Widespread availability of advanced encryption technology has improved security for consumers and businesses, though some in law enforcement have voiced concerns that it limits their ability to prevent terrorism and prosecute crimes. On July 28, 2018, the Information Technology and Innovation Foundation (ITIF) and the Fourth Amendment Advisory Committee hosted an expert panel to discuss how policymakers can protect consumer and business access to encryption while enacting policies that both encourage advances in cryptology and protect the rule of law.
As digital products and services have become more secure, some in the law enforcement and intelligence communities are concerned about their ability to gain access. While it is important for law enforcement to have the right tools to prevent and solve crimes, history suggests that attempts to limit encryption are impractical, impede progress in information security, create new cybersecurity vulnerabilities, and make it more difficult for U.S. companies to compete abroad.
Representative Suzan DelBene (D-WA) began the event by stating that building “backdoors” in encryption is undeniably bad for security. While the phrase “warrant-friendly encryption” has emerged as a new policy suggestion, she believes it is leaves consumers and businesses open to invasion. She argued that such terminology demonstrates a lack of technology knowledge within government, something she believes more people need to understand in our increasingly complex world. Ultimately, Representative DelBene hopes that the United States will lead by example and ensure that U.S. companies are free to develop the most secure, advanced products in the world. Putting limits on encryption could harm U.S. businesses and open the door for foreign companies to step up. Given the opportunities ahead, ensuring the United States is protecting and promoting encryption has never been more important.
Following the congresswoman’s remarks, the event’s moderator, ITIF Vice President Daniel Castro, kicked off the panel conversation. The panel consisted of experts from a variety of different sectors and perspectives: William A. Carter, deputy director and fellow of the Technology Policy Program at CSIS; Mike Godwin, distinguished senior fellow at R Street Institute; Robyn Green, policy counsel and government affairs lead of the Open Technology Institute at New America; Riana Pfefferkorn, cryptography fellow at Stanford Center for Internet and Society; and Amie Stephanovich, U.S. policy manager at Access Now.
To begin the discussion, Pfefferkorn defined encryption, which is the act of “scrambling” information to make it illegible to outside eyes. Today, encrypted material can be unencrypted with “keys” to mathematical algorithms. Its purpose is to make it difficult for others to access devices, and if they do, almost impossible for them to decipher the data inside.
Though encryption was originally used for national security and financial information, it is a necessary component of digital life today. Smartphones and other devices hold extremely valuable data about most individuals—credit card information, location data, private communication, and more. In more oppressive regimes, encryption can mean life or death—particularly to dissenters, as Stephanovich pointed out.
However, there is no such thing as unbreakable encryption. As a human invention, it is inherently flawed and can be hacked. Thus, putting backdoors into encryption will only make it easier for bad actors to access sensitive data. And even with its flaws, encryption works very well. Greene shared the example of how iPhones were repeatedly stolen years ago. After Apple began encrypting them, thefts decreased by 30 percent. If backdoors were put into the phones’ encryption, criminals could likely easily access the data for a relatively low price.
While many law enforcement officials see encryption as a tool to hide crime, Godwin believes this is nothing new. The invention of the telephone led to a new wave of criminal activity, since suddenly people could conspire without meeting in person. However, the government did not outlaw private phone calls; rather it quickly determined how to wiretap them. He stated that if law enforcement agencies are going to hack encryption, there will need to be the legal framework to do so. Greene also emphasized this, stating that hacking may be a better option that creating backdoors, since it limits hackers to only accessing specific endpoints or communications. However, she does not believe that it should be legal to hack any individual—each case will have to genuinely merit it.
Carter, on the other hand, stated that law enforcement should be able to access data in a more effective way without crossing any boundaries. To access data, law enforcement officials must go through extensive oversight to get a warrant. On the same vein, he doesn’t necessarily believe that law enforcement access equates to weak encryption. For example, Google has relatively strong encryption, but law enforcement can still get access to Gmail messages.
Carter argued that it will be necessary to establish a model for law enforcement to access the necessary data. Otherwise, the United States could fall behind other countries. For example, China forces technology providers to give data access to law enforcement. He believes that this could lead to weakened cybersecurity, since the United States does not have the same access. Stephanovich pointed out that other countries’ backdoor provisions are often based on the false assumption that the United States has one too.
Throughout the panel, participants emphasized the importance of technological education. Greene stated that citizens should be educated about the importance of their privacy to both national security and the economy, and they should push back against backdoor mandates.
Ultimately, smartphones hold vital, sensitive information about people—data that needs to be protected. Over the next couple of years, it will be imperative for lawmakers to figure out the right balance between innovation, privacy, and regulation.
Follow the conversation on Twitter using the hashtag #ITIFencryption.