The Tech Side of the Encryption Debate
In the wake of the recent terror attacks in San Bernardino and Paris, national security and surveillance are back in the limelight, with encryption dragged along into the show. The arguments are nothing new — they haven’t changed since the 1990s — but the stakes are higher than ever.
We live an increasingly interconnected digital world, and encryption has the power to protect our privacy and security online. Government and law enforcement, however, have been stoking fears over the potential of encryption to create “dark spaces” online preventing them from tracking criminals and terrorists and hindering their ability to protect the American people from danger and terrorism. Nevertheless, the tech world knows that weakening encryption would introduce vulnerabilities into the Internet with severe ramifications for privacy, security, human rights, and the global economy.
Although the debate surrounding strong encryption is largely being waged in Western democracies, many of the beneficiaries of encryption technology live under despotic, authoritarian regimes. For dissidents in countries like Iran, North Korea, and Syria, encryption is a literally life-saving technology. Without the means to communicate and organize in secret, free from the prying eyes of oppressive security agents, lives in those countries would be even more endangered.
Here in the West, encryption is a means to curtail unwarranted and often extra-judicial surveillance of law-abiding citizens. The Snowden revelations made it clear just how far the U.S. government had gone in upending online civil liberties. American consumers, newly aware of the prevalence of government snooping, began demanding more security and privacy, and domestic tech firms responded.
In 2013, Apple began offering end-to-end encryption on iPhones that even it could not break. In 2014, Google turned on HTTPS — the hypertext transfer protocol that encrypts data in motion between the end user and recipient — by default. These decisions were responses to a government whose surveillance apparatus had run amok.
Is Encryption the Problem?
Federal Bureau of Investigation Director James Comey claims that parts of the Internet are “going dark” due to encryption, leaving law enforcement unable to listen in on suspected bad guys such as terrorists. There is little evidence that this is true. In fact, if one looks at statistics from the U.S. Federal Courts, quite the opposite appears to be true.
In 2014, judges issued a total of 3,554 state and federal wiretap orders. In only 25 of those cases was encryption even encountered. In only four of those cases was the encryption found to be unbreakable. In 2013, there were no cases of unbreakable encryption. Important to note is that despite the prevalence of strong encryption, law enforcement agencies can still circumvent online security through human intelligence operations, keylogger hardware installations, “black bag” operations, and good old fashioned police work.
In Western European nations, evidence for the Internet “going dark” is similarly scarce. As noted in a report from the European Parliament:
“[T]he use of encryption and anonymisation techniques does not impede criminal investigation to such an extent that extraordinary means, such as the imposition of backdoors to encryption systems, should be made available to law enforcement. Instead, it requires the availability or development of specific technical skills.”
Yet, despite the lack of evidence that law enforcement has been deprived of necessary tools or the ability to protect citizens, officials like Comey continue to cry foul on encryption, especially in the quest to hunt down terrorists.
The Power of Encryption
Encryption’s power to protect security and privacy online has made it part of the infrastructure of the Internet economy, but the economic ramifications of weakening encryption are generally overlooked. In a recent report from the Niskanen Center, a libertarian issue advocacy organization, I detailed a few of the many economic benefits of encryption. In short, everything from inter-bank transfer payments to online retail depends on secure encryption.
Without online security protocols, the global economy would be a mere shadow of its current self. Weakening encryption would mean fewer online transactions, diminished trust between producers and consumers, and reduced engagement in online spaces generally. It’s no wonder, then, that so many trade associations, commercial organizations, and technology and financial firms are so avowedly opposed to government proposals to weaken this marvelous technology.
The tech industry has moved toward incorporating strong encryption by default as a result of the 2013 Snowden revelations. Consumers demanded more privacy and security controls over their personal data, and tech companies like Google and Apple responded accordingly. The U.S. government, on the other hand, has been far slower to constrain the growth of the surveillance state.
The tech industry has taken a hard line on the issue of encryption. Tech CEOs like Apple’s Tim Cook are standing firm in their support of strong end-to-end encryption, and this is the type of positive intransigence we need from tech innovators, entrepreneurs, and startups everywhere. So long as tech companies refuse to give an inch of ground on the encryption issue, law enforcement and the administration will have no choice but to sue for peace.
Tech and Government Disagree
Indeed, Comey recently changed his tune on the “going dark” debate. Previously, law enforcement cast encryption as a technical problem requiring a bit more elbow grease from all those tech wizards out on the west coast. Now, the same side has reframed the issue as a “business model problem.” Apparently, the problem is not that security vulnerabilities introduced into encryption protocols would leave consumers unprotected by malicious hackers. Rather, the alleged problem is that tech companies offer consumers the protections of encryption at all. In Comey’s ideal world, Apple and Google wouldn’t be allowed to give their users the ability to use end-to-end encryption.
The policy wish-list of law enforcement regarding the encryption of communications in transit is just as alarming. Backdoors can be mandated in proprietary code, but there are many open source libraries (openSSL, NACL, Bouncy Castle, etc.) that are available free of charge, as well as strong encryption produced in foreign jurisdictions.
Since it would be impossible for the government to stop people from using these sources of strong encryption, the U.S. government’s best option for cracking down on encryption would be to create a regime of intermediary liability, whereby Google and other tech firms would be forced to act as gatekeepers to the Internet by being made legally responsible for their users’ actions. As Jonathan Mayer detailed in an April 2015 post, such an approach would simply be untenable.
Although many policy debates involve compromise and nuance amongst stakeholders, the issue of encryption is a clear black and white issue in the tech industry. For tech startups, as well as established firms, a unified position defending encryption is the only viable solution for ensuring that users benefit from strong privacy protections, robust security, and continued growth of the online economy. Politics is the art of the possible, and while concessions in policy debates are often necessary, the issue of encryption is one in which a redline must be drawn: no security vulnerabilities, no government-mandated key escrow systems, and no backdoor access.
Support for strong encryption is support for a strong economy, a robust online forum for debate and discussion, and, in many cases, protection of the lives of citizens the world over.