EncryptionFramework for policymakers to address debate over encryption
A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data. The framework is the product of an 18-month study led by a diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines.
A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data. The framework is the product of an 18-month study led by a diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines.
NAS says that the decades-old encryption debate reached new public prominence in connection with the FBI’s efforts to compel Apple to decrypt the phone of a dead terrorist in the San Bernardino case. FBI and other law enforcement officials have warned that the growing use of encryption in smart phones, messaging apps, and other devices and software is restricting their access to information needed for criminal and national security investigations. They have increasingly called for reliable, timely, and scalable ways to access this information so they can fulfill their public safety and national security missions.
Meanwhile, critics have raised legal and practical objections that regulations to ensure government access would pose unacceptable risks to privacy and civil liberties and undermine information security in the face of rising cyber threats, and may be less necessary given the wider availability of data and alternative means of obtaining access to encrypted data.
One of the fundamental trade-offs underlying the debate, according to the report, is that adding capabilities for government to access encryption schemes would weaken the security of an encrypted product or service to some degree, while the absence of such an access hampers government investigations.
“The debate over efforts to enable government agencies access to plaintext has long been very polarized,” said Fred Cate, C. Ben Dutton Professor of Law at Indiana University and chair of the committee that wrote the report. “This is the first time that such a diverse array of experts representing so many important and often conflicting viewpoints worked together to reach consensus on the critical issues raised by encryption and the questions policymakers should ask when addressing them. Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward.”
The framework includes eight questions for policymakers or members of the technical community to consider while evaluating or formulating a proposal to provide authorized government agencies with access to encrypted content:
— To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
— To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
— To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
— To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
— To what extent will financial costs be imposed by the proposed approach, and who will bear them?
— To what extent is the proposed approach consistent with existing law and other government priorities?
— To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
— To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?
The framework is designed to be applicable to regulatory requirements, such as when a manufacturer has to ensure lawful access to their products; policy choices such as decisions to provide more funding to support efforts by government to obtain lawful access to plaintext; and particular technologies that might be imposed by law or implemented by companies in response to a general requirement for access.
The report also emphasizes that policymakers will likely face challenges while addressing these questions such as incomplete information about the impact of encryption on investigations as well as deliberate use of encryption by criminals; limits on the current ability to measure security risks; and inability to fully predict the consequences of courses of action. Other difficulties for policymakers include the complexity presented by thousands of communications and computing products available today, an international marketplace where products and services are introduced with regularity, and the interactions of those markets with the strategies and policies that are adopted by other nations.
NAS notes that the aim of this framework is not simply to help policymakers determine whether a particular proposed approach is desirable but also to ensure it is implemented in a way that maximizes effectiveness while minimizing harmful side effects, the committee said.
— Read more in Decrypting the Encryption Debate: A Framework for Decision Makers (National Academiy of Sciences, 2018)
