As Americans connect with family and friends online, send their kids to school over Wi-Fi, work or order groceries online, we depend on the security of the internet to manage our daily lives. The communications and transactions that help us connect during this pandemic are protected from prying eyes, criminals, and foreign adversaries by complex mathematical formulas that scramble our data to everyone except the intended recipients. This process, known as encryption, has become an essential protection for operating in modem life even before the pandemic.
Unfortunately, the Department of Justice and Attorney General William Barr have proposed requiring American technology companies to break this essential protection by providing what’s known as “exceptional access” to their encryption systems.
In theory, it would require companies to establish a mechanism where the government could compel companies to unlock particular encrypted communications when the government obtained a warrant to do so. Even if such a mechanism already existed, past experience suggests that despite their best efforts, the government would not be able to keep such a system uniquely secure.
Even the nation’s most secure agencies, the CIA and the NSA, have reportedly had key cybertools stolen from inside their agencies. How could the government hope to keep an exceptional-access system secure given the thousands of law enforcement agencies across the country who would be making demands on the thousands of different technology companies with the information?
Yes, criminals use encryption to hide their crimes, but encryption was designed to protect everyone. Any service that technology provides will be misused by some fraction of the population. But breaking it without thinking about what we’re collectively losing would be a mistake.
Take our national security apparatus. It relies on encryption more than anyone to protect our nation’s secrets, to secure private information on military and civilian personnel, to organize and plan our response to crisis and conflict. This is true not only for the specialized classified information systems, but also the unclassified business and personal communications of millions of government employees. Indeed, it’s viewed as so essential that government employees are forbidden from using Zoom on their official computers because it lacked end-to-end encryption.
Even if the Department of Justice is successful at persuading Congress to pass a law mandating exceptional access for encryption, that rule only extends to American companies. Companies operating in other countries could continue to offer secure, end-to-end encryption to their customers. Would the Department of Justice prevent app stores from offering Americans a more secure alternative?
Also, by demanding that companies provide the U.S. government with exceptional access to encrypted technology, it would reinforce the demands of authoritarian governments around the world like Russia and China, to demand equal access to customer information, imperiling the privacy of people around the world.
To be sure, law enforcement faces unprecedented challenges in the digital age. Cybercrime proliferates faster than it can be counted, and even local crimes often have a digital evidence component. All too often the conversation between law enforcement and the technology companies can be adversarial, rather than focused on the common challenge of identifying the cyber criminals. But there is much that can be done to resolve law enforcement’s challenges without breaking such a fundamental protection on which our nation’s security, economy, and our personal privacy relies.
It can be tempting for some government officials to dismiss tech companies as standing in the way of law enforcement and national security. The consistent refrain that companies are not working hard enough to solve law enforcement’s problem with encryption is heard by companies as “nerd harder,” resulting in a stalemate. We believe this is mistaken and needs to change so we can have a more productive conversation about how industry and government can work together to hold malicious actors accountable.
Here’s the bottom line: Encryption is critical to securing private communications, financial systems, intellectual property and other trade secrets. A private company’s commitment to securing this data should not make them the enemy of government—it makes them an ally. Efforts to secure themselves and their customers against hostile online actors is as essential for national security as is anything done by the federal government.
To be clear, the case for special access to encrypted materials can have noble objectives and intentions; but technology has changed to make such access detrimental to cybersecurity and data integrity, with no guarantee of success. Policymakers and national security leaders should recognize this and be persistent in trying to find collaborative approaches with industry that protect, not undermine, national security.
This piece originally appeared in The Hill on 9/25/20