Encrypt It All

I’ve had several of my non-technical friends ask me about Apple’s recent plan to encrypt everything on your smartphone. Of course, Google has been moving to this plan for quite some time already. But the recent announcement has led to the government’s formal claim that this is a threat to national security. What is the truth?

Court Orders are not Required
The first problem facing Apple, Google, and others is that even in America, many of the agencies requesting private data do so without a court order of any kind. Most American citizens think that the US would never do this – but in fact it happens almost every day. As you can see from the Google Transparency Report, there are nearly twice as many requests without court orders as requests with court orders. If you were Google, how would you decide when a request needs to be obeyed and when it should be rejected? Is there any policy that Google, or any company, could possibly apply that would be correct?

Unfortunately, government agencies believe they can simply make these requests and expect the company to comply. If the company does not comply, the company is threatened by that agency – sometimes with threats of jail time under laws that appear to undermine our Constitution. How does the company know whether a request should be obeyed when there is no court order? How can a company remain objective when government agencies are not required to follow due process?

Too Many Governments
The other sad fact is that there are simply too many governments and too many laws. Tech companies are global and need to respect global law. Unfortunately, this means fielding requests from all over the world. How much legal time should a company expect to spend answering requests from agencies around the world? How do you know if a request is authentic? What if you received a request for private data, and complied, but it turned out to be a fraudulent request? Attempting to comply could lead to more damage than not trying to comply. Unfortunately, our governments do nothing to help keep us, the citizens, safe from fraudulent requests. They simply demand information as though they are entitled.

The Only Solution Is Not To Know
The result is that all companies will eventually opt for the only solution that makes sense – encrypt everything. In the wise words of Commander Klink, “I know nothing” is the only way to deal with these requests. If you don’t hold the keys to your customers’ information, you can’t possibly give it to anyone. Unfortunately, since government agencies make too many subjective and illegal requests for information, companies must defend themselves by simply dropping all knowledge. This is the approach we take at BitGo. We will comply with all court-ordered requests, but we know absolutely nothing, so don’t bother asking.

There is a silver lining to this for users, which is that their data will be more private and more secure. But it should be a warning to all of us, even here in America. When your government can spy on you illegally, you do not live in “the land of the free”.