Encryption is not new. It was invented long before the internet – by 50 BC, the Romans had developed the “Caesar Cipher” (a type of substitution cipher) to secure the written notes that Julius Caesar’s messengers carried to and from the far reaches of the Roman Empire.
Jumping ahead a couple thousand years, we had the first “Crypto Wars” in the early 1990s, when the Clinton Administration released its so-called “Clipper Chip” proposal – an effort to convince telecommunications companies to incorporate an encryption chipset in their telephones and other devices with a “back door” that would enable law enforcement to access communications upon proper legal request. This proposal was widely criticized and ultimately abandoned. Later in the 1990s, as use of the internet continued to expand, the Crypto Wars again pitted the US government against the technology sector over the enforcement of export controls on mass-marketed encryption products for non-military application. These controls trace back to conflicts in the 1970s about whether IBM and DEC could export hardware and software with strong encryption, and academics could freely publish cryptographic research. The White House ultimately relaxed these controls in 1996 by moving encryption from the US Munitions List to the Commerce Control List.
Now, 20 years later, we have “Crypto Wars 2.0.” Just last month, in the shadow of Apple’s battle with the FBI over the San Bernardino iPhone, Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) released the Compliance with Court Order Act of 2016 (the “CCOA”). “No entity or individual is above the law,” declared Senator Feinstein. “The bill . . . simply provide[s] that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so . . . . We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”
“The CCOA is DOA,” commented a leading encryption supporter, Kevin Bankston of the Open Technology Institute. Indeed, privacy advocates across the board have come out against the CCOA, saying it effectively ignores the lessons of the first Crypto Wars. There are many strong arguments against trying to control encryption by fiat. Consider, for example, the July 2015 paper published by a number of the world’s top cryptographers, Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications, and the March 2016 paper issued by Amnesty International, Encryption: A Matter of Human Rights.
- In Keys Under Doormats, fifteen leading cryptographers, many of whom worked together 20 years earlier to oppose the Clipper Chip, argue that law enforcement’s current demand for “exceptional access” to private communications and data would “open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict.”
- In Encryption: A Matter of Human Rights, Amnesty International asserts that encryption is a “critical tool” for all defenders of human rights. “In the digital age, access to and use of encryption is an enabler of the rights to privacy and freedom of expression, information and opinion, and also has an impact on the rights to freedom of peaceful assembly, associations and other human rights.” Any restriction on encryption must be precise and transparent, used only when necessary to achieve a legitimate aim, and be non-discriminatory.
So who is right in this debate, and who has the stronger argument? Those who want to protect and strengthen the use of encryption, or those who want to restrict and weaken it? Do you line up with FBI director James Comey, who famously declared in October 2014 that “encryption threatens to lead us all to a very, very dark place”? Or the like-minded Cyrus Vance Jr., New York County District Attorney, who has repeatedly complained that encryption limits the capacity of law enforcement to investigate crime and undermines its efficiency in the fight against terrorism? Or, alternatively, do you side with Zeid Ra’ad Al Hussein, UN High Commissioner for Human Rights, who passionately argues that “encryption and anonymity are needed as enablers of both freedom of expression and opinion, and the right to privacy”? Or with cryptographers sympathetic to this position, who say that “exceptional access” rights could force a U-turn from best practices, substantially increase system complexity and create concentrated targets for bad actors?
Place this debate in the context of recent events, which both encryption supporters and critics draw upon in different ways to support their positions, and we truly have a perfect storm — the Snowden revelations about mass surveillance by the US NSA and the UK Government Communications Headquarters; the almost daily stories about large data breaches, hacked websites and identity and credit card thefts; and the many horrendous acts of terrorism in Paris, Brussels, Baghdad, Yemen and elsewhere. Although the CCOA has many detractors and supporters, this proposed legislation may now — quite appropriately — move the debate from the judiciary to the legislative branch of government.
Once again, the United States is at the epicenter of the privacy v. security debate. This seems an inevitable consequence of Silicon Valley’s lead in information technology and of the United States having had to respond to global terror attacks since 9/11/2001. The debate is carried out quite publicly in the United States, given the openness and transparency of its political and judicial process. However, the conflict is present in all jurisdictions, many of which have less stringent privacy protections against government surveillance than the United States, as our recent global surveillance survey shows. All companies around the world – technology providers and users alike – have to take a strategic stance and position their design and compliance programs to adapt to the crypto conflicts of a global economy, in which governments require encryption in products, demand decryption for their own national security purposes, and prohibit backdoors for other countries, friends or foes.