In the wake of last week’s horrific terrorist attacks in Paris, U.S. law enforcement officials are predictably calling for wider ranging changes to electronic surveillance laws, including limitations on data encryption technologies, which can keep messages, conversations, and other digital exchanges undetected or undecipherable. This despite the fact that, so far at least, there is no evidence that encrypted information played any part — let alone a leading role — in the terrorist acts.
I say predictable because, for the two decades I have been closely following the so-called “privacy crisis,” both civil liberties advocates and law enforcement agencies have become masters at igniting public outrage to advance their respective causes, playing up dramatic news events that often have little or nothing to do with technology.
Whether it’s the disclosures by Edward Snowden and others of unlawful intelligence-gathering practices or the latest hack of a commercial enterprise that exposes consumer information, the most extreme elements on both sides are always there to claim the moral high ground and accordingly demand more or less protection.
Last week’s attack has unleashed the full range of hyperbole, with law enforcement officials arguing that encryption is largely to blame for the failure to prevent the violence, and privacy advocates insisting that regardless of how the terrorists communicated with each other, technology regulation should play no part in the solution.
Here’s my unpopular view: both sides are wrong, and they know it.
First, some context. The encryption fight is just one battlefront in an old and frustrating war over privacy, perhaps the most complicated issue at the intersection of technology and the law. Agreements are hard to reach, because, as I wrote in my 2009 book, “The Laws of Disruption,” the collection and use of personal information in the digital age “evokes an emotional, even visceral, response in most people, making it difficult to talk about rationally.”
The source of the problem is disruptive innovations, which maddeningly redefine what constitutes a reasonable expectation of privacy in an increasingly connected society. Encryption, big data, cloud computing, drones and low cost sensors — every one of them can upset the equilibrium between individual freedom and public protection.
Choose your metaphor: it’s an arms race, it’s a swinging pendulum, it’s a delicate set of scales. Striking the right balance is impossible, at least for any length of time.
Right now what we mostly have is stalemate, with a strong presumption in favor of law enforcement. Under wiretapping statutes that go back to the dawn of the computer age, police can search and seize digital property just as they do physical property. Though still subject to limits built into the Fourth Amendment, those powers were greatly expanded, especially as they apply to non-U.S. citizens, under the USA Patriot Act, which was passed quickly in the wake of the 9/11 attacks.
But long before disclosures by Snowden and others suggested a great deal of illegal law enforcement access was also taking place, electronic surveillance rules were already being criticized for their failure to protect personal privacy, often unintentionally as technology change increasingly outpaced the law.
It’s worth noting that the sides in that fight, as with many public policy debates involving disruptive innovation, defy simplistic characterizations of liberal and conservative. In 2010, for example, an umbrella organization known as the Digital Due Process Coalition formed to lobby for substantial reforms to existing law aimed at re-setting the scales. Founding members include advocacy groups on the far left and the far right, as well as a long list of Silicon Valley technology companies.
The DDP’s objectives include closing loopholes that allow access to emails and other data stored by third parties without fulfilling the Constitutional requirements of a judge-issued warrant supported by probable cause. At the same time, the group concedes the importance of preserving all existing “building blocks of criminal investigations,” including subpoenas, wiretaps and court orders.
As reasonable and balanced as these goals are, the effort has made little progress. Surveillance reform bills have been introduced and supported by dozens of Republican and Democratic sponsors, even as appellate courts in some parts of the country have declared aspects of the existing law unconstitutional. But lobbying by police, the FBI, the NSA and regulatory agencies have kept the bills from moving.
Meanwhile, technology-driven innovations continue to scramble the equation. In the last decade, consumers have gained significant new privacy tools, many driven by advances in the price and performance of encryption technologies. More and more Web interactions takes place using secured protocols. Apple and Google have built strong encryption into their mobile operating systems, as have many apps that do the same for text messages or other information exchanges. Cloud-based storage providers, including Dropbox, offer strong encryption, sometimes for an extra fee.
This growing popularity of cryptography by consumers and Internet services providers is aimed not at thwarting law enforcement so much as protecting sensitive (or not) information from cyber criminals and other unauthorized users. The net result, however, is to make that information increasingly inaccessible for anyone. Already, data encrypted by Apple, Google and others cannot be deciphered by the companies themselves. With or without a warrant, law enforcement officers can only get files that are unreadable.
That trend is almost certain to increase as computing costs fall and consumers grow more wary of both criminals and governments. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, estimates that within the next five to 10 years, 75 percent of web interactions will be encrypted. Full end-to-end encryption for all information exchange, which his organization advocates, could take two decades. But it will happen.
CDT and other privacy groups see no problem in this. The Internet wasn’t originally designed to be secure, Hall notes; that was an engineering mistake that is now being fixed. “Building insecurity into the infrastructure,” he says, “causes more bad outcomes than requiring law enforcement to adapt to a world of secure systems.” The benefits of an encrypted Internet outweigh the costs. Or so consumers believe, at least for now.
Right or wrong, technical obstacles for government agencies tasked with thwarting terrorism will only grow more overwhelming. Legal reform, if it happens, will only be a stopgap solution on the road to an Internet that can’t be spied on by anybody.
And then what? “Law enforcement will have to learn to do police work that doesn’t hinge on real-time or even delayed access to digital information,” Hall says. “Of course,” he adds, “that may require things that will make some people uncomfortable, such as government-sanctioned hacking.”
Law enforcement officials and their supporters take an equally extreme view of both the problem and the solution. FBI director James Comey believes encryption allows criminals to “go dark.” Encryption has left the police “blind,” according to New York Police Commissioner Bill Bratton. CIA director John Brennan calls Paris “a wakeup call” in the privacy debate.
They all want limits or even outright bans on strong privacy technologies available to consumers. Or, at the very least, a technical “back door” that will give the police legal access to encrypted data when needed.
Last month, under strong pressure from Silicon Valley, the White House agreed not to seek legislation that would force technology companies to do just that. Many even doubt that such a thing is even possible.
So there you have it. Two sides arguing different realities, impossible to reconcile.
Or are they?
Posturing aside, there’s no doubt that the dizzying pace of innovation continues to transform our lives in ways that unintentionally upset the delicate balance between civil liberties and law enforcement.
But that’s nothing new. Since the invention of coded messages used during the Revolutionary War, technology advances have always required adaptations in the law to preserve both privacy and social order.
In the United States, resetting the balance remains the job, as it has for over two centuries, of legal limits on search and seizure backstopped up by the Bill of Rights.
To start, we need the pragmatic reforms called for by the Digital Due Process group to correct problems in the Patriot Act and other overreactions to recent events. But we also need reasonable limits on the commercial use of strong encryption. And new surveillance tools built on the latest developments in data analysis and artificial intelligence.
These changes won’t be popular with anyone. They aren’t likely to happen anytime soon. Resolving the privacy crisis is both messy and technically challenging. And it requires compromise and collaboration, skills that neither side has spent much time developing.
The Constitution isn’t perfect. Imbalances aren’t always corrected fast enough. And at the margins there will always be abuse by both law enforcement and criminals. Still, measured change sure beats the alternative of policies that swing wildly in one direction or the other in response to the crisis-du-jour.
It’s at least worth another try.