ACLU to UN: Encryption is Not A Problem to be Solved, But a Crucial Tool For Freedom and Security
A few weeks ago, a U.N. Special Rapporteur solicited comments for a report on the relationship between free expression and the use of encryption and anonymity online. The report that he is writing will be submitted to the Human Rights Council in June and could help shape the international discussion surrounding the role of encryption and anonymity today.
Yesterday, we submitted our comments addressing both of those extraordinarily significant and timely topics.
We made two points that we think are critical:
- We explained that encryption and anonymity are the modern safeguards for free expression. Without them, online communications are effectively unprotected as they traverse the Internet, vulnerable to interception and review in bulk. Encryption makes mass surveillance significantly more costly, and anonymity allows dissidents, whistleblowers, and human-rights defenders to freely express themselves, organize, and expose governmental abuse without fear of retribution.
- We argued that strong encryption is essential to cybersecurity. You won’t hear this point addressed at any length by the FBI or others pushing for “backdoors” in the encryption that secures the Internet. But the point could not be more important—without strong encryption, we would be essentially defenseless against the increasingly regular and devastating cyberattacks that officials have warned us about.
What the FBI and others have focused on, instead, is their claim that encryption makes surveillance harder.
As we explain in our submission, there is an unavoidable respect in which that might be true: securing our communications with encryption necessarily secures them against everyone—against democracies, oppressive regimes, and criminal hackers alike. But the debate over encryption is simultaneously about much less and much more: much less because encryption poses nothing like the existential threat officials have cautioned, and much more because the proposals offered thus far would not simply trade a little security for a little surveillance. Rather, they would wholly subvert our security by sacrificing our best defense against the growing threat of cyberattack: strong encryption.
In other words, the security that encryption provides is not a problem to be solved, but rather the solution (or at least a critical part of one) to a looming disaster. This is so for several reasons.
First, law-enforcement authorities are now operating in a “golden age of surveillance.” While technology promises to secure the content of our communications, it has at the same time made our lives more transparent to law enforcement than ever before. With little effort, police forces can now determine a suspect’s exact location over a period of months, his every confederate, and every other digital fingerprint he leaves when interacting with technology. Federal, state, and local law-enforcement authorities in the United States have eagerly embraced these unprecedented surveillance capabilities. The security that encryption provides must be judged not in a vacuum, but in the context of the pervasive surveillance enabled by our increasingly digitized lives.
Second, prohibiting technology companies from offering backdoor-free communication services would do little to aid in the most important investigations. Sophisticated criminals and terrorists already have access to a wide array of encryption technologies that do not rely on intermediaries like Apple or Google. The primary effect of preventing Apple and Google from offering their own backdoor-free encryption, therefore, would only be to make everyone else less secure.
Third, for those who do pose serious threats, governments often have other tools at their disposal. For example, where the NSA cannot crack the encryption used by its targets, it circumvents it in other ways. The FBI, too, has tools that allow it to remotely hack into its targets’ computers and surreptitiously log passwords or gain access to private data. Those methods generally have the virtue of being targeted in nature. In other words, they do not undermine the security of everyone in order to monitor the few.
Proposals to deliberately weaken encryption must be recognized for what they are: efforts to prioritize surveillance over cybersecurity. The balance should come out exactly the other way. In recent years, there have been major hacks of U.S. government agencies, educational institutions, and private corporations. Tens or hundreds of millions of individuals have had their private data compromised. Major companies have endured unprecedented intrusions into their systems. And even the government has seen sensitive military information stolen. Virtually every high-level intelligence official in the United States has identified cyberattacks as the most serious threat to the nation’s security.
Strong encryption is our first line of defense against that threat. Weakening that encryption would make us all—private citizens and companies alike—more vulnerable to attack. Backdoor access may make law enforcement more efficient, but it would do so only at the expense of everyone’s security.