Why Decryption Legislation Is a Bad Idea
Proposal Would Infringe on Americans' Right to Privacy, and Set a Bad Example
Draft legislation offered by the leaders of the Senate Intelligence Committee has a commendable goal: furnish law enforcement and intelligence agencies with critical information to keep America safe from terrorists and criminals.
The Compliance with Court Orders Act of 2016 would compel technology providers to turn over their customers' information, when they receive a court order, and aid law enforcement and intelligence agencies in decrypting data when necessary.
One catalyst for the legislation is Apple's recent battle with the FBI, which obtained a court order to compel the tech giant to unlock the iPhone of one of the shooters in the San Bernardino massacre. Apple strongly resisted the order, and the FBI ultimately backed off after it got outside help cracking the phone (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).
"Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order," says the bill's co-sponsor Sen. Dianne Feinstein, the California Democrat who's vice chair of the intelligence panel. "We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."
Feinstein's motives, as well as those of her co-sponsor, Intelligence Committee Chairman Richard Burr, R-N.C., are admirable but misplaced. Their legislation, in the long run, would do more harm than good.
Protecting America's Core Values
Sen. Ron Wyden, D-Ore., the most vocal opponent of legislation to weaken encryption, sounds an important alarm: "This bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world."
Enactment of the Compliance with Court Orders Act, or similar legislation, would diminish America's standing as a moral leader in the world, a nation looked up to by billions of people, even with our many flaws. Our fundamental democratic values of liberty, equality and justice are respected worldwide. The proposed legislation would devalue those principles and diminish our reputation.
U.S. authorities rightly have been criticized for numerous unscrupulous acts, such as the National Security Agency and other intelligence services illicitly spying on American citizens or police maltreatment of criminal suspects and innocent bystanders.
Nevertheless, the right to privacy remains a core American value.
The Compliance with Court Orders Act would erode the right to privacy and give other nations an excuse to adopt similar laws and practices that deprive their citizens of basic human rights. They might do so even without Congress enacting the proposed legislation, but why encourage them? We should not lose the moral high ground.
Flawed Legislation
There is another reason why the Compliance with Court Orders Act is bad legislation, a point often repeated during the battle between Apple and the FBI over cracking the iPhone used by the San Bernardino shooter: Providing backdoors to law enforcement creates opportunities for others - including criminals and terrorists - to employ those exploits (see FBI-Apple Aftermath: Finding the Elusive Compromise). "This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals," Wyden says.
Encryption, and other safeguards, protect the security and privacy of individuals, and Congress shouldn't weaken those protections. It's an idea that even the bill's sponsors understand. "I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information - which involves strong encryption," Burr says. But he qualifies his statement by expressing a firmly held belief that no technology should be above the law.
Meaningful, Inclusive Debate
Burr says he hopes that circulating the draft legislation will spur a meaningful and inclusive debate on the role of encryption and its place within the rule of law. That conversation has been around for a while, and the reality is that once you give police an encryption workaround, it will become available to everyone. "You can't have a world where the good guys spy and the bad guys can't," says noted cryptographer and cybersecurity author Bruce Schneier.
The conversation must shift to a new focus on how government and industry can collaborate to identify other tools to help get the goods on criminals and terrorists without sacrificing the privacy and civil liberties of American citizens (see Creating a Framework for a Security-Privacy Dialogue).