by Tim Maurer and Arthur Nelson*
In many countries, a battle is brewing that only occasionally breaks to the surface: whether and how the government can access encrypted data and communications.
A new so-called cryptowar erupted in Europe in 2016, after terrorist attacks in Paris and Brussels, when some EU member states called for EU-wide legislation to ensure law enforcement agencies could access encrypted data. The fear was that law enforcement would be unable to stop future attacks because terrorists could hide their plans.
Other member states pushed back. Germany responded that “a regulation to prohibit or to weaken encryption . . . has to be ruled out, in order to protect privacy and business secrets.”
The same year on the other side of the Atlantic, the U.S. Department of Justice clashed with Apple over accessing a terrorist suspect’s encrypted iPhone.
In 2019, the Australian, British, and U.S. governments pushed Facebook to build its encrypted messaging apps in a way that would preserve access for law enforcement. Facebook refused. The European Commission is still straddling the debate, promising that “no ban on encryption is being considered” but hedging that law enforcement access “may be justified in individual cases by the objective of preventing or investigating criminal offences.”
Why hasn’t a solution been found?
One problem is that the debate is often framed as two sides stuck in opposing political trenches. One side wants law enforcement to have special access to encrypted data following legal processes. Those on the other side want to maximize the protection provided by encryption because they worry that access for law enforcement can be exploited by foreign spies and will weaken security for everyone. However, this dichotomy is overly simplistic.
So, what next? To start, let’s back up and explain the dimensions of the debate.
Encryption secures data by scrambling the original content into a string of characters that can be deciphered only with a key. These data can be either at rest—for example, a photo stored on your phone—or in motion—for instance, messages sent through Facebook or data exchanged between you and your family over video chats. (The recent debate amid the coronavirus pandemic over Zoom’s privacy protections also had to do with encryption.)
A trend toward stronger and more user-controlled encryption is why law enforcement agencies have become more worried.
Paired with this is the fact that tech companies sometimes build products and applications with encryption in a way that they themselves can’t decipher—only the user can. That poses challenges for law enforcement agencies if that user is a criminal suspect and the data are of interest for an investigation.
This trend is not new, but encryption has become cheaper and easier to use. From protecting business secrets to guarding citizens’ private information, there has been a growing demand for strong encryption across society. It is this increasing ubiquity of strong encryption that scares law enforcement.
Widely used messenger services like WhatsApp and Google Messages, and popular mobile devices like Apple’s iPhone, have been the focus of attention. What frustrates law enforcement officials is that even if they have a warrant, some technology companies can’t decipher the sought-after content.
And, while law enforcement’s capabilities have been weakened by encryption in some ways, they have improved in other ways: location tracking through mobile devices, increased video surveillance, and the adoption of cloud services have made certain investigations easier. Society will need to consider these factors as it determines the appropriate rebalancing.
This debate is particularly complicated for democratic societies. In the West, governments must reconcile various dimensions of security, from terrorist threats to cyber espionage, and rights to privacy and data protection.
By contrast, in China and Russia, the encryption debate is one sided. Governments in both countries emphasize centralized control and have the legal authority to order companies to provide access to their users’ content.
The Australian and UK governments have passed laws that allow them to force tech companies to give law enforcement access to data. This has triggered substantial controversy, and opposing political parties have promised reform.
To advance a more constructive debate, Carnegie’s Encryption Working Group, co-convened with Princeton’s Center for Information Technology Policy, published a consensus report last fall.
The group found that there is no single solution to this debate. It also found that a solution to access encrypted data in motion may not offer an achievable balance of risk versus benefit; as such, this approach is not worth pursuing and should not be the subject of policy changes—at least for now.
Instead, the focus should be on data at rest. As Ed Felten, a Princeton professor and author of the report, argued, “in fishing for solutions to the encryption debate, it is not clear if there are any fish to be caught—but data at rest is the best area to cast your line.”
The global shift to remote working and a reliance on virtual communication tools like Zoom illustrate that there are many reasons for strong encryption. The way societies adapt to the coronavirus in the long term could require governments to revisit their stances toward encryption.
Whatever the future may bring, as the encryption debate evolves, societies should resist jumping into opposing trenches. Instead, it is important to break the debate down into its component parts and, ideally, focus on data at rest—the most promising area for a more constructive debate.
*co-director of the Cyber Policy Initiative and a senior fellow at the Carnegie Endowment for International Peace and a research analyst in Carnegie’s Cyber Policy Initiative
**first published in: carnegieeurope.eu