Lawmakers should think carefully before passing laws that will give governments the ability to access encrypted messages, says a report by U.S. legal and scientific academics and tech experts.
The report, issued this morning by the U.S. National Academies of Sciences, Engineering and Medicine, says adding capabilities for government to access encryption schemes would weaken the security of an encrypted product or service to some degree. On the other hand, it also admits that the absence of such access hampers government investigations.
But facing pressure from law enforcement agencies, which sometimes have trouble accessing encrypted devices or communications, the report authors suggest a framework in which policymakers answer eight questions to judge whether a proposed solution is desirable and whether it minimizes harmful side effects.
The questions are:
- To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
- To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
- To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
- To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
- To what extent will financial costs be imposed by the proposed approach, and who will bear them?
- To what extent is the proposed approach consistent with existing law and other government priorities?
- To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
- To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?
A news release summarizing the conclusions says the report also emphasizes that policymakers will likely face challenges while addressing these questions, such as incomplete information about the impact of encryption on investigations and about the deliberate use of encryption by criminals; limits on the current ability to measure security risks; and an inability to fully predict the consequences of courses of action. Other difficulties for policymakers include the complexity presented by the thousands of communications and computing products available today, an international marketplace where products and services are introduced with regularity, and the interactions of those markets with the strategies and policies adopted by other nations.
Contacted about the report, Canadian privacy expert Ann Cavoukian suggested the issue is simple: “The folly of revisiting the creation of crypto-backdoors appears to be endless. Leading cryptographers all around the world have said that providing an additional port of entry would only serve to weaken online security for everyone. This is a lose/lose proposition that should be abandoned, once and for all. Let’s not have but yet another Clipper chip debate!”
To some degree the fight will be centred in the U.S., where major makers of encrypted devices and communications systems such as Apple and Google (which makes the Android mobile operating system) are headquartered. However, solutions imposed by Congress will leave openings for law enforcement agencies in other countries.
The committee that authored the report was chaired by Indiana University law professor Fred Cate, who is also vice-president for research and senior fellow at the institution’s Center for Applied Cybersecurity Research. It included Microsoft’s vice-president for security policy, a software engineer from Google and Intel’s global privacy officer.
The report doesn’t come down on either side of the controversy over government access to encrypted communications. Some say any attempt to weaken encryption, including so-called back-doors — even if they are highly protected and in theory only available for law enforcement and intelligence agencies — will be quickly exploited by criminals, nation states and terrorists. Others say that, with a judicial order, law enforcement and intelligence agencies must be able to access any communications, so hardware and software makers must include ways to give them access.
The report says solutions “must take into account both the needs for individuals to be able to have their privacy and civil liberties protected from intrusive government encroachment and individuals’ interests in protecting against both criminal actors and threats to national security.”
Much of the report is U.S.-centric — for example on whether under current U.S. law police can compel a suspect to provide a fingerprint or other biometric data to unlock a device and allow access to its data (yes) or get a password (no).
It notes that large online service operators such as Google, Facebook, and Apple already have processes in place to receive and validate U.S. warrants and other law enforcement requests and to deliver unencrypted customer data that they hold in their corporate databases. However, device makers such as Apple do not presently have processes in place to give law enforcement agencies device unlock codes. That would involve managing master signing keys and creating device-specific unlock codes, the report points out. “A workable solution would have to be deployable on billions of devices.”
The report notes that one suggested solution is for device makers to create a master key scheme similar to the one they use to authenticate software updates. However, it admits that such a so-called exceptional access key could give an attacker access to everything on the device. One possible risk mitigation, it adds, is a system in which exceptional access can only be granted if a person physically has the device.