User Encryption on Personal Devices: Perspectives
Transmittal Letter 1
We are pleased to publish this report, The Future of Encryption. This report addresses the challenges in developing legislation for encryption, and provides recommendations for legislative solutions. In recent years, encryption, the Internet, and personal computers increasingly have taken on essential financial and social roles in the world. With new threats from terrorism and organized crime, law enforcement has again raised the challenges they face with encryption. Moving forward, it is imperative that we make decisions on how to regulate encryption that consider both the challenges faced by law enforcement and the economic and social importance of encryption.
The issue of encryption and its effects on law enforcement has been raised by Apple’s and Google’s moves to increase the strength of encryption within their mobile devices. Law enforcement argues the need for companies to provide access to encrypted data. Law enforcement fears an increase in encrypted phones and articles will outstrip their capacity to perform timely investigations. However, companies and industry professionals argue for the need to maintain high security standards to protect users from cyber-attacks. Events like the attacks in Paris in November 2015, which were organized through encrypted channels, illustrate the growing importance of striking this balance.
The courts cannot force a witness or defendant to surrender an encryption key or password due to rights to self-incrimination. We recommend that policy focuses on technical solutions to the problem, particularly those that maintain strong encryption standards.
Some suggest enhancing law enforcement’s access through encryption backdoors, giving the government the capability to bypass encryption. However, backdoors risk allowing malicious actors to damage critical economic infrastructure and steal closely guarded trade secrets. Due to the infeasibility of backdoors, we recommend not only that the government seek alternative solutions to the encryption issue, but also ban the presence of backdoors in any U.S. encryption. Congress should mandate that companies must provide metadata for law enforcement when presented with a subpoena, and companies should receive financial incentives to cooperate swiftly. As always, funding for further research into encryption and cyber-security will allow the United States to address the threats we face today, while also enabling us to remain world leaders in finance and information technology.
The students of The University of Texas at Austin are grateful for the opportunity to serve the country and hope that anyone who reads this report finds our analysis useful.
Transmittal Letter 2
We are pleased to report on the controversial issue of phone encryption. Citizens are increasingly dependent on technology and have large amounts of sensitive data stored in phones, laptops, and databases. Technology has become both the main form of communication and the primary way to maintain records. It is the responsibility of both technology companies and the federal government to keep citizens’ information safe and private. However, it is law enforcement’s duty to protect its citizens, which requires the extraction of information through due process. These two perspectives have caused a deadlock amongst technology companies, citizens, and law enforcement. In the past several years, the public focus on terrorism and the exponential growth of technology has made the issue of encryption urgent. To make progress on the issue of encryption, government action is needed.
In the following report, we provide information detailing historical precedents, existing laws and processes, technical details of proposed encryption solutions, and potential policy options. Our report is informed by experts on the topic from the tech industry and law enforcement. Despite the popularity of a blanket ban on encryption amongst members of law enforcement and the political community, our committee strongly urges against any unilateral legislature without consent or acknowledgement from the technology community, as they are the both those most affected by legislature and those with the expertise to implement any technical solution. Action must be taken in tandem with the industry to devise a safe and reliable method, scheme, or law that all parties can agree with.
Main Text of Report
Policy Recommendations 1
We write to provide policy recommendations towards the resolution of the encryption issue. Encryption has come to the fore of public discussion due to recent cybercrime and terrorist attacks. Law enforcement officials are concerned that their inability to access encrypted communications or data dampens their ability to keep the public safe, but many feel that increasing government powers of surveillance threatens freedom and privacy. Some proposed solutions suggest weakening encryption or adding backdoors, but security experts have rejected these as dangerous and costly. Instead, we recommend legislation that strikes a reasonable compromise between cybersecurity and privacy, as outlined below.
First, we agree with security experts’ and researchers’ assertions that mandating backdoors to encryption is dangerous and impractical. We believe that Congress should introduce a ban on any legislation that requires a backdoor to encrypted content. By “content”, we are referring to the substantive body of communicated or stored information, as opposed to metadata, which is information describing or identifying “content.” In order to aid law enforcement in keeping the public safe, Congress should mandate that any company be able to provide access to metadata when presented a subpoena or search warrant.This stance elevates the people’s desire for privacy, while maintaining the ability of law enforcement to extract some amount of information and protect the public. Furthermore, it does not endanger sensitive ecommerce, such as financial transactions, since the data itself is protected.
Second, to incentivize technology vendors’ swift and full compliance with the metadata mandate, we recommend a tax credit program for companies whose cooperation leads to convictions or the prevention of attacks to the homeland. These credits could assist companies who have delayed repatriating foreign profits, and ensure that they have motivation to implement the mandate in a way that will be useful to law enforcement. Measuring a company’s conviction rate will also provide us with a meaningful way to assess the effectiveness of the mandate.
Finally, we recommend that you pass legislation to provide grants for law enforcement agencies to update technology and hire or train skilled security experts. These grants would be provided to any local agency that can provide a plan to use the funds to meet the challenges posed by modern adversaries. For example, several counties might propose to combine forces and funds to form an advanced cybercrime unit. These agencies will be better able to execute warrants against technologically sophisticated criminals. Furthermore, an improvement in the effectiveness of local agencies would both increase convictions and relieve the tremendous demands currently placed on the FBI.
If Congress does not set a clear balance between privacy and the national interest now, law enforcement efforts will be slowly suffocated by their inability to access critical information, and the public mistrust of the government will continue. The outlined recommendations present a feasible resolution to these problems, a resolution that makes society both freer and safer.
Policy Recommendations 2
The Administration should seek bipartisan support for legislation that would accomplish the following:
- Offer financial and other incentives to skilled computer scientists and other technical experts to enter careers in law enforcement. Incentives could include additional government funding to law enforcement and student loan forgiveness to tech workers hired into law enforcement.
- Create public-private partnerships with the purpose of regularizing and streamlining cooperation between law enforcement entities and industry.
- Appropriate funds to local, state, and federal law enforcement agencies to be used for technological upgrades.
Law enforcement agencies should ensure that satisfying career paths are available to tech workers.
Congress should pass legislation requiring certain types of metadata regarding encrypted data to be accessible without breaking encryption. Precedent already permits law enforcement to access certain types of metadata without violating prohibitions on self-incrimination, so the intent of this recommendation is to solidify this precedent rather than create a new one. Rather than forcing industry to create backdoor solutions, policy should require industry to leave certain useful bits of information unencrypted.
Civil liberties organizations should continue to encourage the courts to support the right of all citizens to freely use any cryptographic protocols or software of their choosing in their capacity as private citizens. This should not affect employees of private corporations or the government in their capacity as an employee. Congress should strive to enshrine, in the strongest manner possible, this fundamental right to cryptography, either as a reading of existing law or a new piece of legislation.
The Department of Justice should work with industry and legal experts to establish clear guidelines regarding complex data privacy issues. The United States is the foremost country in the world in terms of technology development, and thus sets precedent for how these technologies should be governed. Complex issues, such as jurisdiction over data held in overseas servers by domestic multinational corporations, have arisen due to the increasingly complex nature of technology. The Administration should establish clear and uniform standards with which to deal with these issues in a way consistent with proposals discussed above in order to avoid ambiguity in the handling of these data privacy issues, which may hinder law enforcement’s ability to use data to prosecute crime and allow for the breach of citizens’ right to privacy. This course of action should be completed on a prompt, but realistic timeline (12–18 months) that allows for thorough deliberation on these issues.