Breaking the encryption impasse
The debate about encryption is stuck in a long battle between one camp arguing that access to encrypted data is essential for law enforcement and another camp arguing that encryption is necessary to protect against cyber espionage and to enable individuals to safeguard their information. The debate also does not seem to move forward. Just like in the 2016 San Bernardino case, the Justice Department is pressing Apple to provide the data from the two iPhones belonging to the Saudi lieutenant who acted as the gunman during the shooting at the Pensacola naval base last month.
The debate has received attention over the plans by Facebook to expand encryption of user messages, a policy that the FBI director referred to as a “dream come true” for child pornographers. But the new Pensacola case again raises the issues from the San Bernardino mass shooting. The law enforcement argument is best understood through the positions of the Justice Department and the FBI, which have been fighting a losing battle against the use of end to end encryption, security that ensures only the sender and receiver can read the message. The Justice Department and the FBI want such encryption banned, replaced by “exceptional access” systems allowing law enforcement with a warrant to read the messages.
On the other side of the argument in the encryption debate are primarily civil libertarians and cybersecurity experts. The problem they see is that “exceptional access” would decrease broader cybersecurity. Computer security experts argue that if you make it easy for law enforcement to get around encryption, this makes it easy for the bad guys, such as malicious hackers, foreign nations, criminals, and spies, to also do the same thing.
While we have started on different sides of the argument, we have both long recognized the need to find a critical path forward. Earlier this year, we convened a working group of former law enforcement and national security officials, civil society organizations, business representatives, and academics to work together on finding practical and useful solutions that acknowledge the importance of the two dimensions of national security.
What we found, through months of meeting with experts on both sides of the argument, is that we have been thinking about the debate the wrong way. We started our initial working group meeting by throwing out two strawmen. First, we should stop seeking approaches to enable access to encrypted information. Second, law enforcement officials will not be able to protect the public unless they can obtain access to all encrypted data. Once we changed the nature of the debate, we found a lot of agreement.
We agreed that proposals should address a legitimate and demonstrated law enforcement problem, that solutions should not make disparities in law enforcement worse, and that it should not be possible to repurpose “exceptional access” solutions into mass surveillance tools. We agreed that these tools should not appreciably decrease public cybersecurity, and that use of the capability should be documented and reported in a way that enables public oversight. By far the most promising path for the current debate was focusing on law enforcement access to data at rest.
By putting aside the more controversial debate about data in motion, or information being passed between two devices on an encrypted platform, and focusing on a conversation about data at rest, or information stored on a particular device, allowed us to find a more pragmatic way to address the concerns of both privacy advocates and law enforcement. This was an important starting point, and while we did not conclude with an agreed upon proposal, we were able to make progress. Embracing this approach could help move this entrenched debate in a more constructive direction.
One thing we did manage to all agree on is that no single approach will solve every problem when it comes to the encryption debate. It is now well past time to rethink the belief that solutions are impossible and that encryption means law enforcement officials cannot do their jobs. So by breaking the debate down into its component parts and looking at points of agreement, there is a path toward a more fruitful and more civil debate.
Denis McDonough is a visiting senior fellow at the Carnegie Endowment for International Peace and a former White House chief of staff. Susan Landau is the Bridge Professor in Cyber Security and Policy with Tufts University.
The Hill has removed its comment section, as there are many other forums for readers to participate in the conversation. We invite you to join the discussion on Facebook and Twitter.