Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2015. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. In this post, the encryption debate.
Lincoln Davidson is a research associate for Asia Studies at the Council on Foreign Relations. You can follow him on Twitter @.
The debate over encryption—whether tech companies should be required to maintain the ability to decrypt communications pursuant to a lawful government request—dragged on throughout 2015. The year started with a bang, as evidence was released suggesting that the National Security Agency had the ability to break certain virtual private network protocols and it had access to the encryption keys that major telecommunications providers use to encrypt network traffic. It ended with the debate back in the spotlight, as politicians mulled the need to weaken encryption in the wake of terrorist attacks in Paris and San Bernardino, California. (For a solid recap of what’s what in encryption, see this FAQ published by ProPublica.)
The format of this debate has become almost ritualized. Something bad happens. Politicians, law enforcement agents, and intelligence officials claim that encryption helped enable the bad thing or prevented them from stopping the bad thing. Privacy advocates, security researchers, and representatives of the tech industry respond that there was no evidence that was the case, and that weakening encryption would be even worse than the bad thing. The debate then dies down for a bit, nothing having been accomplished. Rinse, repeat.
In 2015 we heard from United Kingdom Prime Minister David Cameron; French Prime Minister Manuel Valls; telecommunications regulators in India and Pakistan; government attorneys and police officials in New York City, Paris, London, and Spain; NSA Director Michael Rogers; Senators Dianne Feinstein (D-CA) and John McCain (R-AZ); and presidential candidates Jeb Bush, Hillary Clinton, John Kasich, and George Pataki all arguing for some form of government access to encrypted communications.
None of them can match FBI Director James Comey, however, who’s long been one of the most outspoken U.S. government officials in the encryption debate. Comey is particularly opposed to end-to-end encryption, such as that offered by Apple’s iMessage, saying that “use of encryption is part of terrorist tradecraft now.” Testifying to Congress in early December, for the first time Comey gave a specific example of encryption getting in the way of a federal investigation: a shooter exchanged 109 encrypted messages with an “overseas terrorist” before shooting a security guard at an anti-Islam event in Garland, Texas earlier this year. Comey said he found it “depressing” that tech industry leaders support encryption and fail to acknowledge that there are “societal costs to universal encryption,” and called for companies to reconsider their “business model.”
This “business model” has a lot of support, however, and not just from the tech industry. In the past year alone, strong encryption has garnered public support from the usual suspects in the tech sector such as the Information Technology Industry Council and Apple CEO Tim Cook (who also spoke to 60 Minutes on the topic), but also from former NSA and CIA Director Michael Hayden, former Secretary of Homeland Security Michael Chertoff, and former NSA Director Mike McConnell. In May, more than a hundred civil society organizations, tech companies, and security experts signed an open letter urging President Obama to develop “policies that will promote rather than undermine the wide adoption of strong encryption technology.”
For a while, it seemed as if these voices had won. A National Security Council memo leaked in September suggested the president was leaning towards advocating strong encryption. In October, administration officials said they had decided not to seek a legislative challenge to end-to-end encryption for the time being. But then came the terrorist attacks in Paris and San Bernardino, and a debate that had looked like it was almost settled flared back up.
The debate seems ultimately futile. Both sides keep repeating the same talking points and talking past each other. This isn’t terribly surprising, though. The talking points aren’t just the same as they were a year ago; they haven’t changed much in twenty years. The arguments of today’s advocates of “backdoors” and “golden keys” are the same as the arguments that were deployed in the 1990s in support of the Clipper chip. In both cases, advocates for increased government access to private communications pick whatever threat seems the scariest and resonates best with the public, and argue that encryption makes the threat that much scarier. In the mid-90s, the threat bandied about the most was drug dealers; today, it’s terrorists.
Looking ahead to 2016, we can expect the encryption debate to continue. In the wake of the San Bernardino attack, as Americans’ fear of terrorism shoots to the highest point in ten years, there will be plentiful opportunities for more anti-encryption proposals. If any evidence comes out that the San Bernardino attackers used encryption, you can be sure that legislators will be quick to act in response. Until then, the encryption debate will drone on.