Washington – This week was a busy one for in the tech policy space, especially when it came to discussions of privacy and security. Yesterday there were two events with identical topics: the modern day revival of the “Crypto Wars” of 1990s.
The new Crypto Wars have developed out of recent remarks by a raft of government officials in the U.S. and abroad, beginning with FBI Director James Comey, but echoed by David Cameron, the Prime Minister of the United Kingdom, and Admiral Mike Rogers, the Director of the NSA. They call for a “conversation” about the widespread availability of secure, consumer-protective communications services because of the potential difficulty they cause governments in accessing private communications, and the adoption of legal requirements that would provide governments with a back door or “golden key” into encryption technologies. These remarks were largely spurred by the implementation of default strong device encryption by Google and Apple on the latest versions of their smartphone operating systems, which the companies are not able to bypass.
The events held by the Congressional Internet Caucus and ITIF yesterday were designed to foster that conversation between government and law enforcement officials and members of civil society and the tech industry. On the government side, ITIF’s event featured Michael Daniel, the White House Cyber Czar, while the Net Caucus panel included David Bitkower of the Department of Justice. Both panels shared Amie Stepanovich, Policy Counsel at Access, along with varying representatives of tech companies, lawyers, and academics.
The primary point of representatives of the law enforcement and intelligence communities seemed to be that, prior to any discussions about the practical feasibility or desirability of government access to secure communications systems and devices, society should have a policy discussion about whether strong, user-controlled encryption and backdoor-free communications should be available or widespread.
Michael Daniel mentioned that strong cybersecurity protections are important for individuals and industry. However, the prevailing government position remains that after weighing the tradeoffs, society should ultimately still come away with the determination that there should be requirements for either backdoors or compelled provider-aided access to electronic data or communications. They argue that the fear of “going dark” with respect to communications and other digital evidence for crimes ranging from child pornography to potential terrorism is already sufficient to outweigh the broad-based benefits of increased cybersecurity for citizens, consumers, and the global economy.
Of course, the tech industry and civil society representatives demurred. Three key points stood out, one of which directly countered the law enforcement premise that a policy discussion must precede a technical one. First, security advocates argued that strong encryption and secure communications systems are tools that the public should have the choice to use, absent pressure from law enforcement. In the face of increased trespass from hackers, identity thieves, stalkers — and indeed, the government — individuals demand more control over who can access their information, and when. Strong, backdoor-free encryption is one of the tools that they should be able to employ to protect themselves and increase the marginal cost of indiscriminate intelligence-gathering in a “golden age of surveillance.”
The encryption advocates also noted that a policy discussion premised on manipulating technology to allow for different levels of potential government access pursuant to lawful process should account for the technical feasibility of such backdoors or shared keys. There is also broad consensus among technologists that allegedly secure backdoors for lawful government use in complex systems rarely remain secure and instead become means for unlawful access by criminals or others inclined to misuse such access. These risks are not just theory — backdoors intended for merely permissible uses have regularly been breached to the public’s detriment in the past.
Lastly, the tech and civil society representatives pointed out that the imposition of backdoors or managed government access is not a conversation limited to domestic policymakers and law enforcement. The statements made by Administration officials have been mirrored by legal requirements for backdoors in tech products and source code disclosure in China, along with interference with encrypted VPN services used by journalists and activists. The government’s attempts to advocate for backdoors in the U.S., while simultaneously arguing that they stifle free expression and serve as transparent barriers to trade abroad, demonstrates an impressive, though untenable, cognitive dissonance.