The "contentious debate" over when and how law enforcement agencies can lawfully access encrypted data has reached an "impasse", according to a new paper by the Washington-based Encryption Working Group.
Encryption has made criminal investigations more difficult, say the cops, and they aren't happy. But strong encryption also thwarts criminals, preserves privacy, and protects marginalised communities, say others.
Can any proposal satisfy both groups, let alone all the other stakeholders?
Your writer's view is that everyone's been talking past each other, especially in Australia.
Lawmakers, whose actual job is synthesising coherent policy from competing priorities and turning it into legislation, are clearly unwilling or unable to think through the complexities.
In Australia, they seem unable to see the legislative process as anything other than partisan point-scoring.
As a result, Australia's encryption laws are riddled with confusing definitions that try to cover every possible scenario, and fail.
The Encryption Working Group, formed in 2018, is a joint project of the Carnegie Endowment for International Peace and Princeton University.
It includes includes former government officials, business representatives, privacy and civil rights advocates, law enforcement experts, and computer scientists.
Its paper, titled Moving the Encryption Policy Conversation Forward, calls for the debate to abandon two straw men:
- that cops can't protect the public unless they can access all encrypted data through lawful process; and
- that we should stop looking for ways to enable access to encrypted information because it can't be done safely.
"[These are] absolutist positions not actually held by serious participants, but sometimes used as caricatures of opponents," the group wrote.
See also: The encryption wars are back, but this time it's different
The paper calls for a "pragmatic" debate, with an understanding that no approach can ever address every concern perfectly. Stakeholders must accept that whatever path is taken there will be some level of risk.
"Cybersecurity advocates should not dismiss out of hand the possibility of some level of increased security risk, just as law enforcement advocates should accept that they may not be able to access all of the data they seek," the group wrote.
Policy discussions should be "specific, honest, and open-minded" and include "diverse perspectives".
"There will be no single approach for requests for lawful access that can be applied to every technology or means of communication," the group wrote.
"Few public statements from national governments, for example, have distinguished between approaches for data at rest and data in motion. Similarly, when groups raise concerns about undermining encryption, they tend to emphasise the general risks versus those related to specific applications of encryption."
The paper lists some debate guidelines, including the need to accept imperfection, and a recognition that security takes many forms and is intertwined with privacy and equity.
There also needs to be a balance between the need for a strategic approach and the need for technical detail, the paper said.
"The world of cryptography, digital communications, and data management is deeply technical; this complicates the broader societal conversation that is needed on encryption."
"On one hand, more strategic, accessible approaches are needed to broaden this circle. On the other, some risks often can only be identified at very detailed, technical levels of investigation."
The encryption question isn't just about technology, the group wrote. Any proposal must also address process, infrastructure, and policy, otherwise there won't be a full understanding of its risks and benefits.
It's worth reading the paper in full. It outlines a set of core principles that any proposed encryption policy should follow, and an approach to identifying and weighing risks through practical threat scenarios.
It makes a lot of sense, and it's only 27 pages.
Here's just one hypothetical scenario it discusses: What happens at an international border.
"A border protection or foreign intelligence service, at the arrival or connection airport in their country, confiscates a traveller's mobile phone to seek access to its contents without relying upon the traveller's assistance," the group wrote.
"Key questions: Could a foreign entity exploit or subvert the capability and proposed protections at an individual level? Would it provide new opportunities to subvert at scale?"
By contrast, the Australian government has stubbornly refused to discuss specific technical scenarios. No wonder the vague language that resulted has triggered so many fears.
For Australia, the challenge will be revisiting the encryption legislation with fresh eyes and a process structured as coherently as this one from the Encryption Working Group.
That would involve accepting that the original process was flawed, and that the legislation is flawed. It would also mean including the full range of stakeholders early in the process, and actually listening to them.
Is that even possible? Probably not. Our politicians will probably persist with the pointless puppetry of their parliamentary processes.
Disclosure: Stilgherrian wrote the Encryption Working Group's country brief on Australia, for which he received an honorarium.