It’s time for the FBI to acknowledge the elephant in the room: Encryption backdoors are a threat to our national security.
In the wake of the massive Salt Typhoon cyber attack on U.S. telecommunications giants like AT&T and Verizon, the vulnerabilities of backdoor systems like those mandated under the Communications Assistance for Law Enforcement Act (CALEA) are once again painfully clear. This is not just a breach; it is a cautionary tale that underscores the inherent dangers of building intentional vulnerabilities into critical systems. While the FBI has confirmed that CALEA systems were, indeed, a vector for China’s access to these systems, it has stopped short of advocating for end-to-end encryption, instead recommending “responsibly managed encryption,” which is partly what got us into this mess.
American citizens’ private data deserves better. As Virtru’s co-founders, we have long warned that backdoors — regardless of their original intent — represent weak points that will inevitably be exploited.
What was meant to enable lawful surveillance has now facilitated one of the largest intelligence compromises in U.S. history. It’s a sobering irony that the same agencies historically resistant to end-to-end encryption are now recommending its use to protect against the very vulnerabilities their policies created.
CALEA’s mandated backdoors were implemented in 1994 to allow law enforcement agencies, including the FBI, to access communications with court authorization. Thirty years ago, when the CALEA legislation was being debated, certain members of Congress raised concerns. In a recent letter to the U.S. Attorney General and the FCC Chair, Oregon Senator Ron Wyden recalled: “During the Congressional hearings for CALEA, cybersecurity experts warned that these backdoors would be prime targets for hackers and foreign intelligence services. However, these concerns were dismissed by then-FBI Director Louis J. Freeh, who testified to Congress that experts’ fears of increased vulnerability were ‘unfounded and misplaced.’”
Yet, here we are, 30 years later, with these “unfounded and misplaced” concerns now a sobering reality. As we’ve seen with the Salt Typhoon attack, vulnerabilities designed for "the good guys" can just as easily be exploited by bad actors. The Chinese state hackers leveraged these systems to spy on U.S. citizens, intercepting metadata, live calls, and even systems tied to classified surveillance court orders.
The reality is simple: A backdoor is still a door. It can be opened, not just by those we intend to authorize, but by anyone skilled enough to find it.
On a news call this week, an FBI official called for the American public to use “a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media and collaboration tool accounts.”
The term “responsibly managed encryption” is part of the problem: It is vague and intentionally leaves room for what the FBI refers to as “lawful access,” such as the backdoors mandated by CALEA, detailed above.
For years, the FBI has been pushing back on true end-to-end encryption, targeting companies like Apple for their use of the privacy-preserving technology. In 2016, Will Ackerly raised the warning flag in a Chicago Tribune article that would go on to be referenced in court documents related to the FBI’s attempt to gain access to a criminal’s seized iPhone. “It’s a very dangerous proposition to claim that this capability could not be re-used,” Will said. And he was right.
As the FBI now grapples with the Salt Typhoon hack — which is still ongoing, with no timeline for resolution — officials must now admit that “responsibly managed encryption” is not good enough. It’s clear that encryption with backdoors is not responsible at all. It is time for the FBI to acknowledge and support end-to-end encryption as a stronger protection against foreign adversaries.
As Jeff Greene of CISA aptly stated on this week’s press call alongside the FBI: “Encryption is your friend.” This endorsement of encryption validates what privacy advocates (including Virtru) have long argued: The best way to secure data is to encrypt it end-to-end and ensure it remains protected, regardless of where it travels or who might intercept it.
At Virtru, we believe security should empower privacy, not compromise it. Our solutions, built on the Trusted Data Format (TDF), ensure that sensitive data remains protected with military-grade encryption and granular access controls, no matter where it moves. Unlike CALEA’s static backdoor approach, TDF provides dynamic, policy-driven protection that follows the data, offering cryptographic proof of control.
To truly protect our nation’s communications and information, we need to shift away from backdoor-dependent architectures and toward Zero Trust principles that assume every system and user could be compromised. This includes:
The lesson from Salt Typhoon is painfully clear: backdoors are not the solution; they are the problem. As we confront the complexities of modern cyber threats, let’s commit to building a future defined by data-centric security and end-to-end encryption, not backdoors. It is time for the FBI to change its public position on end-to-end encryption, specifically. We must take advantage of the moment to end the debate over “backdoors” and give control back to the data owner once and for all.
We wrote this in 2018, and it bears repeating: “Governments, corporations, and the public must collectively take steps to restore public trust by safeguarding society against direct threats to our individual and collective liberty. Our daily lives leave a massive footprint of personal information out in the wild, controlled by others whose interests may not align with our best interests. We must all work together to address this problem. We are at a crucial moment in our journey as human beings. As more of our property is digitized, we must safeguard the rights that have allowed Western Democracy to flourish, and ensure all who come after have the right to life, liberty, and the pursuit of privacy.”
To learn how Virtru can help you protect your sensitive data with end-to-end encryption and dynamic policy controls, view our data security product portfolio, or contact our team directly.