Feb 212018

National Academy of Sciences Encryption Study

Christopher Fonzone
, , ,

Few would describe 2017 as a quiet year.  But it actually was a period of relative calm with respect to at least one important topic.  After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year.  The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. 

Soon after 2018 began, however, signs started emerging to suggest that this year might be different.  FBI Director Christopher Wray kicked off the New Year with a high-profile speech in which he emphasized how, because of the increased use of encryption technologies, law enforcement officials are frequently unable to access device content even when they have lawful authority to do so.  Wray further argued that, while the FBI “supports information security measures, including strong encryption[,] . . . . information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”  Then, less than two weeks after Wray’s remarks, Congress passed the FISA Amendments Reauthorization Act of 2017, which required the Attorney General (in coordination with the Director of National Intelligence) to report back to Congress before the end of the year on certain challenges to the effectiveness of foreign intelligence surveillance – with one of the specifically enumerated challenges being “the use of encryption.”  Given these signs, it’s not hard to see encryption being a hot topic again in the coming months.

Which makes all the more welcome last week’s issuance of the long-awaited National Academy of Sciences study, “Decrypting the Encryption Debate:  A Framework for Decision Makers.”  The report, a product of a year and a half of work by a “diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines,” is not intended to solve or take sides in the encryption debates.  Rather, the stated purpose of the report is solely to “examine the tradeoffs associated with mechanisms to provide authorized government agencies with access to the plaintext version of encrypted information” (page xi).  To do so, the report “describe[s] the context in which decisions about such mechanisms would be made and identif[ies] and characterize[s] possible mechanisms and alternative means of obtaining information sought by the government for law enforcement or intelligence investigations” (page xi).  The report also “seek[s] to find ways to measure or otherwise characterize risks so that they could be weighed against the potential law enforcement or intelligence benefits,” with an ultimate goal of “provid[ing] an authoritative analysis of options and trade-offs” (page xi).

It’s likely that those on either side of the encryption debate may take issue with certain elements of the NAS report.  (See, e.g., here.)  But it’s unlikely that anyone would discount the report as a good faith attempt to, as the Chair and Director of the study have recently written, “help decision makers reach rational decisions but also to help them appreciate the broad ramifications of those decisions and to tailor those decisions to reduce unintended consequences whenever possible.”

To that end, the study, among other things, highlights (in section 2.3) that “encryption” is not a monolithic thing, as it actually has a number of different applications that present different trade-offs and questions (e.g., device locking, secure messaging, etc.); notes (in section 2.4) the relevance of the expanding cyber threat to be debate; explains (in section 3) how encryption can protect privacy and civil liberties; discusses (in section 4) how encryption affects the information needs of law enforcement and the Intelligence Community, with an interesting discussion of potential alternative sources of information (e.g. metadata; new sources, such as the Internet of Things); and catalogues (in sections 5 and 6) the potential options going forward and international dimensions of the issue.  A constant theme throughout the report is the need for better data about, for example, “the impact of encryption on investigations” and “the deliberate use of encryption by criminals,” as well as the difficulty of quantifying “key factors such as the additional security risks of adding exceptional access to encryption systems” (page 2).

The study’s ultimate contribution to the encryption debate is a framework (laid out in section 7) designed “not simply to help policymakers determine whether a particular approach is optimal or desirable, but also to help ensure that any approach that policymakers might pursue is implemented in a way that maximizes its effectiveness while minimizing harmful side effects.”  This framework consists of the following set of questions:

  1. To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
  2. To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
  3. To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
  4. To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
  5. To what extent will financial costs be imposed by the proposed approach, and who will bear them?
  6. To what extent is the proposed approach consistent with existing law and other government priorities?
  7. To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
  8. To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?

In the end, the study makes clear that there “is no silver bullet in the encryption debate,” because the debate at its core is about a fundamental trade-off:  “adding an exceptional access capability to encryption schemes necessarily weakens their security to some degree, while the absence of an exceptional access mechanism necessarily hampers government investigations to some degree” (page 3).  Nonetheless, the study is well worth a read, not least as preparation for participating in the encryption debates that signs suggest may pick up again soon.

Christopher Fonzone

cfonzone@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).