In the wake of the horrific attacks in Paris earlier this month, government and intelligence officials pointed a finger at end-to-end encryption (E2EE) and how it enabled attackers to “go dark” — in other words, become invisible to law enforcement.
This is only the latest development in a years-old encryption debate between intelligence officials and Silicon Valley: Should tech companies give intelligence agencies back-door access to encrypted devices and networks, or hold their ground on strong encryption to protect their customers’ right to privacy? Even before the attacks rekindled the public safety vs. privacy debate, earlier this month a panel of experts from both sides of the argument weighed in on the pros and cons of E2EE at the Advanced Cybersecurity Center’s conference in Boston.
One panelist, FBI General Counsel James Baker, stressed that there is no perfect technical solution to the public safety vs. privacy debate. He added that it’s up to legislators and individual technology companies to decide how far they want to enable government surveillance.
“Under what set of circumstances do the people want that to happen? What do you want us to do, and what risks are you willing to take on all sides of the equation?” Baker asked the audience, which mostly consisted of information security professionals.
He added that Congress remains behind in addressing the problem as well.
“Current legislative thinking is unsatisfactory in balancing all these types of risks,” Baker said. “It’s about creating laws that effectively enable the government to obtain the results of surveillance in a way that’s consistent with our constitutional rights.”
At present, the FBI is offering two solutions for its “going dark” dilemma: split-key encryption (data can only be decrypted by combining several keys) or encryption via “key escrow” (one key out of many is stored by a government agency).
Eric Wenger, director of cybersecurity, privacy and global affairs at Cisco, argued that these solutions are insufficient for tech companies. He said that they gave the public a mixed message: “We want you to use really strong encryption, but we just want a way to break into it.”
Wenger also questioned whether the FBI and other law enforcement entities needed access to encrypted data for every investigation. With kidnapping cases, for instance, unencrypted geolocation data from a suspect’s device could prove to be the most important piece of information to move the investigation forward.
“We need to tease these problems apart and get to the things that are really the most meddlesome for law enforcement,” Wenger said.
Fellow panelist Susan Landau, a security policy professor at WPI, agreed, saying the encryption conversation is complex and needs to be considered on a case-by-case basis. This would require changing how local and federal law enforcement conduct investigations, however, and would likely come with considerable costs, she said.
“It’s complicated. It takes time. But I find myself in the position of actually supporting extra funding and saying, ‘Look, we’re talking about securing everybody and making investigations more expensive — or the reverse,’” she said.
But reservations around split-key encryption, key-escrow encryption and other proposals that facilitate government surveillance don’t mean that technology companies don’t care about public safety, Wenger insisted.
“I want [the FBI’s Baker] to be able to get what he’s entitled to get, but the problem is at what cost?” he said.
Head to SearchCompliance to read more about the panelists’ take on end-to-end encryption.