Encryption Nightmare: The Sequel

In the latest example of Washington emulating Hollywood, the Department of Justice and some members of Congress have been rolling out a sequel to a 1990s encryption horror movie.

First, Attorney General William Barr attacked Facebook and Apple, casting them as the villains, claiming that providing end-user encryption would protect child traffickers, molesters and pornographers as well as terrorists, money launderers, and drug dealers. Next, the Department of Commerce hosted an invitation-only meeting on Nov. 12, 2019, with trade association representatives to discuss lawful access to encrypted information. Finally, just last week the Senate Judiciary Committee held a hearing at which several senators excoriated the two companies for refusing to design and develop products that would allow law enforcement access to user data when investigating crimes. Chairman Lindsey Graham bluntly warned that either the companies would find a way to do so or the Congress would do it for them.

We have seen this movie before – and it didn’t play well then either. Once the exclusive province of the military, strong encryption has proven to be a fundamental building block of the Internet economy, e-commerce and privacy in the digital age. Nevertheless, it took a decade-long fight in the 1990s to liberalize export controls and prevent domestic controls on American encryption products. Time and again, encryption proponents had to explain that the security benefits of encryption far outweigh its costs.

Yet law enforcement agencies have periodically gone public complaining that their inability to access encrypted information is impeding vital investigations. In a “trailer” for the current release, in 2006 Attorney General Alberto Gonzales decried the difficulties of prosecuting child pornographers, convened a conference of tech companies, and demanded that they build in law enforcement access to their products.

In 2014, Attorney General Eric Holder similarly convened the Global Alliance Conference against Child Sexual Abuse Online and argued that encryption and other technologies were creating safe havens for sexual predators online. The DOJ argued then (as now) that new tech was creating opportunities for these predators to befriend and victimize children online. The solution was the same: force companies to weaken encryption by creating a “front/back door” in their hardware or software for law enforcement to gain access to the data passing across the platforms.

No one disputes that encryption can and does make law enforcement’s job tougher in some cases – although it has been shown repeatedly that it makes the job much less difficult than is claimed because there are other ways to get needed information or pursue a prosecution. More importantly, each time the idea of weakening encryption has been raised, a broad range of information security professionals and privacy advocates has pointed out the impossibility of building in access just for law enforcement without also making such products more vulnerable to malicious attacks.

At a time when America’s information and infrastructure is increasingly under attack, with data breaches an everyday occurrence, we need more encryption, not less. The U.S. government cannot protect the information it holds (e.g. the Chinese hack of 22 million Office of Personnel Management files) and the private sector needs to do much more as well (estimates are that more than half of U.S. citizens’ information has been compromised). The key point is that if the underlying information is encrypted then it doesn’t matter if a foreign adversary or competitor obtains it – it cannot be accessed.

It used to be that Hollywood released its movies in the United States first and then distributed them abroad. But, anticipating a poor domestic audience, this encryption sequel has opened overseas. Australia and the United Kingdom, two countries privileged to participate in the “Five Eyes” global surveillance network, have at the U.S. government’s urging already adopted measures enabling greater restrictions on the use of encryption. Now, the DOJ cites them as a reason for doing so in the United States as well.

This encryption sequel offers nothing new. But perhaps the plan is to catch the private sector napping in the audience – which could lead to a dramatic and not-so-happy ending.

Bruce J. Heiman is a partner in the global law firm K&L Gates; for 30 years he has helped lead the effort to ensure that strong encryption is available, representing Americans for Computer Privacy and a number of other associations and companies.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult