Moving the Encryption Policy Conversation Forward

The encryption of data and communications has long been understood as essential. Strong encryption thwarts criminals and preserves privacy for myriad beneficiaries, from vulnerable populations to businesses to governments. At the same time, encryption has complicated law enforcement investigations, leading to law enforcement calls for lawful access capabilities to be required of encryption technologies.

The 2016 San Bernardino legal dispute between the Federal Bureau of Investigation (FBI) and Apple over access to an encrypted iPhone provided a snapshot of the contentious debate on law enforcement access to encrypted data. Law enforcement initially argued that mobile device encryption presented a significant barrier to its efforts to investigate a deadly counterterrorism case. Apple responded that the FBI’s request that it create software to circumvent its encryption raised unacceptable implications for the security of its broader customer base. The ensuing legal showdown left little room for compromise. The dispute ended when the FBI found a way to access the device without Apple’s assistance, so the courts did not resolve the issue.

Since that time, a variety of attempts have been made to move the discussion forward. A report published in February 2018 by the National Academy of Sciences (NAS) enhanced the common understanding of encryption and illuminated the false dichotomy that some have drawn between “security” and “privacy.” Security in the context of the encryption debate consists of multiple aspects including national security, public safety, cybersecurity and privacy, and security from hostile or oppressive state actors. The key is determining how to weigh competing security interests. The report therefore presents a framework of essential questions to evaluate plans for lawful access to encrypted data. In addition to the 2018 report, several computer scientists have proposed, albeit with controversy, design approaches they argue would allow access while using a variety of technical and procedural safeguards to minimize the increased risk to cybersecurity and prevent misuse. Finally, some governments have helpfully begun to acknowledge the difficulty of the problem and the downsides of requiring government access. A recent article by UK officials, for example, highlights the lack of silver bullet solutions and therefore the need for principled collaboration and compromise.

At the same time, disclosures of massive data breaches and revelations about the powerful user-tracking abilities of technology companies have underscored the valuable role encryption can play in safeguarding personal data. Individuals around the world—from everyday citizens to at-risk groups such as journalists, activists, and marginalized groups fearing persecution—increasingly make use of encryption to protect not just against cyber crime but also against unwanted disclosure and monitoring by technology platforms and other actors. The importance of encryption has grown as information technology enables the creation and storage of more and more sensitive personal information. User-controlled encryption is, and will remain, an essential means of meeting that demand for protection, particularly as individuals become more skeptical of U.S.-based and foreign technology companies that would otherwise have access to sensitive private information. In addition, other countries have taken steps to strengthen data protection, such as the European Union General Data Protection Regulation (GDPR).

The group behind this paper—including former government officials, business representatives, privacy and civil rights advocates, law enforcement experts, and computer scientists—came together believing that more common ground is attainable and that the discussion can be best honed through specific, honest, and open-minded discussion among diverse perspectives. Our goals are:

  1. to engage in and promote a more pragmatic and constructive debate on the benefits and challenges of the increasing use of encryption;
  2. to identify specific areas where greater common ground may be possible; and
  3. to propose potentially more fruitful ways to evaluate the societal impact, including both benefits and risks, of any proposed approaches that address the impasse over law enforcement access to encrypted data.

We should highlight that we approach this issue from the point of view of stakeholders in the United States and discuss our framework for evaluating approaches in the U.S. context with policymakers at the national level as the target audience. The working group has sought not to repeat but rather to expand upon the 2018 NAS study. Although in many cases we reinforce some of the findings of the NAS study, our paper delves more deeply into one particular component of the debate—that on mobile phone encryption—and details a more specific approach to evaluating proposals focusing on law enforcement access to encrypted mobile phones.

We do so for two reasons. First, it is the problem set that is most commonly raised by law enforcement. Second, and importantly, we also found greater common ground here and believe this is the area where a constructive dialogue is more achievable than in other, even more contentious areas such as encrypted communication.

In this paper, we do not rule out any way forward regarding law enforcement access to encrypted mobile phones, nor do we endorse or propose any specific technical approach or legislation or mandates. Rather, we share what has shaped and emerged from our discussions: a framework for decisionmaking based on our findings about how to productively focus encryption considerations and debate, the core principles to which any proposed approach should adhere, and our approach to identifying and weighing risks through practical threat scenarios. These components have enabled our group to find unanticipated agreement on some points, and we hope they will do the same for the broader debate over law enforcement access and encryption.

PURSUING A MORE CONSTRUCTIVE DIALOGUE ON ENCRYPTION AND LAW ENFORCEMENT ACCESS

Many groups have published principles and key considerations related to the debate over law enforcement access to encrypted data. Each has helped advance the discussion by identifying key equities at stake, offering guidance for reaching agreement, or communicating the views of different groups. Rather than repeating that content or proposing to replace it, we have set out several guidelines that can motivate better, healthier dialogue and avoid unproductive dead ends.

AVOID ABSOLUTIST POSITIONS

All stakeholders should avoid holding absolutist positions; these are unlikely to result in productive dialogue. The focus should be on a careful and specific assessment of risks, benefits, trade-offs, and options. The goal must be to recognize, balance, and align core principles across a broad range of social and organizational interests. The United States and other liberal democratic governments are established, in part, to protect equality under the law as well as individual privacy and liberty. They are responsible for protecting the public safety and national security. They advance the economic interests of businesses and markets and carry out the full scope of a country’s foreign policy. A more constructive debate requires continuing to deliver concurrently on all these promises: not by simply trading one for the other, but by seeking the best possible alignment of interests, as guided by shared principles and values.

FRAME THE DEBATE AS A SHARED CONCERN

Those who favor broad availability of strong encryption do not dispute that law enforcement is challenged by encrypted communications and devices and that in some instances strong encryption facilitates crime that harms real victims; those who favor lawful access do not dispute that use of strong encryption prevents crime and protects people. Stakeholders should seek out areas of common ground, establish shared interests, and consider and include the perspectives of all relevant stakeholder communities, not just a subset. Groups that are often underrepresented in this debate, including communities of color and low-income communities, bring valuable insights on how encryption policies could affect certain areas, for example, the disparate impacts of law enforcement and the impact on U.S. values of equality, openness, and privacy. Even within our group, we recognize that there are several such stakeholder communities that are not represented. We urge those who build upon our work to continue to expand engagement with these communities.

RECOGNIZE THAT SECURITY TAKES MANY FORMS AND IS INTERTWINED WITH PRIVACY AND EQUITY

“Security” can be defined in a variety of ways, such as national security and public safety, cybersecurity and privacy, or security from hostile or oppressive state actors. These interests are all priorities. All parties—including those who typically make rights-based arguments and those who typically make national security–and law enforcement–based arguments—are concerned with thwarting malicious actors, criminals, terrorists, and foreign agents, and with investigating and preventing crime and threats to public safety. Encrypted technologies also support and enhance not only the speech and communications of individuals and communities but also the missions and operations of national security and law enforcement. The key is determining jointly how to weigh competing security responsibilities based on factual analysis and more informed cost/benefit assessments.

ASSESS THE RANGE OF IMPACTS

Privacy, cybersecurity, public safety, and national security are important, but they are not the sole interests at stake. Economic competitiveness, foreign policy, freedom of expression, civil and human rights, and the need to maintain an open internet are other important and sometimes overlapping interests. U.S. companies do business around the world. In addition, the U.S. economy and national security benefit from the U.S. technology advantage. Careful consideration is therefore warranted of whether any action might accelerate the loss of that advantage, especially in an environment where some nations and populations hold fairly antagonistic sentiments toward U.S. companies and manufacturers.

ATTEND TO INTERNATIONAL DYNAMICS

While this paper focuses on the United States, the U.S. debate is not happening in a vacuum; it will affect (and be affected by) choices made in other countries and by non-U.S. technology companies. (Recent papers published by the Encryption Working Group assess the environment in Australia, Brazil, China, Germany, India, and the European Union.) Any proposed approach should be adaptable beyond a U.S. setting, both to enhance commonality and to reduce the burden of implementation. Policymakers should consider the viability of any proposal in light of users and devices crossing borders. They should further consider that U.S. policies will give legitimacy to replication by other nations, including those with weaker judicial protections and records on human rights. Finally, policies should be considered in light of the effect they will have on U.S. foreign policy interests.

THINK LONG TERM

Given rapidly changing technology and governmental needs, a long-term perspective is essential. Governments should account for technological change and recognize that needs will change over time. Industry, for its part, will innovate over time and in response to governance. Questions including how encryption is likely to be deployed over time (based on evolving market trends, customer demand, and engineering realities) are important to consider, as is the continued rapid growth of digital data collection and storage. Recent papers published by the Encryption Working Group, for example, examine the impact of quantum computing and likely future adoption of user-controlled encryption.

ACCEPT IMPERFECTION

No approach will address every concern perfectly. Stakeholders must accept that some level of risk is inherent in any future path. Cybersecurity advocates should not dismiss out of hand the possibility of some level of increased security risk, just as law enforcement advocates should accept that they may not be able to access all of the data they seek. More conversations are needed to identify a reasonable standard of expectation in these areas, and whether precedents and existing standards (for example, those in the Electronic Communications Privacy Act, Wiretap Act, Foreign Intelligence Surveillance Act, or Fourth and Fifth Amendment jurisprudence) offer any guidance.

SEPARATE THE DEBATE INTO COMPONENT PARTS

It is probably impossible to establish a single approach that applies to each of the diverse applications of encryption in society. Stakeholders, technologies, processes, policies, and regulatory environments are very different when it comes to protecting data in the cloud, data in motion, and data on devices. Proposals that attempt to solve every issue are unlikely to succeed. The more constructive discussions will be those that examine one part at a time. Some components, as described in the next section, are more worthy of pursuit than others.

PLACE THE ISSUE OF ENCRYPTION INTO THE BROADER CONTEXT OF LAW ENFORCEMENT CAPABILITIES

Encryption has taken a central role in much of the public debate, but other policies and practices also affect law enforcement’s ability to obtain data sought for investigations. These include accessing data in the cloud and on internet-of-things devices, use of communications metadata, law enforcement hacking, obtaining timely and full compliance with court orders and other legal process in situations not involving encryption, as well as such legal and policy tools as mutual legal assistance treaties, personnel and resource levels, and policies on how government hacking is handled (for example, the vulnerabilities equities process). Investments in these areas could theoretically offset some of the impact on law enforcement from inaccessible encrypted data, but they also come with their own complex considerations and trade-offs.

RECOGNIZE THERE IS NO PURELY TECHNICAL APPROACH

Any proposal to increase law enforcement access must address process, infrastructure, and policy—not just technology. How would requests for access be made and authenticated? What would be the roles and responsibilities of various actors in the system? How would information be delivered? What sort of legal duties would law enforcement have to satisfy? What are the oversight expectations? What would be the risks and benefits due to these nontechnical aspects? These kinds of nontechnical questions are necessary to understand fully any such proposal’s risks and benefits.

RECOGNIZE THE CHALLENGE OF EFFECTIVE IMPLEMENTATION

A key principle of cybersecurity is to keep the design of systems as simple as possible; complexity greatly increases the risk of insecurity. Any proposal should attempt to minimize the risk of catastrophic failures at the implementation level.

BALANCE THE NEED FOR A STRATEGIC APPROACH AND THE NEED FOR TECHNICAL DETAIL

The world of cryptography, digital communications, and data management is deeply technical; this complicates the broader societal conversation that is needed on encryption. On one hand, more strategic, accessible approaches are needed to broaden this circle. On the other, some risks often can only be identified at very detailed, technical levels of investigation. Proposals should be tested multiple times—including at strategic levels (for example, do they establish high-level principles and requirements to weed out incomplete or unfeasible proposals?) and at technical levels (for example, what are the technical risks of the specific implementation?).

PRODUCE BETTER DATA FOR BOTH THE RISKS AND BENEFITS OF A PROPOSAL

Many reports have lamented the inadequacy of available data to understand and evaluate the risks and benefits of proposals for law enforcement access to encrypted data. Agencies could adopt procedures to generate better data, such as tallies of how many encrypted devices they have encountered and in what types of cases. Structural challenges to producing the desired data require addressing the following questions: how can federal, state, and local law enforcement provide accurate data about investigations, or measure the quality of “leads” that came from such information? Similarly, how can stakeholders assess the degree to which a proposed solution is likely to result in a reduction in privacy for individuals, for example, who are not the intended targets of a lawful search? In other cases, such as understanding state- and local-level needs, the challenge is more about resources and authority to request such data. In any case, stakeholders in the encryption debate have an ongoing responsibility to reevaluate and seek better data to inform the debate.

For full text:

Carnegie Endowment
