From the Frontlines of the Second Crypto Wars
We’re currently living in the midst of the Second Crypto Wars. While that may sound like the title of a campy Star Wars knock-off from the ’80s, it’s actually the most recent iteration of a long-running debate over the ubiquity of strong encryption in consumer-grade devices and services. By ubiquitous strong encryption, I mean both the expanded availability of device encryption for smartphones, and end-to-end encryption of communications protocols with only the sender and recipient (but no third parties) holding keys.
This sort of strong encryption has proliferated for a variety of reasons. Hacks and data breaches are larger, more consequential, and more prevalent than ever. The last four years have also been marked by controversy over widespread government surveillance in the U.S. and elsewhere. These circumstances have caused consumers to demand, and technology companies to develop, the tools to protect sensitive personal and financial information—both online and offline—from those whom consumers would prefer not to have access. Today, strong encryption protects most online connections, all financial transactions, and an ever-increasing number of communications. It is the core of modern digital security.
Naturally, the renewed focus on product and platform security on behalf of consumers has led to a conflict, with the tech industry and consumer advocates on one side, and law enforcement (mostly) on the other. This version of the Crypto Wars was kicked off in 2014, when then-FBI Director James Comey gave voice to frustrations long-festering in the federal, state, and local law enforcement communities—that the increasing availability of encrypted smartphones and communications services would cause some set of their investigations to “go dark” without access to vital evidence. Law enforcement worldwide began seeking some technical solution, from backdoors to key escrow, that would somehow keep encryption secure while affording them access. Everyone from leading security technologists and consumer advocates to former intelligence community leaders and government experts realized this was a futile, dangerous, and legally dubious exercise, but law enforcement pressed on.
Setting aside the significant flaws in law enforcement’s premise, this phase of Crypto Wars 2.0 came to a head in early 2016, when the FBI sought to compel Apple to develop a tool to allow investigators to crack the encryption in an iPhone relevant to the investigation of a tragic terrorist shooting in San Bernardino. While the FBI eventually withdrew its demand after being approached by a third party, battle lines had been drawn, and the stage was seemingly set for decisive Congressional action. That action came in a widely derided piece of draft legislation called the “Compliance with Court Orders Act of 2016,” which eventually went nowhere.
And that’s where we stand today. Congress and the White House remain conflicted about the appropriate path forward, though there is a recognition in important Congressional quarters that weakening encryption and digital security is an unwise choice. Law enforcement and their advocates in government will continue to call for an “adult conversation” about their concerns of “going dark,” but the adults have gone and moved on to argue about a whole host of new and exciting developments in the digital security space.