The Core of the Encryption Debate
- October 30, 2019
- Clayton Rice, Q.C.
On September 3, 2018, AppleInsider reported that the Five Eyes intelligence alliance consisting of the United States, Britain, Canada, Australia and New Zealand issued a Statement of Principles on Access to Evidence and Encryption at the conclusion of a two-day meeting on Australia’s Gold Coast. “Privacy law must prevent arbitrary or unlawful interference, but privacy is not absolute,” the statement read. There have been significant developments in the encryption debate since the Five Eyes statement was released. Here’s an update.
1. The ‘Back Door’ Problem
The Five Eyes consortium went on to assert that government authorities should be able to “seek access to otherwise private information when a court or independent authority has authorized such access.” The statement also encouraged tech companies to “voluntarily establish lawful access solutions to their products and services that they create or operate” in the five countries. It was, then, a request that companies produce a “back door” to their products.
Back door access to encrypted products has been a feature of the encryption debate for years. It is a well-worn complaint by law enforcement that the use of encrypted communications by terrorists and other targets impedes investigations by creating a ‘going dark’ problem. Going dark involves the use of encryption to protect both stored data and data in transmission. The Five Eyes statement put the need for electronic surveillance over the needs of everyone else this way:
“[T]he increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.”
“There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world. This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice.”
2. Australia’s Encryption Bill
On December 6, 2018, the Australian Parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. The statute requires “designated communications providers” to render support to agencies of the Australian government by way of a Technical Assistance Notice (TAN) or a Technical Capability Notice (TCN). A TAN would allow certain government agencies to require assistance that a designated communications provider is capable of giving. A TCN would require a provider to build such a capability if it presently lacks the ability to assist. (See: Jamie Tarabay. Australian Government Passes Contentious Encryption Law. The New York Times. December 6, 2018)
The Australian statute was ridiculed world-wide. The concern of tech companies is, of course, being targeted by a TCN to defeat encryption systems by building back doors. It is a legislative device that implements an “offence dominant” approach to Internet security irrespective of whether it is a realistic one. It is important, however, to recall exactly what law applies in Australia to understand this short-sighted policy. “The laws of Australia prevail in Australia, I can assure you of that,” former Prime Minister Malcolm Turnbull had said on July 14, 2017. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
On July 23, 2019, during a speech on encryption policy at Fordham University in New York, US Attorney General William Barr admitted that back doors to encrypted communications will weaken security but added that the risk is worth the price of admission. “[I]n the world of cybersecurity,” Mr Barr argued, “we do not deal in absolute guarantees but in relative risks.” All systems have vulnerability risks that the tech community recognizes when it suggests that law enforcement can exploit vulnerabilities in their products. “The real question,” Mr Barr continued, “is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those in the modified product.”
Mr Barr emphasized that, particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. “After all, we are not talking about protecting the nation’s nuclear launch codes,” he said. “Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications.”
4. The Baker Post
On October 22, 2019, in a post to Lawfare titled Rethinking Encryption, former FBI general counsel Jim Baker reflected on these interrelated subjects: national security, cybersecurity, counterintelligence, surveillance, encryption and China. Mr Baker concluded that it is time for government authorities “to embrace encryption” because it is one of the few tools available that “the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China.” Here are four takeaways:
- [T]he situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data – especially metadata – than ever before is available for collection and analysis by law enforcement.
- [A] solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.
- The core of the encryption debate today, then, is disagreement over how best to balance the various costs and benefits associated with encryption and potential ways for law enforcement to access encrypted communications. Public safety officials simply disagree with others – companies, cybersecurity experts, academics and civil society groups – about how best to reconcile those costs and benefits.
- All public safety officials should think of protecting the cybersecurity of the United States as an essential part of their core mission to protect the American people and uphold the Constitution. And they should be doing so even if there will be real and painful costs associated with such a cybersecurity-forward orientation. The stakes are too high and our current cybersecurity situation too grave to adopt a different approach.
Mr Baker concluded that the security of strong encryption outweighs the security of encryption with back doors although it will “impose costs on society, especially victims of other types of crime.” He has, then, aligned himself with Mr Schneier in endorsing a “defence dominant” strategy for Internet security. In Click Here To Kill Everybody, Mr Schneier said this, at pp 161-2: “If we are ever going to secure the Internet, we need to prioritize defense over offence in all of its aspects. We’ve got more to lose through our Internet vulnerabilities than our adversaries do, and more to gain through Internet security. We need to recognize that the security benefits of a secure Internet greatly outweigh the security benefits of a vulnerable one.”
The most important thread now running through the encryption debate is this one. It is time for western democracies to implement what cybersecurity experts have been advocating for years – the defence dominant policy for Internet security. It is the only policy that withstands the scrutiny of rigorous cost-benefit analysis. As Mr Schneier said in Click Here To Kill Everybody, at p 171, combined with authentication, encryption is “probably the single most essential security feature for the Internet.”
Encryption is not a panacea. But it’s far ahead of whatever’s in second place.