Year of Encryption Redux

CSIS published “2014 as the Year of Encryption: A (Very) Brief History of Encryption Policy” more than a year ago. It turns out that 2014 wasn’t the year of encryption, but the issue keeps creeping up on us, so maybe 2015 will see more action.

The issues today are still the same ones that bedeviled encryption policy in the 1990s. Stronger encryption hurts collection by the FBI and NSA, but makes Americans safer from hacking. Somebody (hint to White House – that’s your cue) has to decide which set of risks is greater. The decision in the 1990s was that the US gained more by making Americans safer from foreign espionage and crime by encouraging the use of strong encryption than it lost in collection capabilities. That’s still the right decision.

The idea of a third party holding the encryption keys (in this case, the service providers) so that the FBI can serve a warrant is something I spent several years working on. Part of this involved interviewing many Fortune 500 companies to ask them what they thought about a third party holding the keys to their most sensitive information. Unsurprisingly, no one thought that was a good idea. That hasn’t changed.

In light of a new trend among technology companies to adopt stronger encryption by default, the FBI is interested in requiring that technology companies also hold keys if they offer encryption to users. This is important because if the company doesn’t hold the key, as some have promised, there is no easy way to decrypt the traffic. An alternative is to have a third party hold the keys, but this may cause fewer people to use encryption. 

That may be the goal in this debate, but it doesn’t answer the central question – are we better off making it harder for spies and criminals to hack Americans even if it makes the NSA’s and FBI’s jobs harder?

You might note that the Snowden revelations (he should change his name to Snowdenisovich in homage to his Russian sponsor) showed how NSA was able to successfully manage the threat to collection posed by the internet and publicly available encryption. I assume that they could do so again, although it would take time, and be harder and more expensive. That may not help the FBI, which can’t always use NSA-collected information, given its different evidentiary rules. 

You might also note that the security situation is very different from 1999, when we appeared to be entering a golden age of international harmony. The risk of damaging collection is greater now than it was then, but so is the risk of not blocking rampant espionage and coercion by foreign governments. It’s not an easy decision. For example, if you encrypt content, it makes collecting metadata more important. Encryption and surveillance are linked, and if you loosen up on one you have to compensate on the other. Terrorist groups will use commercially available encryption just as they use the internet. I still think it’s better to let people use strong encryption, but I also think it’s good to keep surveillance programs in place. Saying yes to the first and no to the second is asking for trouble.
