Susan Landau, WPI professor of cybersecurity policy, was one of four individuals to testify Tuesday (March 1) before a hearing of the U.S. House Judiciary Committee, titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy.” Also testifying were James Comey, director of the Federal Bureau of Investigation (FBI); Bruce Sewell, senior vice president and general counsel for Apple Inc.; and New York County district attorney Cyrus Vance.
The hearing focused on the balance between the need for strong security measures to protect private, sensitive, and commercially valuable information kept on smartphones and the desire of the FBI and other law enforcement agencies to access information on those phones when they become evidence in the investigation of criminal cases or acts of terrorism, such as the December 2015 attack on the Inland Regional Center in San Bernardino, Calif., committed by Syed Rizwan Farook and his wife, Tashfeen Malik.
Landau argues that technology that keeps mobile devices secure is vital to national security and that instead of seeking to weaken those protections to make law enforcement investigations easier, Congress should invest in strengthening the FBI’s capabilities.
At the FBI’s request, a judge on the Central California District Court has ordered Apple to write new software that will permit the FBI to circumvent built-in security safeguards that are preventing investigators from unlocking Farook’s iPhone and gaining access to the encrypted information it contains. The FBI has argued that the safeguards are hindering an investigation that could reveal future security threats. Apple has contested the order, arguing that if it is forced to create this software to circumvent the security features on one phone, such software could fall into the hands of criminals or foreign governments, putting all iPhones at risk. “It would be the equivalent of a master key, capable of opening hundreds of millions of locks,” Apple wrote in a communication to its customers.
Watch Susan Landau’s testimony on C-SPAN here at the 2:27:20 mark.
In her testimony, Landau urged Congress to weigh the intelligence gains that might be realized by unlocking a single phone against the potential risks of making all smartphones vulnerable to attack. She noted that because smartphones are now ubiquitous, and because most people use a single phone for both personal use and work, our phones contain all manner of proprietary information: “And so access to U.S. intellectual property lies not only on corporate servers—which may or may not be well protected—but on millions of private communications devices.”
Landau said weakening built-in security on smartphones could worsen the serious security threat the nation already faces. “In the last decade, the United States has been under an unprecedented attack,” she wrote in her submitted testimony. “In 2010, the Department of Defense Deputy Undersecretary William Lynn said the theft of U.S. intellectual property ‘may be the most significant cyber threat that the United States will face over the long term.’” Protecting U.S. intellectual property, including protecting data on smartphones, “is crucial to U.S. economic and national security,” Landau wrote.
CRUCIAL TO SECURITY
Landau noted that using smartphones instead of passwords to log into services and servers can make online transactions more secure (“a smartphone is something you have, which makes it more secure than ‘something you know,’” she wrote). “Where security matters, authenticating through the device that is always in your pocket and owned by you is a much more secure way to handle your login credentials than the systems we’ve been using up to now.”
She noted that for this method of authentication to be effective and secure, the contents of the phone need to be protected and accessible only to the phone’s owner. “That’s why locking down the phone is so crucial to security,” she wrote. “Rather than providing us with better security, the FBI’s efforts will torpedo it.”
She argued that the FBI continues to use a 20th century approach to investigations, which leads it to seek weaker, not stronger, forms of security “in the misguided desire to preserve simple, but outdated, investigative techniques.”
Before joining the WPI faculty, Landau was a senior staff privacy analyst at Google and a Distinguished Engineer at Sun Microsystems. She is the author of Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press), which won the 2012 Surveillance Studies Book Prize from the Surveillance Studies Network. With Whitfield Diffie, the inventor of public-key cryptography, she wrote Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1998; revised in 2007), which received the 1998 Donald McGannon Communication Policy Research Award and the 1999 IEEE-USA Award for Distinguished Literary Contributions Furthering Public Understanding of the Profession.
Landau has written about security issues in Science, the Washington Post, the Chicago Tribune, Scientific American, and other publications. She is a fellow of the Association for Computing Machinery and the American Association for the Advancement of Science, and she was recently inducted into the Cybersecurity Hall of Fame.