Undermining Encryption

Ryan Radia discusses the problem with encryption restrictions in RealClear Policy:

For most Americans, communicating over the Internet has become routine. We now correspond electronically with colleagues, loved ones, friends, and even doctors on platforms ranging from e-mail to Snapchat. But criminals have followed us online, and cyber-attacks are reported almost daily. Efforts to safeguard our digital data from bad actors can seem futile.

Fortunately, technology can dramatically reduce the risks we face from hackers, identity thieves, and even foreign spies. But some top government officials want to undermine a crucial security technology: encryption.

Encryption translates valuable information into seemingly meaningless gibberish that can be decrypted only with a private key. E-commerce websites have long used encryption to prevent criminals from swiping their customers' credit-card information as it travels between computers. More recently, an encryption protocol called HTTPS has taken off, making it much harder to snoop on our browsing habits.

Encryption does more than protect information as it traverses the Internet; it protects it on the devices we use every day. A typical smartphone now contains powerful processors that can quickly encrypt and decrypt data. Losing a phone or laptop no longer means worrying about who might misuse the private information stored on it — assuming the device was properly encrypted, meaning users must enter a passcode before each use.

However, some government officials claim that encryption helps criminals break the law with impunity. In a world of ubiquitous encryption, the argument goes, police will no longer be able to quickly search a suspected drug dealer's smartphone to find the identity of his supplier. Instead, police may need a passcode before they can access information on the device. A similar challenge exists on the Internet, where a growing number of "zero-knowledge" services host encrypted data that cannot be decrypted without the user's key.

Federal Bureau of Investigation director James Comey is perhaps the nation's leading critic of encryption. In numerous speeches and hearings, he has argued that when the police encounter encrypted data on a suspect's smartphone or online account, they often can't get the information they need to prevent crimes or catch criminals. Therefore, Comey has implored companies such as Apple and Google to design their platforms to ensure law enforcement can access a user's data even if she won't divulge her passcode.

So far, major tech companies have resisted these demands — and for good reason. Today, an encrypted iPhone or Android device is typically accessible only with the user's passcode; neither the company behind the platform nor the wireless carrier holds the key. Introduce a mechanism for law enforcement to get around encryption, however, and it's all but certain that hackers, criminals, and spies will soon figure out how to exploit the same mechanism.

Instead of pressuring companies to "voluntarily" redesign their devices and platforms, the administration should welcome the adoption of strong encryption — especially within government agencies, many of which have yet to encrypt sensitive files. Even a modest flaw can render a form of encryption practically useless, as the Allies proved during World War II when they cracked Nazi Germany's Enigma machine codes. Given the mounting cybersecurity threats we face, is this really a tradeoff worth making?

Aside from a handful of anecdotes, law-enforcement officials have shown scant empirical evidence that encryption is meaningfully frustrating criminal investigations. Even if encryption were to become a serious roadblock, there are alternatives to weakening encryption. For example, Congress could consider criminalizing a person's "willful refusal to comply with a decryption order," as law professor Orin Kerr has suggested.

Thankfully, encryption supporters have pushed back on this issue with some degree of success. As the Washington Post recently reported, the Obama administration has declined to push for a law to force companies to decrypt user data — for now. Yet the administration will continue its "conversations with industry," according to Comey — so the prospect that officials will continue to strong-arm companies to weaken their encryption behind closed doors remains likely.

Instead of imagining a worst-case scenario where criminals can wreak havoc with impunity, law enforcement should use the myriad tools it already possesses to investigate and prosecute criminals. Meanwhile, the government should leave encryption alone.

Originally posted at RealClear Policy