Time for a serious talk about encryption

Federal Bureau of Investigation Director James Comey delivered a frank message to the Senate Judiciary Committee in July: criminals are increasingly using encryption to prevent law enforcement from monitoring their communications.  

Comey acknowledged that encryption “is a really, really hard problem” and did not press lawmakers for a specific solution.  But the clamorous response from many privacy advocates made it seem as though he asked senators to outlaw encryption.  Three months later, Comey told another Senate committee that the administration “has decided not to seek a legislative remedy now.” 

{mosads}Comey’s experience demonstrates that it is difficult for public officials to have a direct and fact-based conversation about encryption, lest they be painted as an enemy to privacy and civil liberties. But we need to continue the conversation that Comey began.         

Soon after the terrorist attacks in Paris, we learned the unsurprising news that law enforcement agencies believe that the attackers may have communicated with increasingly popular end-to-end encryption technology. 

We do not yet know the role that electronic communications played in the attacks, nor do we know whether encryption prevented law enforcement from accessing the communications.  

But one thing has become clear: we are in an age of coordinated terrorist attacks, when a small group of lunatics armed with guns, homemade bombs, and smartphones can cause simultaneous chaos and destruction throughout a city.  Our policymakers need to take a serious look at whether encryption makes it more difficult for law enforcement to prevent attacks.   

Although encryption is quite sophisticated and effective, it is not reserved for sophisticated technology wonks.  In fact, encryption is widely available to the masses and is the default setting on many new smartphone operating systems and apps.  

Here is how encryption has changed the landscape for some criminal investigations: typically, if a court grants a warrant, law enforcement can compel an Internet service provider, email service, or other telecommunications company to provide access to communications.   With encryption, the companies do not have access to this content, and therefore cannot provide it to the police. 

As encryption became more advanced – and widely available – police criticized the technology for preventing them from conducting standard criminal investigations.   Law enforcement agencies have advocated for a mechanism that would provide them – or the companies – with the ability to decrypt communications if they have a valid warrant. 

Apple, which has been an ardent defender of encryption, has pushed back vigorously on any “back door” to encryption.  At a speech to a privacy group in Washington, D.C. last June, Apple CEO Tim Cook said that weakening or eliminating encryption “has a chilling effect on our First Amendment rights and undermines our country’s founding principles.” 

Some proponents of strong encryption have suggested that back-door access would actually weaken national security if the encryption keys got into the wrong hands.  A July report by some of the world’s leading cryptography experts concluded that allowing such access “will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.” 

This should not be the end of the discussion about encryption.  To the contrary, there are a number of questions that policymakers, technology companies, privacy advocates, and others should be asking and answering.  

How often do criminals use encryption to circumvent law enforcement surveillance? Is it possible to access encrypted communications without a back door?  If there were a back door key, what would be the risk of it falling into the wrong hands?  Is it possible to address the issue through voluntary agreements, rather than legislation?  Would weakened encryption reduce public trust in new technology?  Could law enforcement and intelligence agencies obtain the information through other means?  

These are just a few of the many questions that we need to address, with urgency.  The encryption debate requires us to take a hard look at how we value both privacy and security. 

Even after these discussions, there will be great disagreement, among reasonable people. about where to go from here.  Policymakers may ultimately decide that the security benefits do not outweigh the privacy harms.  But divergent views are not a reason to punt on such an important issue.       

Kosseff is an assistant professor of cybersecurity law at the United States Naval Academy.  The views expressed in this op-ed are those only of the author, and not of the Naval Academy or Department of Navy.