Is It Time to Ban End-To-End Encryption?
Bad for privacy, but good for catching the bad guys.
Recently some of my AEI colleagues argued that “strong encryption is crucial to both Americans’ personal security and US national security.” They critiqued the Department of Justice’s (DOJ) renewed push for lawful access to encrypted products and services. But a closer look shows that so-called 256-bit “strong” encryption, while valuable and important in certain cases, plays a minor role in cybersecurity. Encryption’s downside, however, is that it makes the communications of gang murderers, drug traffickers, terrorists, and child sexual abusers inaccessible to law enforcement.
There is no single solution to privacy or security
In July, Attorney General Barr observed in a keynote address on cybersecurity that he was “not endorsing any particular solution” and asked America’s tech industry to “turn their considerable talent and ingenuity to developing products that will reconcile good cybersecurity to the imperative of public safety and national security.” Barr referenced virtual alligator clips, exceptional access keys, and layered cryptographic envelopes as examples of possible solutions. The field of homomorphic encryption holds promise in the ability to process components of encrypted data without revealing users’ identity.
It is understandable why information technology companies smarting from a privacy backlash now market end-to-end encryption. They have lost the trust of many users, and many users distrust government, an issue not helped by the Snowden scandal or ongoing partisan battles to politicize law enforcement. Google, Apple, Facebook, Verizon, Comcast, Twitter, and Microsoft, among others, publish annual transparency reports about law enforcement requests for user data globally. The Chinese firms Baidu, Tencent, Alibaba, and ByteDance (owner of TikTok) do not publish transparency reports. Indeed Facebook, with some of the world’s most robust encryption capabilities, could not protect its users from the Chinese government, so it doesn’t operate its services in the country.
However, tech companies’ moves to encryption are not entirely altruistic, as many companies collect relevant data for advertising before and after the encryption process. Indeed, the DNS over HTTPS protocol (DOH) actually siphons data away from users’ pre-defined privacy enhancing tools. Policymakers should recognize that there are a variety of privacy and security technologies and encourage their further development.
The emergence of law-free zones
Attorney General Barr noted that “warrant proof” encryption is creating law-free zones where criminal activity is exploding in part because these communications can’t be accessed by law enforcement. Mexican drug cartels use encryption technologies to coordinate murders and traffic fentanyl. ISIS uses them to plan terror attacks. Sexual predators use them to distribute unspeakable violations of children.
In a searing expose this fall, the New York Times described an exponential increase of child sexual abuse online including the doubling of photos and videos of sexual abuse of children, flagged at 45 million pieces of content last year. It notes the problem has escalated with new technologies and associated lowered inhibitions that increase the ease and speed of content creation, such as the internet itself, smartphone cameras, cloud storage, and online sharing platforms — all facilitated with virtual private networks, encryption, and “dark web” outlets. While encryption protects the privacy of the perpetrators and consumers of the illicit material, it does not protect the privacy of hundreds of thousands of abused American infants and children whose images proliferate across the web. The National Center for Missing and Exploited Children (NCMEC), which runs the CyberTipline, has collected 55 million reports of child sexual abuse in the last 20 years (18 million in 2018 alone). They rely on hashing, PhotoDNA, artificial intelligence, and other technologies to find, remove, and report abuse. NCMEC notes that end-to-end encryption would render these tools useless and likely cut reporting in half.
There is plenty of blame to go around in what has become a crisis. Some blame the federal government for neglecting the problem and failing to provide adequate funding. Six Senators blame tech companies for failing “to take meaningful stepsto stem the tide of child exploitation online,” as noted in a recent letter to 36 firms requesting more information on how they identify, prevent, and report the problem. Law enforcement, overwhelmed with the scale of the problem, is nevertheless criticized for making too many broad requests, but is also operating under constraints including mandates written before the digital age.
The need for balance
Distrust of the administrative state is as old as America itself, but the difference between the US and other countries is that our legal tradition to protect individual privacy is more than 200 years old and is bolstered by the rule of law. Individuals would not have safety or privacy if the Constitution did not prescribe a role for defense and law enforcement. The government can search correspondence under the Fourth Amendment — provided it has a warrant and probable cause — but even with these in hand, encryption is making it impossible for law enforcement to access relevant data, stop crimes in process, and obtain evidence necessary for prosecuting criminals. The DOJ is focused on ensuring access to messaging, smartphones, e-mail, and voice and data applications, not on bypassing customized encryption used by large business enterprises to protect their operations.
Individual privacy is a highly prized American value, but it is not absolute, and historically has been balanced with the public’s right to know. In Europe, data absolutism enables privacy perversions so murderers can erase their records and corrupt politicians can delete negative articles written about them. Sadly, this absolutism has infiltrated the US in the form of the forthcoming California Consumer Privacy Act which mandates that companies purchase the expertise and software to enable such deletions at a reported cost of $70 billion with only $5 billion in consumer benefit. To paraphrase my former AEI colleague Gus Hurwitz, “end to end encryption is politics, not privacy.”
This article by Roslyn Layton first appeared in 2019 on the AEI Ideas blog.