Fears about allowing law enforcement to gain access to encrypted data for criminal investigations — that it would put us on a slippery slope to massive digital privacy intrusion — are well-intentioned, but misguided.
While Americans care deeply about privacy, we also expect law enforcement agencies to fully investigate and prosecute terrorist or other criminal activities. Faced with these expectations, law enforcement cannot simply give up on trying to acquire the data they need for criminal and terrorism investigations. They will need to find other means to access that data — data that a court has deemed important to an investigation.
Strong encryption is critical, and it is already used widely. But when technology companies design systems that don't allow them to comply with court orders, they are effectively telling law enforcement to up their game in hacking mobile phones or other devices on the growing network of the Internet of Things.
Law enforcement data retrieval efforts would then hinge on compromising user devices by secretly snooping for vulnerabilities and stockpiling exploits. This, in turn, would increase demand for software bugs, driving up the price of certain hacking services, and enticing more hackers to sell those services in dark markets rather than disclose vulnerabilities to technology vendors who would fix them.
Law enforcement being forced to hunt for more vulnerabilities and exploits is not the solution — it’s bad for everyone.
Not only is this a laborious and ineffective way of conducting investigations, but it would fuel the global cyber arms race, decrease transparency and contribute to a less secure and less private global Internet. And it would push investigative efforts into further secrecy, with less public scrutiny, oversight and accountability.
If Congress introduces legislation, it should require companies to maintain the ability to comply with court orders for data, but it should not dictate specific technical means such as the creation of a master key for law enforcement. Any legislation should also introduce additional protections to ensure that access cannot be exploited for malicious or unauthorized activities. In short, companies should be permitted to exclusively design and control how they comply, but not to decide whether they comply.
Could compliance with court orders lead to China and Russia demanding greater access to data? Maybe, but these countries don't need to wait to require concessions of technology companies in exchange for market access. According to reports, some U.S. tech companies are already complying with ominously vague security checks required by the Chinese government for products they sell in China.
Oppressive governments will never back down on domestic surveillance, but it’s the responsibility of companies that want to do business in countries with limited freedoms to figure out how to protect their customers there. This shouldn’t dictate how we investigate crimes against Americans.
Instead, the U.S. government and American technology companies can and should set an example for the world by partnering to establish a system that, based on a transparent lawful process, provides government access to critical information and strikes a reasonable balance between public safety, privacy and civil liberties.