For the past several decades, policymakers, law enforcement, private companies, civil liberties advocates and cybersecurity specialists have been locked in a passionate yet seemingly unending battle over encryption. The debate, sometimes referred to as the “going dark problem” or the “crypto wars,” centers around whether law enforcement agencies should be able to force companies to decrypt communications. While advocates argue government access to encrypted data is necessary for the sake of public safety and national security, many others believe that undermining encryption is an assault on individual privacy and civil liberties. Despite decades of debate, policymakers and lawmakers have made minimal progress toward settling the issue once and for all or with finding an acceptable compromise.
The debate was seemingly set to be answered by the courts in 2016, when Apple refused to craft new software at the behest of the Federal Bureau of Investigation (FBI) that would allow the agency to access encrypted information on a phone belonging to one of the shooters in a 2015 terrorist attack on Inland Regional Center in San Bernardino, California.
But the “going dark” encryption debate shares a key characteristic with the walking dead: no matter how many times you try to put it to rest, it keeps coming back. In October 2020, the Department of Justice (DOJ) issued an international statement calling for companies to “[e]nable law enforcement access to content in a readable and usable format where authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.” Both at home and abroad, there are increased government calls to weaken encryption in the name of national security.
While fervor surrounding the issue remains high, trotting out the same arguments of a now decades-old policy debate has gotten us no closer to a solution. Indeed, several experts have agreed that if policymakers want to make progress, they must stop viewing encryption as an issue of security versus privacy and reframe the debate.
One laudable attempt to reframe how encryption policy is considered comes from Tim Maurer and Carnegie’s working group on encryption, which brings together some of the premier experts on the topic. While the working group does not come to a consensus regarding a policy solution, the group has proposed a number of recommendations for moving the conversation forward, such as narrowing the focus to encryption of data sitting in databases, known as data at rest, as opposed to data moving through a network, known as data in transit.
The limiting binary of privacy versus security must be reshaped into one of security versus security, which focuses on coordinating a whole-of-government approach, creating a Bureau of Cyber Statistics, exploring alternatives and establishing a standard language to discuss encryption. However, there is still exploration to be done regarding why the privacy versus security framework has persisted for so long, and what additional steps must be taken to break away from this limiting way of thinking. The widespread availability of encryption and the highly public nature of certain cases where law enforcement has been stymied by technology, namely terrorist attacks, have obviously played their part in ensuring the debate remains relevant. However, also at play is the lack of a common language or good metrics and a reluctance on the part of certain government officials to explore potential alternative solutions.
