NSA Wants Your Encrypted Data And Is Pushing Tech Companies To Provide ‘Split Key’ Access
Here we go again. This past November, the US Department of Justice latched onto public heartstrings by saying that encryption on mobile phones could lead to the death of children, and in January, President Obama followed up by plainly saying that encryption should under no circumstances hinder police and spy agencies.
The government can say what it wants, of course, but that doesn't mean that whatever it suggests will be kosher as far as our civil liberties go. Looking beyond the fact that criminals can benefit from encryption (just as they can benefit from a slew of other things), it stands to reason that citizens have the right to protect themselves from the prying eyes of the government. Even with encryption, the amount of data the government has on us is truly mind-blowing, so I don't think things need to be made even worse by us giving up our right to encryption. What's next? NSA-sponsored cameras in all of our homes?
What's right or wrong in human rights rarely matters that much to the government; if there's a roadblock it wants to get around, it will work to get around it. So far, the US hasn't won its encryption battle, but that isn't stopping it from coming up with alternate ideas to try to sway companies like Apple and Google. Take Admiral Michael S. Rogers, for example. He's the Commander of the US Cyber Command, and he suggests that to appease both sides of this coin, we should consider a "split key" encryption design.
With this design, the user would have their own key, allowing them to use the device as normal. Then the FBI, as an example, and Apple, Google, et cetera, would each have a piece of a key - perhaps 50% of the same key the user has. In the event data is needed, these halves would be combined to grant access.
For a number of different reasons, a split key design is complicated. If devices ship with a static key that can't be changed, so that half can be given to the vendor and the other half to the government, the user loses the ability to refresh their encryption. If the design instead involves a type of encryption that responds to two entirely different keys, that brings its own technological hurdles. An easy solution would be to hash the password and data two separate times, but that brings the caveat of wasted storage space and reduced performance.
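To make the split concrete, here is an added sketch (not code from the proposal or from any vendor's design) that compares a literal 50/50 split of the key bytes with 2-of-2 XOR secret sharing, and shows why refreshing the user's key leaves the escrowed pieces useless until they are re-issued. The 256-bit key size and the vendor/agency variable names are assumptions.

```python
import secrets

KEY_LEN = 32  # assumed 256-bit device key; the article names no key size

def split_halves(key: bytes) -> tuple[bytes, bytes]:
    """Literal '50% each' split: each party stores half of the key bytes."""
    mid = len(key) // 2
    return key[:mid], key[mid:]

def split_xor(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR sharing: one share is random, the other is key XOR random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def combine_xor(share_a: bytes, share_b: bytes) -> bytes:
    """Both holders must cooperate; XOR of the two shares is the key."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def bits_left_to_guess(key: bytes, share: bytes, scheme: str) -> int:
    """Key bits a single share holder still does not know."""
    if scheme == "halves":
        return (len(key) - len(share)) * 8  # only the other half is unknown
    return len(key) * 8                     # an XOR share is independent of the key

def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)      # constructed sample key
    vendor_half, agency_half = split_halves(key)
    vendor_share, agency_share = split_xor(key)
    # A single XOR share fits any candidate key: a matching partner always exists.
    decoy = secrets.token_bytes(KEY_LEN)
    fake_partner = bytes(d ^ s for d, s in zip(decoy, vendor_share))
    rotated = secrets.token_bytes(KEY_LEN)  # user refreshes the device key
    return {
        "halves_rebuild": vendor_half + agency_half == key,
        "xor_rebuild": combine_xor(vendor_share, agency_share) == key,
        "half_leaks_prefix": key.startswith(vendor_half),
        "halves_bits_left": bits_left_to_guess(key, vendor_half, "halves"),
        "xor_bits_left": bits_left_to_guess(key, vendor_share, "xor"),
        "share_fits_decoy": combine_xor(vendor_share, fake_partner) == decoy,
        "old_shares_open_rotated_key": combine_xor(vendor_share, agency_share) == rotated,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With byte halves, whoever holds one piece already knows half the key and only has to guess the remaining 128 bits; with XOR shares a single holder learns nothing, but either way a key refresh on the device means new pieces have to be escrowed again.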
As usual, this will be interesting to see play out. It's clear the government isn't going to stop until it gets the access to our data it wants, and admittedly, this split key design is better than the government having its own back door to enter into. Nothing beats the current implementation, however, where even the vendor is unable to gain access.