What’s driving Silicon Valley to become ‘radicalized’
By Elizabeth Dwoskin May 24 at 5:00 PM
SAN FRANCISCO — Like many Silicon Valley start-ups, Larry
Gadea’s company collects heaps of sensitive data from his customers.
Recently, he decided to do something with that data trove
that was long considered unthinkable: He is getting rid of it.
The reason? Gadea fears that one day the FBI might do to
him what it did to Apple in their recent legal battle: demand that he give the
agency access to his encrypted data. Rather than make what he considers a
Faustian bargain, he’s building a system that he hopes will avoid the situation
entirely.
“We have to keep as little [information] as possible so
that even if the government or some other entity wanted access to it, we’d be
able to say that we don’t have it,” said Gadea, founder and chief executive of
Envoy. The 30-person company enables businesses to register visitors using iPads
instead of handwritten visitor logs. The technology tracks who works at a firm,
who visits the firm, and their contact information.
In Silicon Valley, there’s a new emphasis on putting up
barriers to government requests for data. The Apple-FBI case and its aftermath
have tech firms racing to employ a variety of tools that would place customer
information beyond the reach of a government-ordered search.
The trend is a striking reversal of a long-standing
article of faith in the data-hungry tech industry, where companies including
Google and the latest start-ups have predicated success on the ability to
hoover up as much information as possible about consumers.
Now, some large tech firms are increasingly offering
services to consumers that rely far less on collecting data. The sea change is
even becoming evident among early-stage companies that see holding so much data
as more of a liability than an asset, given the risk that cybercriminals or
government investigators might come knocking.
Start-ups that once hesitated to invest in security are
now repurposing limited resources to build technical systems to shed data, even
if it hinders immediate growth.
“Engineers are not inherently anti-government, but they
are becoming radicalized, because they believe that the FBI, in particular, and
the U.S. government, more broadly, wants to outlaw encryption,” said prominent
venture capitalist Marc Andreessen in a recent interview. Andreessen’s firm,
Andreessen Horowitz, is an investor in Envoy.
The government abandoned its effort to force Apple to
help unlock the iPhone of one of the San Bernardino terrorists and paid
professional hackers to crack the phone instead. But experts say that the issue
is far from settled, and will probably be the subject of court and legislative
battles.
Start-ups are particularly wary, Andreessen said, of
legislation proposed recently by Sens. Richard Burr (R-N.C.) and Dianne
Feinstein (D-Calif.) that would compel tech companies to build technical
methods to share customers’ encrypted data, at a court’s request.
“They believe there’s this window of opportunity that if
we build strong encryption now, we can make it a fait accompli. But if we let
five years pass, it may never happen,” Andreessen said.
In the past two years, more companies have embraced
encryption, which scrambles information so that it looks like a stream of
unintelligible characters to an outsider who accessed it without permission.
What’s changed more recently, industry officials say, is that companies are
encrypting data and throwing away the key to prevent their gaining access, a
move that started with Apple but is spreading across the Valley.
This latter tactic is the most worrisome to law
enforcement. Government officials have said repeatedly they do not want to
outlaw encryption; FBI Director James B. Comey has called strong encryption a
vital means of protecting the public’s personal information from hackers.
But officials insist that there must be a technical means
to access that information when companies are served with warrants. Otherwise,
there will be “profound consequences for public safety,” Comey told Congress in
March. Terrorists and criminals are already using messaging services to which
tech companies have thrown away the key, he said. Investigators say two such
services, WhatsApp and Telegram, were used by terrorists in the Paris attacks
last November.
“This is a Silicon Valley delusion that the government wants
to outlaw encryption,” Stewart A. Baker, a former National Security Agency
general counsel, said in an interview. “I grant that there is a radicalized
subculture of engineers that is very prone to that delusion, but it is a
delusion.”
Surely not every company will resort to building such
systems. Many simply can’t. Their business relies on targeted advertising or
the mining of customer data, and cutting off access would be a recipe for
failure. But many start-ups that wouldn't have considered it before the
Apple-FBI fight are now doing so and discussing the accompanying trade-offs, said
Bret Taylor, formerly Facebook’s chief technology officer and now chief
executive of the start-up Quip.
The trade-offs can be significant: Heavy encryption risks
slowing down your service. It limits the ability to analyze customer behavior
or introduce new features. (Encrypting email, for example, would make it harder
to search through email.) Once you give customers the only key to their data,
you can’t give them a backup if they lose it.
Such efforts over the past few years have been described
as part of an arms race between large tech companies and potential invaders,
spurred largely by the growing threat of cyberattacks. To some extent, they’ve
also been prompted by a newfound wariness of government after Edward Snowden’s
revelations about government surveillance, as well as a growing awareness among
entrepreneurs of the sheer sensitivity of the data on their services.
Apple led the pack, launching end-to-end encryption with
its popular messaging app, iMessage, in 2011. In 2014, the company blocked its
own access to information stored on iPhones -- data that disappears permanently
after 10 failed passcode attempts. (End-to-end encryption enables only the
partners trading messages to decode them. The companies providing the means to
transmit them cannot.)
WhatsApp, the global messaging service owned by Facebook,
announced end-to-end encryption this year, as did Viber, a messaging app that
is popular in Europe. These years-long technical efforts predated the FBI case.
Cloudera and Box, two larger tech start-ups selling data storage and processing
systems to large corporations, have built encrypted systems over the past year
in which only the customer has the keys needed to unscramble data.
The case between Apple and the FBI and the possibility of
“backdoor” legislation — mandating encryption bypasses for law enforcement — is
a new inflection point. Earlier this month, Google launched Allo, a chat app
that allows users to switch on end-to-end encryption, and Amazon chief
executive Jeffrey P. Bezos said he was exploring measures to encrypt data and
throw away the keys on devices owned by the Seattle-based company.
Stealth Worker — a start-up funded six months ago by the
prominent incubator Y-Combinator — provides contract cybersecurity experts to
early-stage start-ups, which often operate on a shoestring budget. Stealth
Worker chief executive Ken Baylor said that in the past month he had been
approached by a half-dozen companies looking for ways to build tougher
encryption and other secure technical architectures. But many don’t want to
talk about it, he said.
“They are afraid of a phone call from someone high up
saying that they are unpatriotic,” Baylor said.
Bracket Computing, a 70-person Silicon Valley start-up,
embarked on an encryption project about a month ago intended to make it easier
for customers to hold the keys to their own data.
That way, “I can’t get subpoenaed the way Apple did,”
Bracket chief executive Tom Gillis said. “This clears up the whole issue: If
you have an issue with my customer, go talk to my customer, don’t talk to me.
I’m just a tech guy, and I don’t want to be in the middle of these things.”
Gillis said that initially, customers seeking the ability
to hold the keys to their data were large, sophisticated financial services
companies, such as Goldman Sachs and Blackstone. Today, a broader array of
companies, including media and automotive firms and small banks, are making
these requests. Advances in Intel’s chips, he said, have made it possible to
build these complex systems 13 times as fast as in 2010.
Building systems that cut off a company’s access to
customer data is time- and resource-intensive, and these systems don’t come
without risks.
Envoy CEO Gadea, an engineering prodigy who was hired by
Google when he was just 18, estimates that his company’s data-wiping project
will take a few months and about three engineers working full time.
Currently, when a visitor enters a building with an Envoy
registration system, a message is sent alerting the appropriate employee that
they have a guest. Envoy can send such messages — by text, email or other
messaging services — because the customer data is stored on its servers, which
are hosted remotely by Amazon Web Services, the cloud division of Amazon. The
information is encrypted, but Envoy holds the keys to unscramble it. (Amazon
CEO Bezos owns The Washington Post.)
Under the new protocol, the engineering team will have to
reconfigure the system so that the keys to unscramble the data are kept by the
customers on the iPads used to sign people in. Envoy will no longer have the
ability to access the keys. The technical challenge will be making it possible
for the iPads to alert people when they have visitors, instead of having the
alerts come from Envoy’s servers. The goal is to make the change unnoticeable
to users, Gadea says, but it could take months to get there.
There will undoubtedly be many trade-offs, Gadea said.
Not only will Envoy sacrifice the ability to send visitor notifications
directly, but customer service also could become more challenging. Today, if
one of Envoy’s 2,000 customers asks for help correcting a mistake in a visitor
name or resetting a password, an Envoy customer service rep can lend a hand.
Under the new system, Envoy’s reps could have their hands tied.
The new system could also make it harder to fix software
errors because Envoy will no longer be able to push out automatic updates from
its servers. And if a customer loses its passwords or keys, Envoy won’t have
the ability to restore the lost data. It will be inaccessible forever.
Gadea said he is not anti-government and would sell
Envoy’s services to the FBI if the agency wished to become a customer. “It’s
like with your friends,” he said, “you’re always going to find one thing you
don’t like about them. But you’re not going to hate a person because of one
disagreement.”
And he said he understands the trade-offs.
“For a small startup trying to iterate quickly, it
definitely slows things down,” Gadea said. “But in the long run, it’s a
competitive advantage and it reduces risk on our company. I can sleep better at
night.”
Staff writer Ellen Nakashima contributed to this report.