News, Science & Research

Report explores solutions to encryption debate

With input from University professor, document details ethical, technical issues around police data access

By
Senior Staff Writer
Tuesday, March 20, 2018

In the wake of the 2015 San Bernardino terror attack, the nation witnessed a new and unfamiliar debate when the FBI — in possession of the shooter’s encrypted iPhone 5c — tried to compel Apple to provide “exceptional access” to the phone’s encrypted contents. While national dialogue surrounding law enforcement’s ability to require access to encrypted evidence has waned since then, a committee of academics and professionals including Seny Kamara, associate professor of computer science, formed in 2016 to discuss what policymakers should bear in mind when developing solutions to the encryption debate.

The committee released a report in February that poses questions they believe are critical to the conversation.

Encryption — the act of turning understandable “plaintext” data into unintelligible “ciphertext” — is an old concept, said Fred Cate, vice president for research at Indiana University and chair of the committee that wrote the report. While encryption technology applied almost exclusively to government and industrial interests for centuries, it has become incredibly important with the advent of computers and the Internet, playing a role in most online interactions. “Encryption now just surrounds us,” Cate said.

As it stands, law enforcement agencies can get a warrant to seize a device and access its content. “But if the content is gibberish — if it’s all ciphertext — they have no authority to compel somebody to help them to get access,” Cate said. While law enforcement can compel someone to unlock their device via fingerprint or facial recognition, they cannot require that person to provide a password, he added.

Law enforcement and the intelligence community are concerned with the widespread use of encryption. Members of these communities argue that the Internet is “going dark,” Kamara said. “What this means is that (law enforcement officials are) not able to have access to this end-to-end encrypted data, even though they have a warrant,” he said. It’s not clear, though, whether this increase in encrypted data simply reflects the overall increase in data, he added.

The committee’s report, titled “Decrypting the Encryption Debate: A Framework for Decision Makers,” was sanctioned by the National Academies of Sciences, Engineering and Medicine and focuses on the challenges that come with allowing law enforcement special access to plaintext data. It poses relevant questions that any possible policy proposals should consider, including: “What is the impact on cybersecurity going to be?” and “Will it grant access to everybody’s data?” Kamara said.

“These are pretty commonsensical questions,” Cate said, offering further examples of questions the framework poses: “How many people will be affected by this solution? … Who’s going to pay for it? … If it requires inventing something new, does industry pay for it? Does law enforcement pay for it?”

The report also outlines how encryption works, the challenges associated with granting agencies exceptional access to encrypted data and when granting such access might be needed, Cate said. Cases such as missing children or distribution of child pornography, for instance, are classic instances of when a law enforcement agency would want to defeat encryption, he said.

But there are a number of technical and ethical problems surrounding exceptional access.

Any solution providing exceptional access to an agency would likely open a point of entry for security threats, said Vasileios Kemerlis, assistant professor of computer science. “It’s not clear whether we can provide that functionality to systems, especially to existing systems, without opening a door to everybody who wants to attack,” he said, adding that he does not think there is a solution that can reconcile access and security.

But Kamara acknowledges that future cryptographic research could reveal ways of balancing law enforcement interests with the privacy of ordinary people. “Cryptography is something that is really, really powerful and can do things that we don’t expect, that are very unintuitive,” he said.

Both Cate and Kamara said that the public should be more aware of consequences of the debate and sustain the conversation following events such as the San Bernardino attack. “The time to start thinking about these issues is not after the shooting has occurred,” Cate said.