Experts, not just politicians, need to be at the table.
Last week, the "Five Eyes" nations of Australia, Canada, the UK, the US and New Zealand took part in their annual meeting on counterterrorism, intelligence-sharing and cybersecurity. While cryptography, particularly ways law enforcement could get around it in the interest of fighting crime, was expected to be a major part of the agenda, an official communication issued following the meeting hardly mentions cryptography, and does so in fairly bland, noncommittal terms:
Encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions while upholding cybersecurity and individual rights and freedoms.
This vaguely worded commitment does little to advance an important issue, says Constellation Research VP and principal analyst Steve Wilson. "A genuine crypto policy debate needs to be had, and needs to be seen to be had," Wilson says.
The 1990s saw widespread debate over cryptography, one that didn't really have a winner, Wilson notes. "Most cryptographers said that encryption should be commercially available, that export controls were counterproductive, that government control was futile and that our enemies would roll their own," he says. While these points were not necessarily accepted by governments, there did come a detente whereby access to cryptographic technologies was freed up.
Today the argument has moved to new fronts. In the US, the FBI's demand that Apple create a backdoor allowing access to an alleged terrorist's iPhone prompted strong pushback from the company and the public. (The Bureau ultimately hired outside help to crack the phone.)
"There are strong technical arguments that forcing exceptional access mechanisms into encryption algorithms will weaken the systems, making them more vulnerable to criminal attack," Wilson says. "But the arguments are difficult and technical. Most lay people, lawmakers included, continue to harbor naive visions of how encryption works, which leads to presumptions that cyber lock-picking is doable. Backdoors make encryption vulnerable by design and that's a bad thing."
However, civil libertarians and technologists shouldn't reject the governments' desires out of hand, Wilson says. Points to consider:
• Has the threat of terrorism and organized crime become quantitatively and qualitatively worse since the 1990s?
• To what extent are unbreakable, encrypted messages being used by terrorists? Are there no side channels, metadata or insiders available to law enforcement to monitor criminal activity?
• Have there been mathematical advances in the past 20 years that might enable new encryption methods with safe backdoors?
"I'm not a good enough cryptographer or social scientist to know the answers, but I do know the right people to ask," Wilson says. "I know that we need to ventilate these issues, engage the experts and trust their answers, if we are to move on without too many further distractions."