DA Is Dead Wrong on Encryption
District Attorney Bonnie Dumanis and her colleagues argue that a new bill requiring tech companies to weaken the security of their products would assist law enforcement, but they fail to mention the cost: the safety of all Americans’ data.
The last person San Diego should trust with their computers and smartphones is District Attorney Bonnie Dumanis.
Last week, Dumanis joined district attorneys in Los Angeles and Manhattan in supporting a fundamentally flawed Senate proposal they’re trying to brand as the National Technology Bill. If anything, the legislation sponsored by Sens. Richard M. Burr and Dianne Feinstein is an anti-technology bill, since it would require tech companies to weaken the security of their products and break encryption meant to protect their customers.
Dumanis and her colleagues argue that this bill would assist law enforcement, but they fail to mention the cost: the safety of all Americans’ data.
One needs only look at Dumanis’ track record on technology to understand that the district attorney is not credible on this issue.
In 2012, Dumanis spent $25,000 in public money on 5,000 copies of a piece of “parental monitoring” software called ComputerCop. This CD-ROM, which was distributed to families throughout the county for free, included a video from Dumanis promoting the program as the “first step” in protecting your children online.
This first step, however, involved parents installing keylogger software on their home computers. This type of technology is a favorite tool of malicious hackers, since it captures everything a user types, including personal information such as passwords and credit card numbers. Not only did ComputerCop store keylogs in an unencrypted file on the person’s computer, but it also transmitted some of that information over unsecured connections to a mysterious third-party server. If your child was sitting at a coffee shop, connecting a laptop with ComputerCop to an open Wi-Fi network, any two-bit hacker, identity thief or cyber-bully could snatch what your child typed right out of the air.
In other words, Dumanis was promoting software that installed faulty backdoors into home computers. The software did the opposite of its intent: Rather than protecting families, it actually made families less safe.
When this was revealed in 2014, Dumanis acknowledged the problem and issued a warning to families not to use that function and to uninstall it immediately.
In many ways, the ComputerCop debacle mirrors the current debate over the Burr-Feinstein anti-technology bill. Dumanis and her cohorts want Congress to force tech companies to create backdoors into your computers and devices or to simply remove basic security protections on the devices and software we all use every day.
Computer scientists and security researchers around the country have slammed the proposals, asserting that there is no way whatsoever to create a backdoor that can’t be exploited by malicious hackers or even foreign governments.
Dumanis’ support for Burr-Feinstein is tone-deaf to the concerns of the tech community, which has fought hard to restore its credibility in the wake of the NSA spying scandal. One way tech companies have tried to be responsive to the security concerns of users is by adding strong encryption to their technology so that even their technicians can’t access it. These companies – including Apple, WhatsApp and others – recognize that whenever possible, sensitive data should be controlled by the user and the user alone.
In addition, many of these pro-user tech companies believe that requiring this kind of access is not only costly but a violation of the First Amendment-protected right to write and distribute software. This bill would undoubtedly hamstring the region’s innovation economy.
Dumanis does not seem to recognize the importance of encryption, which makes all our online communications and business transactions safe. The district attorney’s website fails to use HTTPS, the protocol that has become the industry standard for secure browsing online. This means that residents, including crime victims, whistleblowers and witnesses, cannot visit her site with confidence that their browsing won’t be intercepted or manipulated by third parties.
Dumanis’ support for the Burr-Feinstein anti-technology bill runs counter to her duty to the safety of her constituents. We shouldn’t have to wait years after its adoption for her to realize and publicly announce that she was, once again, dead wrong on digital security.
Dave Maass is an investigative researcher at the Electronic Frontier Foundation, a San Francisco-based nonprofit that defends civil liberties at the crossroads of technology and the law. Previously, Maass was a staff writer for San Diego CityBeat. Maass’ commentary has been edited for style and clarity.