Aug 15, 2018

Is the War Between Encryption and Law Enforcement Overblown?

As more of our conversations are digitized, problems surrounding law enforcement access to secure messages have become more salient. Officials argue that the same techniques that keep us safe online are preventing them from catching criminals. On the other hand, technologists and civil liberties advocates fear the security and surveillance risks that unfettered access to digital communications would present.

But what if the debate over whether engineers should break encryption to facilitate government access to data misses the mark on the relationship between law enforcement and technology? According to a new report, some of the biggest problems with digital evidence may be far less exotic.

Some researchers with the Center for Strategic and International Studies recently conducted a survey and series of interviews with law enforcement authorities, digital service providers, and civil society representatives across multiple levels of jurisdiction. Their verdict? The officials working in the trenches to examine digital evidence often don’t know where to access the data relevant to their investigations in the first place. When they do know how to access the data, they don’t know what tools to use to analyze it.

For example, let’s say that a municipal law enforcement office needs information on where a suspect was on the night of a crime. They’ve procured all of the necessary warrants, but don’t know where to go to actually get the data. What service provider did the suspect use? Once investigators figure out the right provider, how should they go about asking for the data? How narrow or broad can their query be? Will the data be returned in a readable, easy-to-analyze format, or will advanced analysis be needed? Did the suspect have any unknown devices or wearables? What kinds of equipment will be needed to analyze them? Does the department have adequate technical personnel who can navigate the maze of technological and legal barriers involved in handling digital evidence?

Apparently, there is a wide gulf between what law enforcement can legally do with data and what they are actually able to do. Thus, the authors conclude that there is still digital low-hanging fruit that could considerably modernize law enforcement investigatory processes. Law enforcement agencies just need the right resources, training, and communication. Of course, this kind of inter-jurisdictional coordination is often easier described than done.

We are living in a veritable ocean of accessible digital data, and much of it is not encrypted.

Share this

There are some caveats. The report specifically analyzes instances where law enforcement agencies are legally able to access digital data with a warrant, thereby avoiding thorny legal debates over privacy and national security. And the authors take pains to point out that the results of their study are in no way a substitute or solution for the ongoing debates over encryption and access. Still, the study illustrates just how much some of the popular discussion over the “Crypto Wars” misses the forest for the trees.

The argument that encryption routinely prevents law enforcement from carrying out justice is puzzling. We are living in a veritable ocean of accessible digital data, and much of it is not encrypted. Indeed, security researchers often bemoan just how vulnerable people’s trail of unencrypted data actually is!

An earlier report from the Berkman Center for Internet and Society made precisely this argument in 2016. Penned by some of the leading thinkers in cryptography and technology law, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate” points out that we are far from living in a “darkened” online environment where the majority of data transmissions are simply unavailable to authorities. Rather, there are only a few pockets of “darkness,” while a good bulk of online communication is still accessible. Furthermore, they point out that there are structural impediments that make universal encryption quite unlikely, at least in the near future.

High-profile tragedies involving encrypted devices, like the 2015 terrorist attack in San Bernardino, understandably shine a spotlight on security technologies. There seems to be a straightforward trade-off between privacy and security. It might seem that if we want to be more secure and nab the bad guys, undermining our privacy is a necessary evil. But in the case of encryption, this familiar trope doesn’t work. Undermining encryption technologies actually undermines security for everyone. There is no trade off, only two negatives.

In the case of the San Bernardino attack, an outside vendor was eventually able to unlock the suspect’s iPhone without compelling Apple engineers to break their security techniques. But maybe this will not always be the case. The difficult question of what to do in these rare situations is probably a long way from being solved.

But these situations are fortunately far from common, and (according to the CSIS report) are hardly the only technology issue facing law enforcement. Focusing on bridging the gap between authorities’ lawful opportunities and their technical prowess may do a lot of good in the short term to further the cause of justice.


Support Mercatus

Your support allows us to continue bridging the gap between academic ideas and real-world policy solutions.Donate