National Academy of Sciences Encryption Study

Few would describe 2017 as a quiet year.  But it actually was a period of relative calm with respect to at least one important topic.  After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year.  The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. 

Soon after 2018 began, however, signs started emerging to suggest that this year might be different.  FBI Director Christopher Wray kicked off the New Year with a high-profile speech in which he emphasized how, because of the increased use of encryption technologies, law enforcement officials are frequently unable to access device content even when they have lawful authority to do so.  Wray further argued that, while the FBI “supports information security measures, including strong encryption[,] . . . . information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”  Then, less than two weeks after Wray’s remarks, Congress passed the FISA Amendments Reauthorization Act of 2017, which required the Attorney General (in coordination with the Director of National Intelligence) to report back to Congress before the end of the year on certain challenges to the effectiveness of foreign intelligence surveillance – with one of the specifically enumerated challenges being “the use of encryption.”  Given these signs, it’s not hard to see encryption being a hot topic again in the coming months.

Which makes all the more welcome last week’s issuance of the long-awaited National Academy of Sciences study, “Decrypting the Encryption Debate:  A Framework for Decision Makers.”  The report, a product of a year and a half of work by a “diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines,” is not intended to solve or take sides in the encryption debates.  Rather, the stated purpose of the report is solely to “examine the tradeoffs associated with mechanisms to provide authorized government agencies with access to the plaintext version of encrypted information” (page xi).  To do so, the report “describe[s] the context in which decisions about such mechanisms would be made and identif[ies] and characterize[s] possible mechanisms and alternative means of obtaining information sought by the government for law enforcement or intelligence investigations” (page xi).  The report also “seek[s] to find ways to measure or otherwise characterize risks so that they could be weighed against the potential law enforcement or intelligence benefits,” with an ultimate goal of “provid[ing] an authoritative analysis of options and trade-offs” (page xi).

It’s likely that those on either side of the encryption debate may take issue with certain elements of the NAS report.  (See, e.g., here.)  But it’s unlikely that anyone would discount the report as a good faith attempt to, as the Chair and Director of the study have recently written, “help decision makers reach rational decisions but also to help them appreciate the broad ramifications of those decisions and to tailor those decisions to reduce unintended consequences whenever possible.”

To that end, the study, among other things, highlights (in section 2.3) that “encryption” is not a monolithic thing, as it actually has a number of different applications that present different trade-offs and questions (e.g., device locking, secure messaging, etc.); notes (in section 2.4) the relevance of the expanding cyber threat to be debate; explains (in section 3) how encryption can protect privacy and civil liberties; discusses (in section 4) how encryption affects the information needs of law enforcement and the Intelligence Community, with an interesting discussion of potential alternative sources of information (e.g. metadata; new sources, such as the Internet of Things); and catalogues (in sections 5 and 6) the potential options going forward and international dimensions of the issue.  A constant theme throughout the report is the need for better data about, for example, “the impact of encryption on investigations” and “the deliberate use of encryption by criminals,” as well as the difficulty of quantifying “key factors such as the additional security risks of adding exceptional access to encryption systems” (page 2).

The study’s ultimate contribution to the encryption debate is a framework (laid out in section 7) designed “not simply to help policymakers determine whether a particular approach is optimal or desirable, but also to help ensure that any approach that policymakers might pursue is implemented in a way that maximizes its effectiveness while minimizing harmful side effects.”  This framework consists of the following set of questions:

  1. To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
  2. To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
  3. To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
  4. To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
  5. To what extent will financial costs be imposed by the proposed approach, and who will bear them?
  6. To what extent is the proposed approach consistent with existing law and other government priorities?
  7. To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
  8. To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?

In the end, the study makes clear that there “is no silver bullet in the encryption debate,” because the debate at its core is about a fundamental trade-off:  “adding an exceptional access capability to encryption schemes necessarily weakens their security to some degree, while the absence of an exceptional access mechanism necessarily hampers government investigations to some degree” (page 3).  Nonetheless, the study is well worth a read, not least as preparation for participating in the encryption debates that signs suggest may pick up again soon.