The current controversy over encrypted communications and devices is the symptom of a larger security challenge, not a cause. As our society struggles to adapt to changing digital technology and the security implications of those changes, we should not let our recent focus on encryption of mobile phones blind us to larger issues at stake for digital security at the national and personal levels. How we resolve these issues will affect not only public safety and privacy, but also international competitiveness and global data flows.
Until lately, the iPhone dispute between Apple and the FBI was much in the news. Both parties addressed their arguments and concerns to the court of public opinion as well as the court in California. The crisis seems to have been averted … but only for the moment. While Congress approaches a recess break, now is not the time to put this conversation on hold.
The likelihood is high that issues of law enforcement access to data and extraordinary access to encrypted data will recur with greater frequency as the use of mass-consumer encrypted digital products expands. Following recent Islamic-State inspired attacks, we saw this play out both on the national and international level without any progress on addressing the issue at hand. We should only assume that future attacks will continue to focus attention on encryption issues.
Thus, while we have a brief moment to consider the matter without the pressure of a crisis, it is time to step back and weigh questions of public safety, privacy and civil liberties as best we can. But in doing so we should not let the narrow issue of encryption be the sum of our consideration – it is an important issue, to be sure, but part of a much larger picture involving security in the age of a globalized domain of data flows. Moreover, any decision made by the US will have implications for other countries such as Britain and China, and could very well set a precedent for addressing lawful data access.
In the Congress, House Homeland Security Chairman Michael McCaul, and Senator Mark WarnerMark Robert WarnerHillicon Valley — Presented by Connected Commerce Council — Incident reporting language left out of package Language requiring companies to report cyberattacks left out of defense bill Democrats see Christmas goal slipping away MORE from Virginia have introduced a bipartisan proposal to set up what they call a “digital security” commission. Other Members of Congress have set up an internal Congressional “working group.” Under both approaches, the intent is to take a step back and look more holistically at the benefits of encryption; at the ways in which encryption creates issues for law enforcement; and also at how the availability of encryption sometimes helps law enforcement.
Encryption questions are also closely linked to a host of other issues relating to how law enforcement may lawfully access digital data. These issues grow out of the very real technological transformation that is driving the digital economy. That new economy, in turn, is upsetting settled expectations about privacy, civil liberties, security, identity, and access. If we are going to consider creating a full-scale commission to examine these issues, then we should not limit our efforts to a single aspect of the problem as it would be a bit like asking the 9/11 Commission to look at only flight training restrictions – that’s a part of the problem, but not necessarily the most important one.
Here are just a few of the other issues that are tied to the fundamental question of change and are worthy, in my judgment, of plenary consideration:
- To what extent are American law enforcement agencies acting extraterritorially to secure digital evidence? Conversely, to what extent are American companies subject to extraterritorial investigative demands made by foreign law enforcement agencies? Is a system of mutual extraterritoriality in the broader interests of America and its allies or does such a system degrade digital security?
- To what extent are nations reacting to the globalization of the network by erecting trade barriers to global flows of data? To the extent they are, is the digital security of citizens enhanced by data localization requirements or is it degraded?
- To what extent is law enforcement leveraging digital technology tools to aid in investigations? Can more be done in a way that strengthens law enforcement’s ability to investigate crimes without harming the security of other users or consumers?
These are difficult questions of law, policy, and technology. Frankly, too much of the discussion has been obscured behind the veil of classification and technological ignorance. America will benefit, as a mature democracy, from a full, frank, open conversation. While many issues are likely to be capable of resolution, it may be that some issues cannot be compromised – they may present a binary choice. In that case, it is for Congress (and the American people) to make a fully informed choice. A broader inquiry into issues of digital security and civil liberties will enrich that debate.
Chertoff was secretary of Homeland Security from 2005 to 2009. He is now executive chairman of The Chertoff Group, a global security and risk-management firm with clients in the technology sector.