What 2020 Means for Encryption

March 3, 2020
In The News

What is encryption?

Encryption is the process of scrambling information so only the intended recipients can decipher it. An encrypted message requires a key — a series of mathematical values — to decrypt it. This protects the message from being read by an unwanted third party. If someone without the key tries to hack in and read the message, they’ll see a set of seemingly random characters. Using modern encryption techniques, extracting the original message without the key is nearly impossible.

That basic process is a fundamental building block of network security, ensuring that information can travel over the public internet without being intercepted in transit. Without some form of encryption, it would be impossible to implement basic online services like email, e-commerce, and the SSL system that verifies webpages.

While most uses of encryption are uncontroversial, the wide availability of techniques has opened up new political questions around lawful access. Presented with a warrant for a particular user’s information, businesses are legally required to turn over all the information they have. But if that information is encrypted and the company doesn’t have the key, there may be no way to work back to the original data.

Some products hold copies of user keys and decrypt data when served with a warrant, including Gmail, Facebook pages, and most cloud storage providers. But messaging apps like WhatsApp, Telegram, and Signal do not, and the device encryption used by iOS also makes the phone’s local data inaccessible. That approach has both privacy and security benefits: since the data is not available outside of the local device, the apps are far more resilient to breaches and centralized attacks.

Why don't politicians like encryption?

In 2014, James Comey, the then-director of the FBI, wrote a memo spelling out his concerns about encryption. “Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority,” he wrote.

Comey went on to warn that encryption would make it more difficult for law enforcement to catch suspected criminals. If communications are encrypted by default, he said, the government can’t monitor and collect communications, even if a judge allows them to do so. Encryption, he summarized, “will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?”

The government’s position on encryption hasn’t evolved a whole lot in the intervening years. Attorney General William Barr and Sen. Lindsey Graham (R-SC) argued last year that hardened encryption makes it difficult to figure out when messaging platforms are used to coordinate crimes. If a large-scale terrorist attack is carried out, the government needs to act quickly to understand the national security risks. Hardened encryption could make this discovery process harder.

What has the encryption fight looked like so far?

In 2016, in the wake of the San Bernardino shooting, the FBI asked Apple to hand over information from the suspect’s iPhone. At first, the company complied, giving the FBI data from the suspect’s iCloud backup. Then the FBI demanded access to the phone’s local storage. This would have involved Apple deploying an entirely new version of iOS to the device, which the company refused to do. In a statement, a company spokesperson said: “We believed it was wrong and would set a dangerous precedent.”

The FBI responded by trying to force Apple to help, citing the All Writs Act of 1789. Just before a hearing on this case, however, the FBI was able to unlock the iPhone using an anonymous third-party company. The phone did not contain much new information the FBI hadn’t already had, but the conflict escalated the fight between tech companies and the government over encryption.

In 2019, after the shooting at the Pensacola Naval Air Station, the government again asked for Apple’s assistance unlocking the suspect’s iPhone. Apple did not comply, but it did hand over data from the suspect’s iCloud backups. In response to Apple’s refusal to unlock the shooter’s iPhone, President Donald Trump tweeted: “We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements.”

A week later, it was revealed that the company had dropped plans to allow users to encrypt their iCloud backups after the FBI argued the move would harm future investigations.

 

In March 2019, Facebook CEO Mark Zuckerberg published a memo laying out his vision for a new privacy-focused social network. In it, he stated the company’s plan to roll out encryption across its various messaging apps. “People expect their private communications to be secure and to only be seen by the people they’ve sent them to — not hackers, criminals, over-reaching governments, or even the people operating the services they’re using,” he wrote.

The news set off a firestorm of criticism from certain politicians — most notably, AG Barr. In a letter to the company, Barr, along with officials in the United Kingdom and Australia, wrote, “Companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.” They added that encryption put people at risk “by severely eroding a company’s ability to detect and respond to illegal content and activity, such as child sexual exploitation and abuse, terrorism, and foreign adversaries’ attempts to undermine democratic values and institutions, preventing the prosecution of offenders and safeguarding of victims.” They asked Facebook to stop the encryption rollout. Facebook did not comply with this request. 

What do Republicans want?

Republicans seem to want US tech companies to comply with law enforcement in the event of a major national security attack. They do not want US tech companies to make accessing user data more complicated through end-to-end encryption. In his letter to Facebook, Barr asked Zuckerberg to allow “law enforcement to obtain lawful access to content in a readable and usable format,” as reported by The New York Times.

What do Democrats want?

Most Democratic presidential candidates are supportive of end-to-end encryption. When asked whether the government should be able to access Americans’ encrypted conversations, Sen. Bernie Sanders (I-VT) said: “[I] firmly [oppose] the Trump administration’s efforts to compel firms to create so-called ‘backdoors’ to encrypted technologies.” Sen. Elizabeth Warren (D-MA) did not answer directly, but she said that “the government can enforce the law and protect our security without trampling on Americans’ privacy. Individuals have a Fourth Amendment right against warrantless searches and seizures, and that should not change in the digital era.” During his primary run, former South Bend, Indiana mayor Pete Buttigieg said, “End-to-end encryption should be the norm.” Former New York City mayor Mike Bloomberg, in an op-ed from 2016, argued against end-to-end encryption and said tech companies shouldn’t be above the law in refusing court orders to hand over user data.

How does section 230 fit in?

Section 230 of the Communications Decency Act “protects websites from lawsuits if a user posts something illegal.” There’s been a large debate about whether companies should continue to have these protections, with various lawmakers proposing plans to change or amend Section 230.

 

In January, one proposed change called Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT) sought to strip tech companies of their Section 230 protections if they didn’t comply with new rules for finding and removing content related to child exploitation. And while the bill, titled the National Strategy for Child Exploitation Prevention, didn’t lay out many specifics, complying with these rules would likely mean not encrypting some user data.

What do tech companies want?

 

Apple has taken the lead on the issue so far, and it has been careful to valorize law enforcement and lawful access provisions, while firmly opposing a backdoor. As CEO Tim Cook framed it in an open letter at the start of the San Bernardino case, Apple is willing to do everything it can — including turning over iCloud logs and other user data — but unlocking device encryption is a step too far. “Up to this point, we have done everything that is both within our power and within the law to help [the FBI],” Cook wrote. “But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”

For the most part, other tech companies have lined up behind Google — with the Facebook-owned WhatsApp leading the way. In response to Barr’s letter in 2019, Will Cathcart, head of WhatsApp, and Stan Chudnovsky, who works on Messenger, said the company was not prepared to build the government a backdoor in order to access user messages. “Cybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere,” they wrote. “It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it.”

Still, many tech companies that rely on government contracts have had to walk a more politically delicate line. Microsoft supported Apple publicly during the San Bernardino case, but more recent statements from Microsoft CEO Satya Nadella have taken a softer line. In January 2020, Nadella expressed opposition to backdoors but optimism about legislative or other technical solutions, saying, “We can’t take hard positions on all sides.”

What's next?

As tech companies like Facebook continue to move forward with large-scale encryption projects, more major changes could come in the form of legislation aimed at helping or hurting large-scale encryption initiatives. In 2019, Rep. Ted Lieu (D-CA) reintroduced a 2016 bill called the Ensuring National Constitutional Rights for Your Private Telecommunications Act (ENCRYPT), which would create a national standard for encrypted technology. Rep. Zoe Lofgren (D-CA), along with a bipartisan coalition, also introduced the Secure Data Act, which would stop federal agencies from forcing tech companies to build backdoors into their products, thereby weakening encryption. Finally, there’s still the draft of the National Strategy for Child Exploitation Prevention, which would make it much harder for tech companies to encrypt their products.