A debate is currently raging between FBI Director James Comey and much of the technology community over whether law enforcement should have some sort of special access, which has been called a backdoor, into encrypted communications and data.[1] In this “Crypto War,” the FBI contends that special access is needed to access the communications and data of criminals and terrorists. However, many in the technology community argue that this will undermine the cybersecurity of all communications and will not work because some users will find alternative services to encrypt their communications.
Given these constraints and competing security demands, no decision on special access will satisfy legitimate but competing interests. Heritage scholars have long supported the use of lawful tools by law enforcement and the intelligence community in order to keep the U.S. safe, but we cannot ignore technological advances. The case for special access by law enforcement to encrypted materials is one with noble objectives and intentions, but the reality is that technology has changed as to make this policy detrimental to cybersecurity and data integrity, with no guarantee of success. Given these cybersecurity realities, the U.S. should not require technology and communication companies to provide law enforcement with special access to encrypted materials.
Encryption 101
Encryption is the process by which data, be they words, numbers, photographs, etc., are coded so that anyone who acquires the data is unable to read it without knowing and then applying the algorithm that was used to encode it. Encryption has been used since ancient times as messages were written in a code that only someone with the key could decipher. More recently, in the 1840s, Samuel Morse developed a code (which bore his name) that assigned a set of dots and dashes to each letter of the alphabet and then was used to transmit messages across telegraph lines. The universal international distress signal for ships, SOS (“save our ship”) was expressed in Morse code as ••• ——— •••.
As computers advanced, so too has the ability to create ever more complicated codes, effectively surpassing the ability of decryption techniques to break an encryption. This point is important to emphasize as it is a dramatic change from the past. Today, properly encrypted data cannot be cracked, at least not efficiently enough to be of use in a criminal or terrorist investigation.[2] Director Comey recently agreed, stating, “We cannot break strong encryption.”[3]
Encryption can be used to ensure that communication between two parties is protected or to protect data at rest, that is, data residing on a hard drive. Many communications and technology firms may encrypt users’ communications that pass through or reside on their servers, but the firms hold the key to decrypt the data. With end-to-end encryption, though, only the computers at each end of a communication have the encryption keys and only they can read the messages, with the service provider itself unable to read the data.
What the FBI Wants and Why It Is Problematic
The FBI wants some sort of special access to encrypted systems, which will give law enforcement access to a master encryption key (or keys) needed to decrypt data residing on or passing through a system. This special access creates a single point of vulnerability into systems, exactly what organizations and individuals are increasingly trying to avoid. According to a recent report produced by encryption experts, special access not only undermines the confidentiality of data, but also its authenticity, i.e., hackers who acquire the master keys would be able to forge communications and make them look legitimate.[4]
At the crux of this debate is the fact that special access provided to law enforcement undermines the security of systems. If true, then this is a zero-sum situation: Either cybersecurity is paramount or law enforcement gets special access to catch bad guys. That said, legitimate questions have been raised about just how absolute is this trade-off. Brookings Institution scholar Ben Wittes points out that Google “retains the ability to decrypt Gmail and Gchat communications for its own business reasons; that’s how it routes you ads based on the contents of your material. To my knowledge, Google does not take the position that this service is insecure, nor do I know of any particular security issues that have arisen as a result of it.”[5] Is Google currently less secure than an amateur’s end-to-end encryption?[6] The security vulnerability resulting from special access is one of the fundamental points in this debate, and technologists should clarify the reality of that vulnerability.[7]
Even if Congress mandates some sort of special access, there is no guarantee that it would be the effective solution law enforcement wants, since criminals and terrorists could just buy different products that do not have a backdoor. American-based Apple and Google may be required to provide special access, but what about a company outside U.S. jurisdiction that sells end-to-end encryption communications applications? Will the United States try to ban them on the app stores for iTunes and Google Play? Will we ban the import of encryption technology and search for such technology at U.S. ports of entry to ensure forbidden applications are not smuggled into our country? Will the United States employ a national firewall, similar to China, to block the downloading or use of such applications?[8] The answers to these questions should be “no,” as we cannot prevent the spread of this technology and it would be futile to try. Some criminals and terrorists will not use encrypted technologies, but others will.
Adapting to Change
In light of these realities, Congress should not support special access for law enforcement. The current debate indicates that such access will substantially weaken cybersecurity and incent criminals and terrorists to switch from U.S. applications to foreign ones. Former intelligence and homeland security policymakers also have concluded that.[9] The only circumstance under which special access should be considered is if it can be done while maintaining an extremely high level of security. Different potential solutions that have been suggested include:
- Biometrics. The use of encryption with a biometric lock provides decent protection for the decryption key. This allows law enforcement to break an encryption through direct interaction with the individual being investigated or charged.[10]
- Dividing the law enforcement key among several organizations.[11] This was a solution proposed by Admiral Michael Rogers, the Director of the National Security Agency, which ensures that no one person or agency can decrypt data. While breaking up the key may improve some aspects of security and privacy, it will likely introduce additional complexity and vulnerabilities to the encryption process. It is also unclear how communication across different countries would work.[12]
- Requiring that any potential solution be publically and extensively tested. Rather than develop a specific solution, perhaps a good compromise would be to require that any potential solution be made publically available and tested for a year. If it cannot be cracked, then it can be used for special access.[13]
This list is not exhaustive nor are its proposals perfect. Technologists and policymakers alike should explore other proposals. Further investigation of the issue could reveal that large technology service providers like Google are able to securely hold the special access keys, making law enforcement special access to encrypted communications possible without jeopardizing the security of that data. Until this is determined or other solutions present themselves, however, the cybersecurity stakes are too high to provide special access.
Setting a high bar for special access means that law enforcement and the intelligence community need all other lawful tools at their disposal to track and prevent threats to the United States.[14] Given the growing threat of terrorism, these tools are needed now more than ever.[15 ]
Special access to encrypted systems and communications, however, cannot be one of those tools, at least until the security of such access is assured. The United States can and should see if it is possible to maintain both cybersecurity and special access. In the meantime, one of these important priorities has to give. Keeping the U.S. homeland safe and secure from multiple, dynamic threats is not easy, but policymakers should err on the side of not providing special access, while providing our defenders with all other lawful tools.
—David Inserra is a Policy Analyst for Homeland Security and Cyber Policy in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Paul Rosenzweig is a Visiting Fellow in the Davis Institute. Charles D. Stimson is Manager of the National Security Law Program and Senior Legal Fellow in the Davis Institute. David Shedd is Visiting Distinguished Fellow in the Davis Institute. Steven P. Bucci, PhD, is Director of the Allison Center.