This week, the Senate Judiciary Committee will hold a hearing examining a Groundhog Day issue in internet policy: Should the government require tech companies to redesign their systems so that government agents can access encrypted communications and data? Little about the hearing is available at this writing, but its title is “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy.” That is an invitation to balanced analysis, which can be enlightened by consideration of benefits and costs, as well as other concepts in risk management.
The model in the US for mandating that a communications product be designed conveniently for law enforcement is CALEA, the Communications Assistance to Law Enforcement Act. That law, passed in 1994, requires centralized telecommunications carriers and manufacturers to make their services and equipment amenable to wiretapping.
CALEA reflects the technology of the times. In the 1990s, there were a small number of channels over which wrongdoers could communicate long-distance. Having access to the nation’s communications bottlenecks could provide genuine and lasting law enforcement benefits.
But communications technology has changed, and criminals are not static actors. Communications now travel across the wide-open internet, on varied and variable routes and in a variety of formats, including bespoke ones. Internet service providers and backbone providers do not stand in the same all-seeing position relative to the content crossing their systems that phone companies occupy.
Were there to be a reduction in the quality of communications encryption provided by US tech companies, the adept criminals and terrorists — arguably the ones we should most worry about — would move to encrypted communications platforms offered in other countries or to nonproprietary, fully-encrypted communications techniques. In other words, this is a low-benefit proposition. Mandating weakened encryption systems would immediately move some bad actors off of US-regulated systems. A continuing exodus would produce less and less law enforcement benefit over time.
As to cost: It’s been called “dogmatic” to say, but it’s incontrovertible that modifying encryption systems to allow third-party access reduces the security of those systems. Proposals for opening encrypted systems to third-party access vary, but the common questions include: Who should hold decryption keys — the government, the company providing the service, or both? And what rules and processes should dictate their use? Third parties can lose control of decryption keys or suffer corruption and mismanagement. These risks simply don’t exist when keys are held only by the parties to a communication.
Is it worth embracing those risks so that law enforcement might have some more material to use in its investigatory work? The scale of today’s technology systems makes the law enforcement case very hard. Simply put, the vast, vast majority of technology users are law-abiding. Weakening the systems they use exposes them to risks of loss and harm that are almost always going to be greater than the risks and harms prevented or punished by such weakening.
A real-world analogy might help illustrate: If Congress required every American home to be retrofitted with a special door for law enforcement access, would it make us safer? Regulations could say that the door itself, the hinges, and the frame are supposed to be of a required strength. Keys to the door could be stored at police agencies or town halls according to sharply prescribed rules. Rules about access to the keys could be equally rigid. But every American’s home would still have an additional opening that could be compromised in a variety of ways.
Economists summarize the action of markets using things such as supply and demand curves. Millions of actors making billions of economic decisions become one or two lines on a graph. Security also involves millions of actors making decisions about millions of different problems. To name just a few security techniques: refrigerating food, patching roofs, taking antibiotics, wearing seat belts, posting armed guards, and encrypting communications.
To think about amending security systems in gross, imagine that the status quo in security measures — everything listed above and much more — were depicted spatially as an area on a two-dimensional grid. Let’s say every one of the 330 million people in the United States had one square foot of security. That would be 330,000,000 square feet of total security.
Now, to protect victims of acute crimes and punish wrongdoers, a rule is made that lowers the security of the general population by just 1/32 of an inch on each side of that square foot. Just as adding a door to a house reduces security by a small margin, reducing the quality of the encryption systems everyone uses to facilitate law enforcement access reduces everyone’s security. If everyone’s square of security is 11 and 31/32 inches on a side, that’s about 328,283,488 square feet of security in total — about 1.7 million fewer square feet of security society-wide. It’s the equivalent of bringing the security of 1.7 million people to zero.
There might be a few real deaths from such a policy, but the statistical ones would mostly manifest themselves across a large swath of the population as identity frauds and other scams, stolen data, lost business opportunities, forgone communications, altered or destroyed medical records, money spent mitigating data loss, and manifold other reductions in welfare. Such costs would include unwanted access to business and political leaders’ otherwise private communications, threatening the national and economic security interests that people advocating against good encryption often claim to defend. If the cost of our rule against strong encryption is a reduction of each person’s square foot of security by 1/32 of an inch on each side, it has to do the statistical equivalent of saving 1.7 million people from death to be a winner for society. Weakening the encryption used by everybody has to save a HUGE number of exploited children or stop a LOT of terrorism to be cost justified.
The theoretical reduction in security from lower-quality encryption may be smaller than 1/32 of an inch on a square-foot grid. But the affected community is actually much larger than the population of the United States. It numbers in the billions. The vast majority of encryption users worldwide are law-abiding, honest citizens of their respective countries, just like most Americans. Lowering the security of all is very costly, even if that results in greater security for a small number of highly sympathetic people against highly repugnant crimes.
What is illustrated here is a methodology, better than the somewhat hashed analytical framework offered by Attorney General William Barr back in July, for weighing the costs and necessary benefits of weakening encryption. Balancing the interests at stake in a debate like this is always difficult. But our sympathies for the victims of crime and appreciation of the work of law enforcement should not obscure what I think a sound methodology reveals: Weakened encryption is bad security.
This article by Jim Harper first appeared at the American Enterprise Institute.