Deciphering the Encryption Debate
Sofia Lesmes, Kathryn Waldron / Oct 18, 2021
Governments worldwide are pushing for access to encrypted messages. The Five Eyes alliance—including the United States, via the Department of Justice—along with other nations such as India and Japan, are advocating for domestic backdoor channels. Meanwhile, recent revelations about the NSO Group exposed that countries like Hungary, Mexico and Saudi Arabia have relied on Pegasus spyware to track communications. The Indian government has been feuding with developers of messaging apps like Signal on this very issue, as companies push back against those arguing for weaker encryption.
Events like these lead us to ask why we are still stuck in the debate frame of “security versus privacy.” Conceptualizing the argument in this manner has stymied progress toward a solution. As we articulate in our recently published study, if policymakers and other parties actually want to reach effective solutions, they need to change the contours of this debate.
To do that, it’s important to acknowledge how we arrived at this binary view. In the United States, this debate didn’t just spring up fully formed—it was molded over time by events like the controversial 1990s Clipper chip debate and the 2015 San Bernardino terrorist attack investigation. Coupled with changes to societal attitudes, such as the “Snowden effect” after the National Security Agency (NSA) spying revelations of 2013, these events have resulted in the emergence of two rival camps: security advocates and privacy advocates. The former cite a need for authorities to access encrypted communications to combat terrorism and child sexual predation—the base position of the U.S. government. The latter guard against the infringement of civil liberties and privacy.
Why can’t the two agree on a backdoor that only law enforcement can access? Security advocates support this as a way to better intercept illegal content—some of which can go unnoticed through encryption. Conversely, privacy advocates are wary of the long-term implications of giving law enforcement special access to encrypted communications.
The Pegasus debacle is just the latest reminder that you can’t realistically keep technology solely in the hands of the good guys. NSO Group’s part in surveilling close associates of murdered journalist Jamal Khashoggi reveals how dangerous it is when governments that pay only lip service to civil rights obtain these types of technology. Even though some law enforcement bodies in democratic governments pushing for weakened encryption are well-intentioned, it would be foolish to assume these vulnerabilities would only be used in a legitimate manner.
Further exacerbating the issue is blurry rhetoric. Technologists, law enforcement, civil rights activists and policymakers—all stakeholders in the encryption or “going dark” debate—use different terminology and unique jargon, making it easy to speak past one another. Even common terms like “backdoor” and “cybersecurity” lack consensus in the encryption policy context, barring productive dialogue. We should acknowledge, as the Cyberspace Solarium Commission did, good intent on both sides, and ask a different question: how do we bridge these different perspectives on data security?
Overly simplistic framing allows policymakers to gloss over the larger problem: our country lacks a holistic government approach to cybersecurity policy. With new paralyzing ransomware attacks popping up regularly, the reality is that the security provided by strong encryption is too vital to our national and personal security to undermine.
A few action items will help: coordinating a holistic government approach; creating a statistical agency for cybersecurity; and agreeing on terminology. Take the nascent National Cyber Director (NCD), for example. The director’s office—tasked with coordinating cybersecurity efforts across the U.S. government—could synchronize encryption stances to produce a holistic approach. Indeed, the NCD has recently expressed his support for creating a national mechanism—a Bureau of Cyber Statistics. In the encryption context, this Bureau would parse information about encryption’s role in defending from intrusions. But none of this can happen without tweaking normative perspectives on encryption policy—especially if we continue to see the debate as law enforcement interests against those of privacy advocates.
Our encryption debate has settled almost exclusively into two battling camps—but if we want to come up with new solutions, we need to start thinking about the issue through a new lens. Only then can we start making our nation more secure.