We need a wiser approach to encryption policy

There is, or ought to be, common ground in the encryption debate. It is time to put aside the past and move forward toward a wiser encryption policy.

More than two years ago, the FBI sought a court order requiring that Apple assist it in decrypting the iPhone of the suspected San Bernardino shooter. Apple refused; the FBI got a technical solution from another company and, in the end, the controversy faded away.

Since that time the debate over American encryption policy has ossified. Cryptographers often reflexively reject any proposal, and security analysts don’t comprehend why the technologists can’t find a solution. The encryption discussion must move beyond the tired bromides of the last few years. We need a wiser encryption policy that recognizes both the value of encryption and the reality of law enforcement fears of “going dark.”

{mosads}The reality is that solid and technologically sound encryption systems are needed more than ever for data protection, data integrity, and confidentiality. At a time, for example, when voter databases are under assault from foreign actors, we need to be enhancing the integrity of our data systems, not reducing it. I have worked across the private and public sectors to strengthen cyber protections, responded to breaches, and understand how difficult it is to build secure and resilient systems—introducing new vulnerabilities only exacerbates these challenges. So, it is time to ask whether instead of engineering backdoors into encryption systems, are there other reasonable technological solutions available? 

Fortunately, other experts have made similar observations. The Center for Strategic and International Studies (CSIS), for example, recently released a detailed report outlining law enforcement’s most pressing digital investigatory needs and the actions that government, law enforcement, and the technology community can take to address those needs. Where can immediate investments be made so that both the tech industry and law enforcement could benefit and find common ground? In my view, there are several areas in which joint efforts can alleviate the need for destructive confrontation.

First, we should understand that a wide range of open source data exists that can benefit law enforcement. In general, if data is available in the corporate context for use by a commercial enterprise it should be available, with appropriate legal authorization and safeguards, to law enforcement. These open source data sets are quite robust and often will prove an adequate substitute for encrypted data. Also, in many cases enterprises may maintain duplicate keys for their own purposes. That should be amenable to judicial process.

While some will argue that law enforcement should be further constrained in accessing open source data, privacy advocates cannot have it both ways – both in enforcing strong encryption and in denying law enforcement any other tools that might be necessary to act lawfully and effectively. 

A good example of this is the robust debate relating to geo-location technologies.  While one may readily agree that geotagging discloses significant information, it is also the case that locational data is widely shared by individuals to their own benefit and that it is of great utility to law enforcement.

The encryption debate cannot be resolved so long as advocates also seek to disable other forms of law enforcement data access. A sensible solution is one that, with proper legal supervision, enables privacy for those who take advantage of it (through encryption) but leaves law enforcement in no better, or worse, position than the commercial sector in access to open records.

The second pillar of a response – again, one in which the tech industry can assist law enforcement and find common ground – lies in the continuing lack of digital expertise in the law enforcement community. CSIS found that 30 percent of federal, state, and local law enforcement officers surveyed experienced difficulty in identifying which service providers even have the relevant digital evidence that they sought. The situation is getting better but the tech community can help by providing increased law enforcement training on digital investigation techniques that, if used fully, would likely obviate the need for an ability to decrypt data.

Finally, there is a crying need for IT modernization. Today many law enforcement systems (including, sadly, a number at DOJ) are relatively antiquated and incapable of large scale data base analytics. Law enforcement needs systems that can better receive and access lawful information.

It is a sad reality that much of the current information technology infrastructure of law enforcement is outdated and in desperate need of an upgrade. To be sure, the Federal government has begun some much-needed system upgrades and some of the larger law enforcement organizations, like the New York Police Department, have taken major strides in the use of data analytics.

But at a fundamental level, the procurement and deployment cycle for IT infrastructure is just too slow at all levels of law enforcement (and, of course, elsewhere in government). One critical way in which the technology community can assist is by bringing their agile development and procurement methodologies to bear to reduce the technological lag of government systems. We’ve seen a little bit of that happening already in the Federal government (for example, through a program known as 18F managed by the GSA) but the concept of agile digital services has yet to take hold at all levels of law enforcement.

The “debate” over encryption policy needs a reset. We must stop endlessly returning to the same questions of policy and technology. A better way forward – a wiser way – is to focus on areas of common ground and agreement.

Bob Anderson served more than 30 years with the FBI, including as the Executive Assistant Director for Criminal, Cyber, Response and Services Branch (CCRSB) overseeing all FBI criminal and cyber investigations worldwide, international operations, critical incident response, and victim assistance. He is now a principal at The Chertoff Group, a security risk management firm with clients in the technology sector.