Opinion: Why we all have a stake in encryption policy

Rapid advances in technology could soon turn science fiction notions of effortless encryption into a reality. But ensuring that we can trust that technology will take more public vigilance against government and corporate eavesdropping.

 

FBI Director James Comey testified on Capitol Hill in September on cybertheats. Mr. Comey has warned that strong end-to-end encryption on consumer devices can harm terrorist and law enforcement investigations.

Pablo Martinez Monsivais/AP

October 14, 2015

In William Gibson's latest novel, "The Peripheral," he imagines a future in which people have the ability to effortlessly encrypt spoken conversations in real time, in ways that are unbreakable to the artificial intelligences deployed by governments to eavesdrop on everyone.

It's a vision of the future that presents a timely thought experiment against the backdrop of government and law enforcement officials' calls for "backdoors" into encryption products, for use by government agencies with law enforcement and national security missions. And while the Obama administration recently stated that it would not pursue legislation to require these backdoors, the question is far from settled.

The encrypted conversation scenario remains, for now, well within the realm of science fiction, due mainly to the effortless nature with which Mr. Gibson’s characters deploy this technology. With a few exceptions, contemporary use of strong, end-to-end encryption is limited to those willing to put up with the complicated mechanics that most cryptographic tools require. There is nothing "effortless" about it.

The battle between Washington and Silicon Valley over encryption

Which is why, as director of New America's Open Technology Institute Kevin Bankston points out, the recent "apocalyptic" warnings by law enforcement of "going dark" are premature, at best. Law enforcement and other government agencies with an interest in civilian access to crypto technologies are rarely stymied by encryption, since criminals so infrequently deploy it. When it is used, there are often flaws in implementation that lets government agents bypass encryption without having to go through the trouble of actually deciphering it.

Thus, even the notional smart criminal runs into the same problems the rest of us do when we try to use encryption – it's complicated, it's nonintuitive, and when it's used incorrectly, it leaves open security holes that can be exploited. Until we reach something like Gibson’s effortless crypto, truly ubiquitous encryption is beyond our reach.

But if we extrapolate a future path based on the rapid advances in technology we have seen over the past few decades, we could quite easily make the case that effortless encryption is inevitable. This observation is not lost on those same government agencies calling for crypto backdoors, who now seek to establish law enforcement-friendly standards that can become fully baked into our legal system by the time we reach encryption ubiquity.

It is therefore worthwhile for everyone to start considering a world where effortless, ubiquitous encryption is possible, since advances in technology will one day likely force the question upon us. If we fail to meaningfully engage with our government on this level, we will waive our right to shape the domestic surveillance policies of this future. Thus, engage we must, starting with a solid understanding of the landscapes both before and behind us.

Which brings me to University of Washington School of Law assistant professor Ryan Calo's recent article. He argues that tech giants Apple and Google, who have implemented reasonably effortless versions of end-to-end encryption into some of their communication products, may be our best hope of resisting government surveillance. That is to say, if consumers ask for the sort of effortless encryption technology envisioned in Gibson's possible future, these demands could translate into market forces that would provide corporations with the incentives to build this technology in the face of government resistance.

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

My concerns – and I expect Mr. Calo's, as well – with this scenario are twofold. First, imagine that some future Apple or Google is the implementer of the effortless encryption, and we further assume that they have implemented this technology in such a way as to require all communication to be transmitted via their networks. In this case, courts may well hold that we have no reasonable expectation of privacy – in a Fourth Amendment context – in the information we voluntarily share with these companies. This aging doctrine has continued to roil in our courts, and has a direct effect on our ability to trust corporations to keep our data safe from warrantless government searches.

Second is the concern that emerges from the very basis of these corporate incentives. Governments can be quite effective at shaping market forces, and many of these same companies that might build our effortless encryption solution also realize significant benefits from government contracts. The first company to build effortless encryption may find itself left out when it comes to future government business. And corporations, as private actors, are not subject to the constitutional restrictions placed on government. Corporations will follow where the market leads them.

We are, of course, a nation that can effect change through the political process. And we can project a certain kind of power when we vote with our pocketbooks. But this issue is too important to the future health of an open and free society to trust it to either market forces or government bureaucracies.

What's at stake is our ability to privately converse, conduct business, associate, and otherwise communicate with our fellow citizens without the fear of unwanted snooping. We owe it to ourselves to carefully consider all of the costs and benefits as we prepare for the day when effortless encryption is more than just a thought experiment, so that we, as citizens, approach the conversation as informed stakeholders.

Jeffrey Vagle is lecturer in law and executive director of the Center for Technology, Innovation, and Competition at the University of Pennsylvania Law School. Mr. Vagle is also an affiliate scholar with the Stanford Law School Center for Internet and Society. Follow him on Twitter @jvagle.