contribute to the Balkanization of technology,” Jaycox says. “We’ve seen the U.S. tech sector decrease in foreign sales, and the issue would foreign companies take this into account and would this further impact foreign tech sales.

“The other concern is, if the U.S. asks a company to do this, and the company does it, what does that mean when they get requests from other countries? If Russia or China asks, what stops them from saying yes?”

The argument for a “golden key” was laid out in a Washington Post editorial last year, using the phrase to describe a speculative way to unlock consumer information tech companies should design for the public good. The editorial board called it a necessary compromise on the next generation of smartphones to ensure data was accessible to law enforcement in possession of “valid, court-approved search warrants.” The Post writes:

“A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.”

And there The Post shows it doesn’t understand tech. Regardless of the euphemism you ascribe, a built-in “golden key” is itself a security vulnerability and essentially a “back door” inviting any hacker with the time and inclination a way to access consumer data. No “wizardry” will change that. Consider August’s IRS data breach, or that same month’s Ashley Madison hack. People have enough trouble maintaining a reliable standard of security already.

But those risks are worth it to golden key supporters like FBI Director James Comey, who wrote in a July op-ed for security blog Lawfare: “When the government’s ability — with appropriate predication and court oversight — to see an individual’s stuff goes away, it will affect public safety. That tension is vividly illustrated by the current ISIL threat, which involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people, a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment.”

The EFF may have already won this battle. When FBI official Amy S. Hess told the House Oversight Committee that encrypted phone tech was keeping the agency from gathering data, politicians on the left and right did that rarest of things, joined hands, and called bullshit in unison. Law enforcement may want to hack your phone, but the lawmakers seem to have little interest in giving them the tools to do it.

Still, private sector leaders are already lining up in favor of consumer protection. Apple’s Tim Cook has been a vocal supporter of customers’ right to encryption, saying, “we at Apple reject the idea that our customers should have to make tradeoffs between privacy and security” at an Electronic Privacy Information Center event this June.

White House policy says any petition with at least 100,000 signatures will receive a response, a rule the administration has held to even when it means publicly refusing to build a Death Star.

“We need to make sure the White House comes out on this issue and stands for strong encryption and users’ private content. The administration has done some good things, but they need to come out stronger,” Jaycox says. “The second thing is to ensure proper encryption.”