In a recent post, Bruce Schneier says that “CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist”, and suggests that Brennan is either lying or ignorant. Bruce cites, in full, the relevant quote from the hearing:
"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said. "So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."
Bruce then points to a survey he did earlier this year listing 546 non-theoretical products from 54 non-U.S. countries. Bruce is of course correct that there are many other sources of encrypted apps available from overseas, and I myself have argued in Congressional testimony that trying to stop their use in the United States entirely would be a fool’s errand. On the other hand, Brennan’s not entirely wrong, though he didn’t say what he should have said very well.
It IS true that U.S. companies dominate the technologies for which encryption capabilities are available. Brennan is arguing that if the U.S. companies can be made to fall in line, it will have benefits for the law enforcement and national security community even if foreign companies have the “theoretical ability” make those encryption capabilities available to others.
What Brennan should have said is that foreign companies have the “theoretical ability” make those encryption capabilities WIDELY available to others—they don’t have it now, because of American dominance of that market. The real issue, which neither Brennan nor Bruce address or even mention, is whether U.S. companies doing what U.S. law enforcement authorities want them to do will shift the market shares of U.S. vs foreign companies.
An article in the Register provides one point of view on this matter. This article says that “If US firms are mandated to install backdoors, sales of encryption products are going to change very quickly.” This is the unstated punch line of Bruce’s post too—that the availability of foreign products will frustrate any shift in U.S. policy that requires exceptional access.
A contrasting point of view is that by and large, consumers don’t care much about having the best security that technology can produce. All else being equal, they would prefer better security, but the really important things to them are cool interfaces, interesting apps, and the social cache that comes from having a beautiful and elegant product—and if they have to pay for those things with a little less security, that’s a bargain that they would be willing to make.
Brennan’s point of view makes considerable sense when it is viewed through this latter lens. If consumers buy products more because of non-security features, then obviously security matters less in their buying decisions. And until foreign companies learn to compete on those cool non-security features, any shifts in the market towards foreign companies who offer higher security functionality but less cool features (**edited -- an earlier post said "feathers" rather than "features"!) will be small and marginal.
So for me, it comes down to an argument about how much consumers value security compared to other things. I make just two observations on this point.
First, privacy and security advocates care deeply about security. They are very aware of security features and understand what’s involved with security very well, at least compared to the general public. And to protect their security, they are more willing than the average consumer to take measures to protect themselves.
Second, over many decades it’s pretty much been shown that most consumers (aka the general public) will trade away their privacy for very small benefits in cost or convenience. Does the same hold for benefits in “coolness” or other functionality? I don’t know, but I suspect it does (**edited - earlier post had this point reversed by mistake**). Bottom line here--sentiment among privacy and security advocates may not reflect that of the consumer population at large.
So -- if the LE/NS goal is to suppress entirely the availability of encryption without exceptional access, that’s a fool’s errand for the reasons that Bruce pointed out—the widespread of encryption products from foreign sources. But if the LE/NS goal is to impede the spread of encryption-on-by-default devices that are widely used and that don’t require special efforts to encrypt (and such an outcome would confer many benefits to the LE/NS community, though not all that they wish), then Brennan has a point. And I think that’s what he was trying to say.