Why the Policy Fight over Encryption Is at an Impasse
The next U.S. government looks set to inherit the ongoing fight over whether the government should rein in encryption.
Add this to the list of unresolved policy issues likely to greet the next tenant of the Oval Office: which side to pick in the entrenched battle over whether technology companies should be forced to provide law enforcement with a way to access our encrypted data and messages.
Last year senior figures at agencies including the FBI, DHS, and the White House all said they needed that power. But in October the White House apparently gave up on the idea, according to congressional testimony by the FBI’s director and memos leaked to the press. That appeased encryption experts, who say any system giving the U.S. government a way around encryption would also be demanded by other governments and would create weaknesses exploitable by criminals or spies.
The peace lasted only about a month. After gunmen killed 130 people in Paris in November, public figures including FBI director James Comey and New York City police commissioner Bill Bratton made fresh demands that encryption be reined in. Such calls were repeated after the December shootings in San Bernardino, California, and several senators, including John McCain and Dianne Feinstein, have said they are developing proposals to regulate encryption software. Just yesterday the FBI's Comey told the Senate Intelligence Committee that encryption is "overwhelmingly affecting" investigations, and has prevented agents from accessing the contents of a phone belonging to one of the San Bernardino shooters.
This time the chances of White House intervention in the fight over encryption look slim, though. “I think this current dynamic is going to be the dynamic for the duration of this administration,” says Ben FitzGerald, director of the technology and national security program at the Center for a New American Security. “The White House does not want to spend its political capital on this topic given the widely divergent opinions between the protagonists.” A petition asking the White House to pledge support for strong encryption, which received over 100,000 signatures, led to meetings with campaigners late last year but no formal response.
Government figures calling for limits on encryption have not rallied around any one proposal, or outlined any in much depth. Among the suggestions are that companies should provide a “back door” for law enforcement or avoid designs like that of Apple’s mobile messaging and disk encryption software, which leaves the company without the encryption key needed to unlock data.
The response from security experts has been less varied. They say encryption has not been shown to be hampering investigators and that creating a way through an encryption system creates weaknesses vulnerable to being exploited by bad actors (see “How an Overreaction to Terrorism Can Hurt Cybersecurity”).
“The idea of providing exceptional access for law enforcement is even more dubious now than it was in the ’90s,” veteran cryptographer Ron Rivest told a security conference last month, referring to the U.S. government’s failed Clipper Chip scheme that asked companies to secure everything using a protocol to which it had a key.
Rivest and other experts point out that open-source encryption software and products developed outside U.S. jurisdiction are easily found online. And they argue that controls on encryption would prevent most people from using the best methods to protect their security and privacy, without troubling the most dangerous wrongdoers. “The only effect would be to put encryption out of reach of less sophisticated Internet users and bad actors,” says Andrew Crocker, a staff attorney with the Electronic Frontier Foundation.
Crocker and others also point to a lack of evidence that encryption is really hampering law enforcement (see “6 Ways Law Enforcement Can Track Terrorists in an Encrypted World”). A Harvard report last week investigated the notion that encryption allows criminals to “go dark” and concluded that the nature of Internet devices and services in fact gives police and government agencies ample opportunity for surveillance and investigation.
One of the most powerful figures in Silicon Valley, Apple CEO Tim Cook, has been particularly outspoken against the idea that government should dictate how his company uses encryption. He has publicly denounced the idea of government controls on encryption and is reported to have challenged national security officials at a January summit they held with West Coast tech companies.
Facebook’s leaders have not taken a public stance. But the executive who founded and runs WhatsApp, Jan Koum, said at a conference in Germany last month that the service’s encryption is being upgraded to a strong, “end-to-end” design similar to Apple’s iMessage. WhatsApp now handles more than 40 billion messages every day.
Google’s leaders have also been publicly quiet, and the company’s relatively unpopular Hangouts messaging service does not use end-to-end encryption. But Google does require some mobile devices running its Android operating system to use disk encryption similar to Apple’s, a feature that has been the target of complaints from law enforcement.
Yet although the next government’s stance on encryption might matter a lot to tech companies, so far the presidential hopefuls haven’t engaged much with the issue, says Chris Soghoian, principal technologist with the ACLU.
Ted Cruz and Bernie Sanders are both generally averse to surveillance, but Marco Rubio and Donald Trump would probably back the idea of limiting encryption in some way were they to win office, he guesses. Hillary Clinton has said she’s against back doors but claimed that she could work out a solution by meeting with technology companies.
That position is emblematic of the divide between technologists and government over encryption, which looks likely to persist, says Soghoian. “What’s probably going to happen is in the next year or two there will be another terrorist attack or mass shooting, and the government will blame encryption again,” he says. “No one thinks that anti-climate-change politicians are credible, but somehow here it’s okay to completely ignore the advice of experts.”
Keep up with the latest in Security at Business of Blockchain 2019.
May 2, 2019