On Oct. 4, Attorney General William P. Barr wrote a letter to Facebook with counterparts from Britain and Australia calling for the company to halt plans to implement strong encryption across all of its messaging services. This is the latest episode in the long-running debate over government access to encrypted data. Beginning in the 1990s with the introduction of strong encryption software such as Pretty Good Privacy, the United States government and governments around the world have fought for “backdoors” in encryption. A U.S. proposal for a universal backdoor was defeated in the ’90s, but as the Snowden leaks showed, the government’s public defeat only made it pursue a backdoor covertly. The U.S. government used a combination of secret hacking, coercion and subversion to achieve a de facto backdoor. Following the Snowden leaks, companies have strengthened their encryption and security practices and have been less publicly willing to cooperate with government requests for data. Barr’s letter is the latest contribution to this polarized debate.
First, what is encryption and why does it matter? Broadly, encryption transforms data into a string of bits whose original state can only be revealed with a specific key. For example, if you were sending a message with the data “I love The Michigan Daily,” encryption would transform the data into something like “hfoahdjdsh90112aofa00” — intelligible only to those with the appropriate key. Encryption is the foundation of much of what we do online, enabling the flow of confidential information like our banking and health data by keeping it hidden and secure. It protects dissenters, journalists and everyday people from prying governments, organizations and individuals. As more parts of our lives move online, privacy and security are increasingly important. We expect what we say and do in private won’t be surveilled or exposed. The same should be true of our private discussions, activities and existence online. Weakening encryption weakens privacy and security online and threatens people’s freedom, safety and well-being.
With all the benefits of encryption, what are governments’ arguments for a backdoor, and what is a backdoor? Generally, it is a mechanism built into encryption systems that allows a third party to decrypt data when needed. Governments argue that as strong encryption becomes more common, criminal activities are increasingly able to “go dark,” or become hidden from law enforcement, undermining the rule of law and endangering us all. To combat this, governments argue that companies need to create ways for law enforcement to access encrypted data when they need it — through backdoors.
In most cases, however, government arguments for backdoors are far from convincing. Privacy and security experts argue that backdoors threaten the security and privacy of all users, and a bipartisan congressional report concluded that backdoors would “(work) against the national interest.” Forcing companies to build backdoors would only make everyday citizens less secure, while doing nothing to prevent criminals from using encryption. Any backdoor created for governments could be exploited by hackers through either targeting the backdoor directly or stealing access from governments. Additionally, the technology to use strong encryption is already out there. Building backdoors into everyday applications will put everyone at risk while doing little to stop tech-savvy criminals from using strong encryption.
There are some situations where the debate about law enforcement access to encrypted data is less one-sided. As our phones become the “everything” tool and strong encryption is more common, evidence such as calendars, notes, pictures and videos has become increasingly difficult to obtain, even with a warrant. Local law enforcement often lack the resources and expertise to bypass a device’s strong security and encryption systems on their own, and they don’t have many options for help. Compelling suspects to provide access to their phones would undermine the Fifth Amendment and be useless in situations where suspects are unable or unwilling to help. Additionally, companies are less willing to help law enforcement access data and are designing devices to be warrant proof. This combination of inadequate capabilities and unavailable help can render suspects’ devices useless to investigations. As privacy becomes a selling point for technology companies from Apple to Facebook, their increasingly absolutist positions should be taken with a grain of salt. A narrow solution that protects privacy and security while providing law enforcement access when appropriate is not impossible as tech companies often argue. Tech companies already comply with the vast majority of government requests for data, though they don’t publicize it. Also, there are a number of existing proposals to address locked out devices. If representatives of companies, privacy advocates and the government engage in good faith discussions, a narrow, communitarian solution should be possible. Unfortunately, absolutism is often simpler and more popular.
There are certainly some situations where the debate over encryption is less lopsided. However, they are narrow cases where policies and system design are essential, not encryption capabilities themselves. Proposals to directly undermine encryption with “backdoors” are misguided, lazy and dangerous. Instead of fear mongering to justify a dragnet, governments should engage privacy advocates and companies in good faith discussions about limited solutions. Strong encryption is the foundation of much of the modern internet, and protecting it protects everyone and everything online. Turning encryption into a marketing symbol or national security scapegoat undermines that protection and makes us all the more vulnerable.
Chand Rajendra-Nicolucci can be reached at chandrn@umich.edu.