What Americans Need to Know About the Encryption Debate
Should private companies that provide users with encryption technology be required to assist law-enforcement and intelligence services to defeat that technology? This question is a more pressing one in the wake of November’s Paris terrorist attacks. But it is a very tough question that has vexed both the government and providers of communications services for years.
Part of what makes it so difficult is the new facts of life. As I noted during the debate over the NSA’s bulk-collection of telephone metadata, we are operating in a political environment that is night-and-day different from the aftermath of 9/11. Back then, a frightened public was demanding that the government do a better job of collecting intelligence and thwarting terrorist plots. Of course that sentiment was driven by the mass-murder of nearly 3,000 Americans, coupled with the destruction of the World Trade Center and a strike against the Pentagon. But it also owed in no small measure to the fact that government had done such an incompetent job gathering and “connecting the dots” prior to the attacks. There was a strong public sense that intelligence agencies needed an injection of muscle.
Today, the public’s sense tends in the other direction. There have been spectacular abuses of government power (e.g., IRS scandal), and intrusive security precautions infused by political correctness (e.g., airport searches). Americans understandably suspect that government cannot be trusted with enhanced authorities and that many of its tactics are more about the appearance of security than real security.
It is, moreover, no longer sufficient for the national-security right to posit that security measures pass legal muster. The public wants proof that these measures actually and meaningfully improve our security, regardless of whether they are justifiable as a matter of law.
This makes it a very uphill environment in which to suggest, as FBI Director Jim Comey has recently done, that communications providers should provide the government with keys to unlocking their encryption technology – encryption-key repositories or what is often called “backdoor” access.
The problem is that encryption technology has gotten very tough to crack and very widely available. Consequently, if terrorists or other high-level criminals are using it to carry out schemes that endanger the public, government agents cannot penetrate the communications in real time. That they have a legal basis to conduct surveillance is beside the point; all the probable cause in the world won’t help an agent who lacks the know-how to access what he’s been authorized to search.
At the excellent Lawfare blog, there is a good piece by Matt Waxman (a Columbia law prof and former government security official) and Doron Hindin (an expert in Israeli security law now studying at Columbia) on how Israel regulates encryption. What is most interesting about it is that while Israel has extensive laws requiring business to cooperate with the government, the system is marked by lax enforcement; yet, it appears to work well nonetheless.
Why? Because there is no real doubt about the existential threat Israel faces; there is a generally good relationship between the government and hi-tech innovators (many of whom served in military intelligence); and the reasonable enforcement of the law promotes collaboration.
To grasp how comparatively antagonistic the relationship between government and enterprise has become in the U.S., one need only look at another Lawfare report, involving a federal case in Brooklyn. The government is attempting to compel Apple to decrypt a secured iPhone under circumstances where a court has authorized a search but the agents can’t crack the code. Apple is objecting.
The judge, though apparently sympathetic to the company’s position, seems irked that Apple has suddenly become recalcitrant despite a history of cooperation (compliance with 70 similar requests since 2008, according to the Justice Department). Lawyers for the company explained, “Right now, Apple is aware that customer data is under siege from a variety of different directions. Never has the privacy and security of customer data been as important as it is now.”
That is, Apple has changed its position because the public has changed its mood. Whether justified or not, the libertarian narrative that government is as much to be feared as the threats from which it seeks to protect us has traction.
I’ve known Director Comey for many years and I have great respect for his judgment. There is also no gainsaying that intercepting terrorist communications in real time greatly increases the government’s chances of preventing attacks. That said, for practical and legal reasons, I have never been a fan of the notion that technological progress should be the slave of government’s monitoring capabilities.
Many libertarian friends have been cross with me over my defense of NSA surveillance on the ground that there is no constitutional privacy right in the property of third parties (phone usage records belong to the telecoms, not the customer). I am similarly unmoved by the claim that, just because a court may lawfully authorize a search of property, the government must be given the tools to search it no matter whose property those tools are. There is nothing in the Constitution that supports this proposition, and history is to the contrary: when wiretapping began, government had to develop the capacity to penetrate then-existing technology – there was no expectation, let alone requirement, that the phone company had to help government trespass on its lines.
Over time, this has changed because of statutory law, which has long required phone companies to cooperate in surveillance. In part, this development rests on the theories that the telecoms are public utilities, and that with the duty to serve the public comes the obligation to help law enforcement police the utility. Plus, since the companies own the lines, there is an argument that they are knowingly facilitating crime if they are aware criminals are exploiting their property but they refuse to take steps to stop them.
Still, even if I agree that the telecoms have a legal duty to stop the criminal use of their facilities, I’ve never been persuaded that this creates a government power to coerce the companies’ assistance in law-enforcement or intelligence operations. Both Congress and the Supreme Court, however, have endorsed this concept – in the wiretapping and pen-register statutes, for example, and in such cases as United States v. New York Telephone Company (1977).
As the aforementioned (and, at the moment, unresolved) federal case involving Apple shows, encryption and modern sensibilities are challenging these theories. As Judge James Orenstein has pointed out, distinguishing Apple from the phone company, “Apple is not a ‘highly regulated public utility with a duty to serve the public.’ It is a private-sector company that is free to choose to promote its customers’ interest in privacy over the competing interest of law enforcement.” Notice the perception here: government is seen by many law-abiding people as a threat rather than as their protection from threats. We can argue about whether this is an overreaction to government abuses and missteps; we cannot credibly claim, however, that it is not a concern that many people have – and are entitled to have.
In any event, practical issues make these legal considerations almost beside the point.
We are now in a global communications market that the United States government is not capable of regulating. Even if Congress could be persuaded to legislate a demand that private companies enable government to decrypt any encryption technology they sell – something that lawmakers have declined to do and that would doubtless prompt a vigorous legal challenge – Congress has no power to impose such a requirement on foreign companies, much less on other foreign actors, like terrorist organizations, who might be capable of fashioning their own encryption technology. So the mandate would be easily circumvented by bad actors while putting American companies at a competitive disadvantage in marketing products to law-abiding people worried about privacy.
Moreover, any backdoor open to our government could also be exploited by anyone else with technical capabilities – foreign intelligence services, tech-savvy terror networks, sophisticated criminal enterprises, etc.
Finally, even without cracking the code, government has other investigative techniques, such as lawfully hacking into suspect computers (with appropriate judicial warrants, of course). Agents could thus (a) obtain the decryption information, or (b) read the communications before they are encrypted or after they are decrypted.
None of these alternative techniques is as good as being able to read communications in real time. Let’s say a terrorist attack occurs, and it is later shown that the FBI tried but could not conduct effective surveillance because of encryption technology and a lack of corporate cooperation. Under those circumstances, there would undoubtedly be a push for Congress to enact laws that force private tech companies to assist the government – even if libertarians colorably argue that such laws would be ineffective.
I think it is very likely that Congress would enact such laws, probably with a short sunset (say, three years). But unlike the post-9/11 period, it is no sure thing.
Rightly or wrongly, the public has grown wary of government. In the surveillance area, I believe the public is mostly wrong: as I’ve long argued, layers of judicial and legislative oversight were built into surveillance programs, and while some excesses have occurred, they are not in the same league as unilateral executive branch abuses of power that have occurred at the IRS and the Justice Department in the Obama years.
But it doesn’t matter what I think. The fact is: public attitudes have changed. People would demand a cogent, fact-based explanation of how new laws giving government more power would actually enhance public safety. If that explanation is unsatisfying, these laws will be short-lived – if they are enacted at all.