The following is excerpted from The Ground Truth About Encryption and the Consequences of Extraordinary Access, a recent whitepaper by The Chertoff Group, examining the current legal, technical and policy debate in America relating to the question of whether governments may lawfully access digital communications and digitally stored data.
Jim Pflaging, The Chertoff Group’s global lead for its technology sector and business strategy practice and a contributor to SecurityRoundtable.org, will discuss the topic as part of a panel at this week’s Fraud & Breach Prevention Summit in San Francisco. Join Jim and other industry experts for The Apple vs. FBI Crypto Debate at 4:05 p.m. PT at the Hilton San Francisco Financial District, Wednesday, March 23.
We are in the midst of a significant legal, technical, and policy debate in America (and around the globe). The question is whether governments may lawfully access digital communications and digitally stored data. The question manifests itself in many ways, ranging from the extraterritoriality of legal process to requirements for data localization.
One of the most prominent aspects of the debate pertains to the changing nature of how users and service providers encrypt data. For this white paper, the word “encryption” is defined as the encoding of data or information in a way that is intended to prevent access to that data or information by persons or parties whose access is not authorized by the creator of the data.
The outlines of the issue are clear. For years, most users kept their data on their own local devices (smartphone, tablet, laptop, etc.) in an unencrypted form. Others backed up their data using cloud storage service providers – providing the user with easy access but also allowing the cloud storage provider to access the data, both purposefully (for business reasons) and, as more relevant to our discussion, under compulsion of law.
Most users sent messages to friends and colleagues in unencrypted or readily decryptable formats. As a result, under the status quo of five years ago, a government could readily achieve lawful access (that is, purposeful requests to access data as part of an investigation, made by law enforcement and subject to a judicial or administrative authorization process, according to an established rule of law) to unencrypted data related to its inquiry – by accessing the data on the user’s local device, by accessing it in cloud storage, or by intercepting the unencrypted communication while in transit.
Two developments in the last year or two are rapidly changing that reality:
- First, device manufacturers are adopting operational systems that have changed the default local encryption setting from “off” to “on.” In other words, data on local devices was previously stored in an unencrypted form unless the user manually chose to enable the encryption option, but now the converse will be true – affirmative action by the user is necessary to store data in an unencrypted form.
- Second, service providers are taking steps to offer users products that automatically encrypt data stored in cloud storage systems and messages transmitted to other people in a manner that cannot be decrypted by the service providers. Put another way, service providers are offering products that prevent them from being technically capable of responding to lawful government demands as they cannot turn over data they do not possess.
To some degree, these changes are a natural technological evolution. They are also a response to pervasive concerns about the insecurity of cyber systems and to the business necessity of distinguishing commercial products from governmental activity. Whatever the reason, the upshot of these two trends is of growing concern for law enforcement and other government agencies that are systematically losing access to data and information relevant to criminal, national security, and counter-terrorism efforts.
As a consequence, some in the community, most notably the Director of the Federal Bureau of Investigations (FBI), have called for new laws or policies that restrain, limit, or even reverse the underlying technological trends.
This white paper finds the following as anticipated consequences that might arise from mandating lawful access to encrypted data for American encryption products:
- We should not overstate the practical significance of any decision the U.S. might make. It is uncertain that authoritarian nations (e.g. China or Russia) will forgo implementing an encryption access requirement simply because the U.S. chooses not to (or vice versa)
- It is possible (and perhaps even highly likely) that mandating exceptional encryption access would hinder or damage innovation in the U.S. encryption technology market. It may also restrain innovation in related U.S. security technology markets
- Adoption of an American encryption access requirement may result in adverse collateral effects, decreasing law enforcement’s investigative access to metadata and hampering the competitiveness of American businesses and U.S. national security; and
- Efforts to constrain encryption through forms of extraordinary access will inevitably introduce vulnerabilities into the security of consumer products in ways that are likely to have adverse long-term effects on the security, privacy, and civil liberties of citizens.
Read the full whitepaper from The Chertoff Group here.
Subscribe to SecurityRoundtable.org to receive the latest from our contributors.