Both business and government organizations routinely protect information by encrypting data. Encryption is also used to protect information from the prying eyes of competitors and foreign governments, becoming an important and indispensable tool for citizens, corporations, and governments alike. Without it, the Internet economy would grind to a halt and the civil liberties and freedom of expression for individuals could be in jeopardy. There is, of course, a flip side to this issue: law enforcement agencies may be hampered in acquiring plaintext evidence during investigations if the material has been encrypted. There have been some efforts by legislators to try to address this issue, but most have been unsuccessful, largely as a result of a lack of understanding of the technology and the issues involved. As the 12th-century King Canute found with his apocryphal attempt to stop the incoming tide, simply issuing a directive will not necessarily achieve the desired goal.
This report, authored by a National Academies of Sciences, Engineering, and Medicine committee, is an attempt to provide assistance to legislators and lawmakers in formulating policy to successfully balance the requirements for privacy with the needs of law enforcement. After some material introducing the National Academies (a collaborative group of US nonprofit, nongovernmental organizations) and the committee, a preface by the committee chair defines the scope and goal of the report. There is also a well-written and concise executive summary of the issues and report findings.
The first chapter introduces the uses of encryption and the problems it creates for law enforcement. It discusses historical attempts to control encryption, along with the impact of technological change on encryption’s widespread use. It covers the basic issues and several perspectives on the debate and use of encryption. It presents the basic layout of the report, along with several broad options available to governments for securing plaintext access to encrypted information for law enforcement and intelligence investigations.
Chapter 2 looks at the history of encryption and details its many uses in today’s world. It discusses applications such as the ubiquitous public-key cryptography that secures web browsing and the protection of corporate communications, intellectual property, and financial data. The default protection of mobile data and devices to ensure the privacy of users is seen as a particular issue in the debate, as is the ongoing battle to protect against cyberattacks by criminals and hostile foreign groups.
Chapter 3 discusses the role of encryption in protecting the privacy and civil liberties of citizens, particularly for people living in countries without a tradition of democratic freedoms and rule of law. Chapter 4 then considers the other side, discussing the need of law enforcement and national intelligence organizations to access communications to protect the freedoms and rights of citizens, as well as investigate criminal and espionage activity. It also discusses the impediments created by encryption, as well as the additional information that new technologies can now deliver to support investigations.
Chapter 5 looks at options available for accessing plaintext, including the legal and legislative framework required for the disclosure of encryption keys and passcodes. It discusses the concept of “compelled assistance” from third parties, key escrow, and other technical considerations.
The discussion up to this point focuses primarily on the domestic US context. Chapter 6 looks at complications arising from the international reach of the Internet and the limitations of geographical jurisdiction, noting that domestic legislation would be largely toothless without international cooperation, which is not the global norm. The committee notes that as encryption technologies are developed globally, there are limits to what can be achieved with domestic regulation. There is also the impact of domestic regulation, particularly attempts to weaken encryption products, on the marketing of US encryption technologies and services in a competitive international market. Chapter 7 concludes the work by presenting a framework for legislators and lawmakers to consider when developing approaches to gain access to encrypted information. The framework is based around eight questions that the committee presents for consideration.
This is an interesting discussion on an important and topical issue. The report highlights the constraints placed on lawmakers by what is technically possible and by the geographical reach of jurisdiction. However, it also discusses the benefits for investigators that arise by virtue of new technologies. Highlighted is the fact that success is heavily dependent on international cooperation. If one country unilaterally enacts legislation covering encryption developers, potential users would simply seek solutions from elsewhere. Quite a good overview of the report can be obtained by simply reading the summary chapter at the beginning and the several highlighted boxes throughout the text. Considering this report is the product of a committee (with all of the puns that spring to mind), it is readable, clear, and easy to understand.