Policy Studies Technology and Innovation

Reframing the Crypto Wars


Kathryn Waldron
Former Resident Fellow, Cybersecurity and Emerging Threats
Sofia Lesmes
Former Senior Research Associate, Cybersecurity and Emerging Threats

Key Points

The encryption debate in the United States has been marked by a number of high-profile events since the early Crypto Wars in the 1990s that have shaped the debate into the limiting binary of privacy versus security.

The enduring nature of the encryption debate is partially due to a lack of common language, the increased availability of encryption services and a lack of a whole of government approach to cybersecurity.

The way forward on the encryption debate is multifaceted and requires efforts from both “sides.” Policymakers should capitalize on the inauguration of a National Cyber Director to streamline the encryption policy debate. Additionally, establishing a Bureau of Cyber Statistics would help paint a clearer picture of how many investigations are stifled by encrypted communications, instead of allowing individual high-profile events to dominate the debate. Finally, stakeholders need to change the language of the debate’s language, avoiding certain terms that are either too confusing or too polarizing to be of any value, and instead reframe the debate under the guise of security versus security.

Press Release

What are the Crypto Wars?


For the past several decades, policymakers, law enforcement, private companies, civil liberties advocates and cybersecurity specialists have been locked in a passionate yet seemingly unending battle over encryption. The debate, sometimes referred to as the “going dark problem” or the “crypto wars,” centers around whether law enforcement agencies should be able to force companies to decrypt communications. While advocates argue government access to encrypted data is necessary for the sake of public safety and national security, many others believe that undermining encryption is an assault on individual privacy and civil liberties. Despite decades of debate, policymakers and lawmakers have made minimal progress toward settling the issue once and for all or with finding an acceptable compromise.

The debate was seemingly set to be answered by the courts in 2016, when Apple refused to craft new software at the behest of the Federal Bureau of Investigation (FBI) that would allow the agency to access encrypted information on a phone belonging to one of the shooters in a 2015 terrorist attack on Inland Regional Center in San Bernardino, California.

But the “going dark” encryption debate shares a key characteristic with the walking dead: no matter how many times you try to put it to rest, it keeps coming back. In October 2020, the Department of Justice (DOJ) issued an international statement calling for companies to “[e]nable law enforcement access to content in a readable and usable format where authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.” Both at home and abroad, there are increased government calls to weaken encryption in the name of national security.

While fervor surrounding the issue remains high, trotting out the same arguments of a now decades-old policy debate has gotten us no closer to a solution. Indeed, several experts have agreed that if policymakers want to make progress, they must stop viewing encryption as an issue of security versus privacy and reframe the debate.

One laudable attempt to reframe how encryption policy is considered comes from Tim Maurer and Carnegie’s working group on encryption, which brings together some of the premier experts on the topic. While the working group does not come to a consensus regarding a policy solution, the group has proposed a number of recommendations for moving the conversation forward, such as narrowing the focus to encryption of data sitting in databases, known as data at rest, as opposed to data moving through a network, known as data in transit.

The limiting binary of privacy versus security must be reshaped into one of security versus security, which focuses on coordinating a whole-of-government approach, creating a Bureau of Cyber Statistics, exploring alternatives and establishing a standard language to discuss encryption. However, there is still exploration to be done regarding why the privacy versus security framework has persisted for so long, and what additional steps must be taken to break away from this limiting way of thinking. The widespread availability of encryption and the highly public nature of certain cases where law enforcement has been stymied by technology, namely terrorist attacks, have obviously played their part in ensuring the debate remains relevant. However, also at play is the lack of a common language or good metrics and a reluctance on the part of certain government officials to explore potential alternative solutions.

Featured Publications