Charlie Harvey

Obama crypto leak: no mandatory broken encryption. Yet.

A recent leak published in the Washington Times seems to point to the Obama administration backing down on recent proposals to include backdoors in encryption products following pushback from the public, crypto experts and some of the big US tech companies.

The memo, which was published last week, lists 3 possible options that the administration might adopt:

  • Disavow legislation and other compulsory actions
  • Defer on legislation and other compulsory actions
  • Remain undecided on legislation or other compulsory actions

Here it is. Download the leaked memo.

You will note that legislation does not appear to be on the table except as a bargaining chip to pressure Facebook and co. to rat their users out to the Feds voluntarily.

The paper doesn’t go as far as acknowledging the technical impossibility of building encryption that is both secure and insecure at the same time — for example by requiring companies or the state to hold a master key to all crypto products — that the FBI and David "no safe spaces for terrorists" Cameron have called for.

It does, however, acknowledge that effective cryptography is an important part of keeping cyberspace safe and that broken crypto leads to a less secure internet, saying:

People around the world rely on the security of U.S. products in their daily lives. Mandating the design of those systems to include known vulneribilities makes all of us less safe and undermines trust in these digital services.

I couldn’t have put it better myself.

No safe spaces for terrorists means no safe spaces for the rest of us either

Requiring that companies produce only flawed encryption products is unlikely to stop anyone from using encryption products that are not flawed, because maths.

By which I mean that there are a number of well-researched, strong encryption protocols in existence. Excellent free software implementations exist. Unless we are going to have a fully balkanized internet and stop researchers from talking to each other and burn all existing crypto books and check every single digital device, the knowledge of how to implement those protocols will continue to be available. And anyone with a sufficient interest in communicating securely will continue to do so.

The safe space for criminals will remain untouched by government mandated software flaws.

However, requiring that tools that citizens rely on to go about their daily business contain security holes is a recipe for a less secure internet. As we saw with the cloning of TSA baggage keys this week, if there is a master key and people have access to it, sooner or later it will end up in the wrong hands. And there goes the banking system.

Compulsory legislation is off the table

Back to the leaked memo. Apparently, an earlier draft did contain the option of legislation. But, according to the Times:

No one, including law enforcement, officials said, thinks it is a realistic option today.

Interesting to me is the prediction that countries like the UK, Netherlands and France who want to spy on their populations are likely to see a disavowal of legislation as endangering the safety of their citizens.

Perhaps that indicates that coming out in support of the benefits of strong encryption will be a step too far for the administration and we might see them adopt one of the more half-arsed options from this document.

What does seem clear is that Cameron’s no safe spaces nonsense is seen, by the US administration at least, as UK policy, even in advance of any public debate in Britain.


  • Be respectful. You may want to read the comment guidelines before posting.
  • You can use Markdown syntax to format your comments. You can only use level 5 and 6 headings.
  • You can add class="your language" to code blocks to help highlight.js highlight them correctly.

Privacy note: This form will forward your IP address, user agent and referrer to the Akismet, StopForumSpam and Botscout spam filtering services. I don’t log these details. Those services will. I do log everything you type into the form. Full privacy statement.