New Perspectives on the Future of Encryption
Encryption and its effects on law enforcement’s access to data seem to occupy a perennial place in the headlines (and on Lawfare as well). The two of us have been working on it for years. The subject is often highly contested, but the fierce discussion has ignored some critical factors. One of those is how changing usage patterns and technologies will affect how law enforcement can—or can’t—obtain access.
With the support of the Carnegie Endowment for International Peace, a group of us have been meeting to discuss encryption policy. No, we haven’t found a silver bullet to put an end to the encryption debate. But to get the ball rolling toward a more informed conversation, the Carnegie Encryption Working Group has highlighted two particular areas where an understanding of future trends and technologies can enhance policy discussions: the future of “user-controlled” encryption and the development of quantum computing. The Carnegie working group, together with Princeton University, has recently released papers on both subjects that we think will be illuminating. We discuss them in some depth here.
The first major trend of the future will be how “user-controlled” encryption—that is, systems in which customers or end users have ultimate control over the keys to encrypt and decrypt information—will be adopted across platforms and commonly used services, including services like WhatsApp and Signal. Law enforcement cares a great deal about the trend lines here; the adoption of user-controlled encryption systems is one of the main things they are talking about in the context of “going dark.”
As the cost of deploying encryption has decreased enough to make it widely available and cheap, providers likely will deploy user-controlled encryption when two conditions are satisfied: 1) customers want user-controlled encryption, and 2) the provider does not need access to the data that customers want to encrypt in order to make its services work. One early sign that this prediction is bearing out is Facebook’s March announcement that it will shift its focus to encrypted messaging. In this case, Facebook’s potential interest in analyzing the content of user messages to serve ads likely did not outweigh its assessment of user demand for privacy. Given the scrutiny that Facebook has been under recently, other factors could be at work as well.
Clearly, user-controlled encryption will make it difficult or impossible for law enforcement to access some data. But, as the paper points out, such encryption will not be used everywhere because users have different needs for and approaches to encryption. The same is true with providers.
Some customers want to ensure their information is protected in situations when even their service provider is compromised. Those customers will seek out platforms and services where user-controlled encryption will be available in nearly every context. The constraint on their ability to do so will be the provider’s need for access to customer data to ensure product functionality; to perform data recovery, for instance, providers would need access to encryption keys. The same applies for functions that depend on server-side processing, including email storage, search, and spam filtering. Some providers also may continue to rely on a business model that, one way or another, monetizes their access to the content of communications, so they are likely to retain the ability to read the plain text of customer communications. But it is important here to distinguish between encryption of data-at-rest (the encryption of data stored on a device or server, for example) and data-in-motion (the encryption of data transmissions, as used by WhatsApp and Signal, for instance).
In the future, it is likely that service and platform providers will apply user-controlled encryption to all or almost all data-in-motion (because provider interests can be fulfilled by storing data that comes over the network as opposed to reading it while it is in transit). Meanwhile, data-at-rest—in cloud servers in particular—is likely to remain accessible to the provider in order for it to perform data recovery, enhance service functionality or monetize the content. Law enforcement would, in theory, still be able to serve orders on cloud service providers and other application providers to access that data. In reality, however, other trends—such as data localization and data fragmentation—may complicate law enforcement’s efforts to access data in the cloud as a practical matter even in circumstances where encryption is not an issue.
This analysis leads to certain predictions about which applications will be more or less accessible to law enforcement with lawful process and which ones will go increasingly “dark.” (Note that this analysis does not consider alternative forms of access, such as lawful government hacking.) Encryption alone is unlikely to render cloud-based email, enterprise messaging, calendar management, and collaborative editing services inaccessible to law enforcement because the services that providers offer along those lines require maintaining access (although, as noted above, other trends may complicate production of plain text to law enforcement). In other cases, such as instant messaging, some customers—especially public companies and regulated businesses—will want data recovery, while other customers will opt for user-controlled encryption and forego storing older messages in the cloud. Audio conferencing will likely incorporate user-controlled encryption. For now, current technology means that video conferencing requires server-side functionality and thus will be accessible; however, that could change in the future.
Users and providers are not monolithic in their approach to encryption. Understanding how users will interact with their data, and which data they will seek to control through user-controlled encryption, is a critical aspect of the encryption debate; we urge Lawfare readers to read the longer—though still brief—report.
Other reports have addressed the implications of quantum computing for subjects like the U.S.-China rivalry. But its relevance to encryption policy is largely unknown to the public, even though quantum computers could make all our messages readable, especially those written decades ago and secured by older encryption systems.
Right now, quantum computers are quite difficult to build. None has been built so far that surpasses a classical computer, though not for lack of trying. We don’t know how quantum computing will progress, but as the paper states, it is possible that quantum machines could become a practical reality in the next 10 to 20 years.
Today, key-exchange algorithms like RSA are secure because they use key sizes large enough that any adversary using a classical computer would have to perform prohibitively expensive and time-consuming computations to break them. But quantum machines could quickly break RSA, rendering the algorithm insecure—and therein lies the danger. If an adversary were collecting our encrypted communications today and then, a decade or two from now, had a working quantum computer, it would be able to retrospectively break the encryption protecting the collected communications. This is something the U.S. did in the 1950s to encrypted Soviet communications collected during World War II (see the declassified Venona files).
Fortunately, cryptographers know this problem is coming. The National Institute of Standards and Technology has been leading an effort on post-quantum cryptography—“quantum-safe” encryption methods that can withstand quantum computers. Parties including Microsoft, Google, the European Telecommunications Standards Institute, a coalition of European research institutions called the Prometheus Project, and others are also working on post-quantum solutions. Any debate on the future of encryption should factor in the quantum issue, since any key-escrow system that relies on contemporary public-key encryption won’t stand the test of time in a post-quantum world. Lawfare readers are urged to also read this report.
Those involved in the discussions about encryption policy would benefit from incorporating these analyses into their considerations. Our working group continues to study the issues and is examining other areas where new contributions would improve the debate. This includes the international dimensions of encryption policy. Expect to see more from us.