The Issue with Encryption

Executive Summary:

On March 28, the FBI disclosed that it had successfully unlocked the iPhone of Syed Rizwan Farook, the San Bernardino shooter, with the help of an unidentified third party.  The revelation effectively brought to a close the fierce public and legal standoff between the FBI and Apple over access to data housed on Mr. Farook’s phone.

Though the particular battle between the FBI and Apple over Farook’s phone has been put to rest, the larger struggle persists between private industry and the federal government over U.S. law enforcement access to data housed on personal devices. Meanwhile, the challenges that robust encryption technologies present to U.S. law enforcement are only poised to grow as such technologies mature in sophistication and strength. 

The John Hay Initiative’s Intelligence and Cyber working groups recently convened a dialogue on U.S. law enforcement access to personal devices and new encryption technologies.  This paper captures the diverse views that ran through the discussion and presents a balanced assessment of calls for access and the associated risks.  Despite varying opinions on the wisdom of mandating access for U.S. law enforcement, our working group members agreed unanimously that the public and private sectors need to jointly identify a solution that strikes a sufficient balance between privacy and security.  The paper closes with policy recommendations.

Discussion:

The merits of strong data encryption are well-established.  Encryption helps protect the privacy of U.S. citizens, safeguarding their data and communications against criminal eavesdropping and foreign government snooping.  In the era of e-commerce and online banking, encryption also protects sensitive credit card information and ensures secure online transactions.  U.S. firms rely critically on encryption technology to shield trade secrets and other proprietary data against economic espionage.  And encryption helps defend the vital work of dissidents, journalists, and NGOs operating under repressive governments across the globe.

Strong encryption, however, is a double-edged sword.  Just as encryption defends the privacy of ordinary citizens, it also protects the data and communications of malicious actors looking to flout U.S. law and do harm to American interests.  Savvy criminals are increasingly turning to new encryption technologies as a means of evading U.S. law enforcement.  Similarly, as the FBI has repeatedly warned, terrorist organizations like ISIS are exploiting encryption tools to avoid detection while communicating with operatives and recruiting new members.

While encryption is hardly a new phenomenon, much has been made of recent decisions by technology companies like Apple and Google to proactively tie their own hands when faced with government requests for assistance in decrypting user data.  In September 2014, Apple announced that it would no longer retain the keys necessary to unlock mobile devices and decrypt user data, rendering itself incapable of accommodating lawful requests to help access encrypted content stored on locked devices.  At the same time, Apple and Google introduced new operating systems featuring data encryption by default (or built-in encryption), increasing the pervasiveness of strong encryption and further limiting U.S. law enforcement’s ability to access targeted data.  And while mobile device providers like Apple and Google encrypt data at rest through “device encryption,” messaging services like WhatsApp are increasingly securing data in motion through “end-to-end encryption,” which prevents decryption by any party other than a message's sender and intended recipient.

Going Dark?

Together, these developments have reignited concerns over what FBI Director James Comey has called the “going dark” problem, which reflects the gap between U.S. law enforcement’s legal authority to access real-time communications and dormant data and its technical capability to access such content.  Although law enforcement enjoys the legal authority to intercept real-time communications and access data stored on a target’s mobile device pursuant to a court order, strong encryption is placing both data in motion and data at rest farther out of the government’s reach, hindering law enforcement’s ability to prevent and prosecute criminal and terrorist activity.  While the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunication carriers to build lawful interception capabilities into their networks, CALEA was enacted in 1994 and many of today’s communication service companies are not subject to the law.  As the federal government struggles to keep pace with rapidly advancing encryption technologies, the FBI is sounding the alarm that criminals and terrorists will look to exploit the growing gulf between law enforcement’s legal authority and technical capacity.

Some suggest that the going dark scenario is overblown and that ubiquitous adoption of strong encryption is unlikely.  As experts from Harvard’s Berkman Center for Internet & Society explain in their February 2016 report on the going dark debate, strong incentives exist for companies to resist employing robust encryption protocols, including a growing reliance on data-driven advertising and cloud computing services—both of which require access to unencrypted user data.  While acknowledging that strong encryption may frustrate U.S. law enforcement efforts, the Berkman Center report suggests that networked sensors and the Internet of Things present new vectors for data collection and that these can offset the loss of content brought about by strong encryption.   What’s more, encryption does not impede law enforcement’s ability to access metadata,[1] which is already well-established as a crucial law enforcement and foreign intelligence collection tool and may also help compensate for the loss of content due to encryption.

Others, however, are not assuaged by the notion that business incentives currently discourage the widespread adoption of encryption.  Nor are they convinced that the void left by encryption can be easily filled through alternative avenues of information gathering.  Even if business interests help stall the ubiquitous use of strong encryption, the proliferation of accessible encryption tools will nevertheless allow determined criminals and terrorists to operate in the digital shadows.  As the Office of the Director of National Intelligence warned in its response to the Berkman Center report, “This means that law enforcement and national security personnel are losing access to the one area that we care about the most—the content of communications of violent criminals and terrorists.”  And while metadata and novel surveillance methods may indeed contribute to law enforcement efforts, it is difficult to imagine that these tools can compensate for the loss of potentially actionable content that could prove critical in disrupting criminal activity or thwarting a terrorist attack.  The government often does not have the luxury of time in the middle of a hot threat investigation, where the objective is not simply to obtain evidence for a prosecution, but to access information that may help to prevent a coming attack.  If, for example, Mr. Farook’s iPhone had contained information that implicated another confederate who was still at large and planning another attack, the “one-off solution” used by the FBI, i.e. paying a third party $1.5 million to hack the iPhone, might have come too late to prevent the second attack.  This is not to mention the potentially significant legal and technical barriers that may prevent U.S. law enforcement from exploiting networked sensors and the Internet of Things for data collection purposes.

Technical Feasibility

Those unnerved by the march towards indecipherable data and impregnable systems have called on communications companies to provide U.S. law enforcement with access to encrypted data when legally warranted.  While a technical discussion of the proposed methods for providing access is outside the scope of this paper, advocates insist that such access can be granted in a secure manner that maintains consumer privacy and remains within the bounds of the law.

Many technical experts, however, disagree.  Providing access, they argue, will inherently generate new risks and render user data less secure.  As a group of noted cybersecurity experts affiliated with MIT’s Computer Science and Artificial Intelligence Laboratory explained in 2015, these access proposals run counter to “forward secrecy”[2] and other current best practices in data security.  The MIT report also stressed that “complexity is the enemy of security.”  Because building in access for U.S. law enforcement would contribute to system complexity, it would also necessarily contribute to system vulnerability.  Disturbingly, providing access is also likely to create new high-value targets for malicious actors, effectively placing a bull’s-eye on backdoors or systems tasked with storing “golden keys” for U.S. law enforcement purposes.  These systems—even if highly secured—are not impervious to attack.

Supporters of the FBI, however, view this argument as untethered to the real world; they note that, whatever the merits of this argument as a matter of theory, it has little application to Apple and most other commercial encryption suppliers.  That’s because Apple and other companies have often retained “golden keys” that grant access to their own products so they can push updates at will. 

The Value of Encryption

Despite “going dark” and technical concerns, both sides of the discussion agree that strong encryption is valuable.  Testifying before the House Judiciary Committee in March, Comey explained, “[I]t is important for our global economy and our national security to have strong encryption standards…. We support and encourage the use of secure networks to prevent cyber threats to our critical national infrastructure, our intellectual property, and our data so as to promote our overall safety.”  In addition, law enforcement officials insist that the potential gains that providing access would yield must be weighed against any risk to data security that such access would create.  The Manhattan District Attorney’s Office argued in its November 2015 white paper on encryption that while the loss of personal security due to providing access is likely to be minimal, reequipping law enforcement with the ability to access targeted data would greatly contribute to societal security.  Testifying before the House Committee on Energy and Commerce, the FBI’s Amy Hess also restated that her agency recognizes that “there is no one-size-fits-all strategy that will ensure success.”  The FBI has repeatedly expressed that it is open to working with communications providers to develop tailored solutions.

Global Considerations

Privacy advocates have warned that mandating access would set a dangerous global precedent.  Should tech companies be required to provide access to U.S. law enforcement agencies, they would have little justification to resist similar requests from countries like Russia or China that may wish to monitor the communications of political dissidents or liberal activists.  As global demand for strong encryption technology grows, industry spokesmen claim, an access mandate in the U.S. could also drive internet traffic and encryption innovation offshore.  Law enforcement advocates counter that if, like the Feinstein-Burr draft circulated recently,[3] the mandate applies to any product sold in the United States without regard to where it is produced, the impact on U.S. companies would be no greater than on foreign companies.  If the mandate were limited to goods and software produced in the United States, however, it could undermine the global competitiveness of American tech companies and hamper U.S. law enforcement and foreign intelligence collection efforts by incentivizing criminals and terrorists to abandon U.S. communications platforms.

Another consideration is the direction that global technology will take regardless of U.S. legislative or judicial action.  Some argue the current technological trend to create impenetrable encryption cannot be stopped.  Whether or not they are illegal in the U.S., devices made offshore will be brought into the U.S., and criminalizing possession of these devices is impractical.  At the same time, others rebut the notion that global technology is headed toward an inevitable encrypted future, arguing that its direction is instead set by profit, law, and technological feasibility.  Encryption is a product feature, and it is still unclear whether strong encryption security is a decisive differentiator for purchasers.  For example, Huawei and ZTE Corporation phones are two of the fastest growing brands in the U.S. market, despite widespread suspicions that the Chinese government induced both companies to build backdoors into the devices.  Moreover, should U.S. law impose penalties or liability on those who sold law-enforcement-defeating products in the U.S., the few encrypted devices that made their way to the U.S. market--like the European auto imports that do not meet U.S. air quality standards--would not put much competitive pressure on sellers who do obey the law.  Hence, the direction of technology will be determined by consumers, but law can also guide that direction as long as it doesn't conflict with consumer demand.

Law enforcement supporters also contend that mandating access for U.S. law enforcement will do little to influence the behavior of illiberal countries like China and Russia.  These countries are likely to demand access to communications for surveillance purposes regardless of U.S. policy.  Indeed, Russia’s new related law appears to do just that, and Apple has already reportedly accommodated Chinese demands to retain greater control over its citizenry’s data.  In 2012, Apple released the iPhone 4S in China after fitting the device with a chip designed to support a controversial Chinese-made version of Wi-Fi, which is suspected to feature a true backdoor.  In 2014, Apple also relocated its Chinese users’ iCloud data to state-run servers in China—a move that some suggest has made such data more accessible to the Chinese government.  

Relatedly, tech companies need not treat all requests for data decryption equally.  Whereas U.S. law enforcement agencies request access to encrypted content through a careful legal process, an authoritarian government may demand that companies operating in its country accommodate extralegal surveillance activities.  Because tech companies choose where to do business, they are ultimately at liberty to decide whether or not to comply with unlawful requests for data.  Complying with lawful U.S. requests does not limit a company’s ability to rebuff the extralegal practices of repressive regimes.

Advocates of access for U.S. law enforcement also note that mandating access would not place the U.S. out of step with other liberal democracies.  In the aftermath of recent terrorist attacks in Paris and Brussels, European governments have sought to make communications data more accessible to their intelligence and law enforcement agencies.  The UK’s House of Commons recently passed the Investigatory Powers Bill, expanding the government’s surveillance authority and authorizing courts to order companies to break their encryption in select cases.  In March, France’s lower house of parliament passed an amendment that would penalize tech companies that refuse to provide access to encrypted data during terrorist investigations.

Recommendations:

  • Silicon Valley and the federal government should seize the moment and commit to working together to solve the encryption issue in a mutually beneficial manner.  Another terror attack against U.S. targets could effectively close the window of opportunity to arrive at a solution that adequately balances privacy and security concerns.  Legislation enacted as a whiplash response to any such attack is unlikely to satisfy all stakeholders.
  • Efforts in the House to establish a digital security commission and the recent formation of a congressional working group on encryption represent positive steps.  The worth of these initiatives, however, will be determined by the extent to which they are able to bring industry and government together and make headway in solving the encryption puzzle.
  • Any attempt to mandate access through legislation should be informed by an understanding that encryption technology is quickly evolving, and is thus a moving target.  New technology could easily eclipse narrowly drafted legislation.  To ensure that their legislation is both comprehensive and forward-looking, lawmakers should solicit significant input from tech companies, law enforcement, digital experts, and the privacy community.

Further Reading:

“No Time to Relax: A Digital Security Commission for the Next Generation” The Hill, May 27, 2016, see at http://thehill.com/blogs/congress-blog/homeland-security/281484-no-time-to-relax-a-digital-security-commission-for-the

“Don't Panic: Making Progress on the 'Going Dark' Debate” The Berkman Center for Internet & Society at Harvard University, February 1, 2016, see at https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf

“Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications” MIT Computer Science and Artificial Intelligence Laboratory, July 6, 2015, see at https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf

“The Ground Truth About Encryption And The Consequences of Extraordinary Access” The Chertoff Group, March 1, 2016, see at https://chertoffgroup.com/cms-assets/documents/238024-282765.groundtruth.pdf

“Report of the Manhattan District Attorney's Office on Smartphone Encryption and Public Safety” Manhattan District Attorney's Office, November 18, 2015, see at http://manhattanda.org/sites/default/files/11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety.pdf

“Decrypting Our Security: A Bipartisan Argument for a Rational Solution to the Encryption Challenge,” Jamil N. Jaffer & Daniel J. Rosenthal, 24 Cath. U. J. L. & Tech (2016), see at http://scholarship.law.edu/jlt/vol24/iss2/3


[1] Metadata, i.e. the information about the communication, such as phone numbers, email addresses, email headers and other similar information, must stay unencrypted in order for the systems that distribute the information to operate. 

[2] “Forward Secrecy” is a cryptography term used to describe a property of secure communications that keeps session keys secret even if a long-term key is later compromised. In other words, forward secrecy ensures that encrypted communications recorded in the past cannot be later retrieved and decrypted, should a password or long-term secret key be compromised in the future.
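To make footnote [2] and the MIT report’s point about “golden keys” concrete, the following is an added Python example (not code from this paper or from any of the reports it cites) that contrasts a session keyed from a server’s long-term key with a forward-secret session that uses a fresh ephemeral key. The group parameters, the keystream cipher, and the scenario of a long-term key later being handed over are all constructed for illustration and are not a real protocol.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only; a real protocol
# would use a standard group (e.g. an RFC 7919 group or an elliptic curve).
P = (1 << 127) - 1
G = 3


def derive_key(shared_secret: int) -> bytes:
    """Hash a DH shared secret down to a 32-byte session key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def new_long_term_key() -> tuple:
    """Server's long-term (private, public) pair; the private half is what escrow would retain."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_static(server_pub: int, plaintext: bytes) -> dict:
    """Session whose key is derived from the server's LONG-TERM key (no forward secrecy)."""
    c = secrets.randbelow(P - 3) + 2
    key = derive_key(pow(server_pub, c, P))          # equals G^(c*s) mod P
    return {"client_pub": pow(G, c, P), "ciphertext": stream_xor(key, plaintext)}


def session_ephemeral(plaintext: bytes) -> dict:
    """Forward-secret session: the server contributes a fresh ephemeral key e each time.
    In a real protocol the server would sign its ephemeral share with its long-term key;
    that signature is omitted here because it does not change what a recording reveals."""
    c = secrets.randbelow(P - 3) + 2
    e = secrets.randbelow(P - 3) + 2
    client_pub, server_eph_pub = pow(G, c, P), pow(G, e, P)
    key = derive_key(pow(server_eph_pub, c, P))      # equals pow(client_pub, e, P)
    # c and e are discarded when this function returns; only the transcript is recorded.
    return {"client_pub": client_pub, "server_eph_pub": server_eph_pub,
            "ciphertext": stream_xor(key, plaintext)}


def decrypt_recording_with_long_term_key(server_priv: int, transcript: dict) -> bytes:
    """What a party holding only the server's long-term private key (for example an
    escrowed 'golden key' obtained after the fact) recovers from a recorded transcript."""
    shared = pow(transcript["client_pub"], server_priv, P)
    return stream_xor(derive_key(shared), transcript["ciphertext"])


if __name__ == "__main__":
    priv, pub = new_long_term_key()
    msg = b"constructed sample message"
    print(decrypt_recording_with_long_term_key(priv, session_static(pub, msg)) == msg)  # True
    print(decrypt_recording_with_long_term_key(priv, session_ephemeral(msg)) == msg)    # False
```

With the static scheme, a later disclosure of the long-term key unlocks every recorded session; with the ephemeral scheme, the same key recovers only garbage because the per-session secrets no longer exist anywhere.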

[3] In April 2016, Senators Burr and Feinstein released draft legislation, titled the Compliance with Court Orders Act of 2016, which proposed to require all tech companies to retain access to their customers’ encrypted data and extend access to appropriate law enforcement personnel with a proper warrant.  The requirement would apply to all devices and systems manufactured, sold, or used in the United States.