Encryption technologies help protect user data from theft and they help secure critical infrastructure and services that societies depend on. But, encryption is also available to criminals and terrorists. This puts law enforcement agencies in a difficult position. In effect, they are faced with the dilemma of how to gather evidence on criminals and other adversaries who may be using encryption, while at the same time, not putting the safety of law-abiding citizens at greater risk. While we at the Internet Society recognize the challenges facing law enforcement, we believe that strong encryption should be available to all Internet users as it is an important technical solution to protect their communications and data.
This dilemma was voiced by U.S. Deputy Attorney General Rod Rosenstein in a recent speech. He argued that “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”
This problem, claimed Rosenstein, can be solved with what he calls “responsible encryption.” To Rosenstein, “responsible encryption” could “involve effective, secure encryption that allows access only with judicial authorization.” Unfortunately, if a way is made for law enforcement to bypass encryption, it could be exploited by anyone else. A criminal would only have to discover the bypass to gain the same access as law enforcement. Even the strongest of locks will always open to its key. No matter how a company creates access to encrypted communications or data, they introduce new attack vectors that weaken encryption and put users at greater risk. Fact is, there have been numerous recent examples of governments and corporations losing critical information.
As the Internet Society has noted before, the mathematical theory upon which encryption is built is in the public realm. In fact, there are many reference implementations available of encryption technology. As a result, even if technology companies are required to provide special law-enforcement access, a new black market for underground encrypted products would likely spring up to support criminals and terrorist networks.
Internet trust and secure communications are critical for growing the economy, spurring innovation, and promoting the free exchange of ideas in the United States. Any weakening of encryption will compromise the security of all users, stifle innovation, and reduce trust in the Internet.
As I’ve blogged before, strong encryption is essential to our security, not a barrier. It makes everyone more secure from threats from criminals, terrorists, and other adversaries. Weakening encryption may seem like an attractive option, a quick fix to a real security challenge. However, in the long-term, it will undermine the online safety of everyone.