Encryption Substitutes
Table of Contents
Title Page
The Encryption Debate in Context
Law Enforcement Substitutes
Privacy Substitutes
Implications for Better Policy
About the Author
Page 1

Andrew Keane Woods • Aegis Paper Series No. 1705


Policy experts have suggested that the rise of encrypted data is not the end of intelligence collection because law enforcement can look to substitutes—other sources of intelligence, such as metadata—that prove to be just as valuable or more valuable than decrypting encrypted data.[1] This paper focuses on the other side of that insight: on the substitutes available for privacy-seekers beyond encryption, such as placing one’s data in a jurisdiction that is beyond the reach of law enforcement. This framework puts encryption in context: there are many ways to keep one’s data private, just as there are many ways that the government might get access to that data. While encryption is typically treated as a stand-alone computer security issue, it is a piece of a larger debate about government access to personal data.[2]

Law enforcement officials are, in general, agnostic about the method through which they obtain evidence—what matters is obtaining it. Privacy-seekers are similarly agnostic about how they secure their privacy—what matters is having it. This means that policymakers have a wide set of options—not only about whether to allow law enforcement to access personal data, but also how to do so. This wide set of options is not reflected in the debate over encryption, which is typically framed in all-or-nothing terms. Some privacy advocates take a stance that seems to allow no room for compromise (an argument that can be boiled down to “it’s math!”[3]) and some government actors do the same (essentially arguing, “it’s terrorism!”[4]). Widening the scope of the policy discussion to include related issues—what I will call “encryption substitutes”—may increase the chances of compromise and may generate better


In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crime, fighting terrorism, and regulating territorial borders. Second, I assume that people have a right to expect privacy in their personal data. Therefore, policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other. Of course, much of the debate over government access to data is about how to respect

Page 2

Andrew Keane Woods • Encryption Substitutes

both of these assumptions. Different actors will make different trade-offs. My aim in this short essay is merely to show that regardless of where one draws this line—whether one is more concerned with ensuring privacy of personal information or ensuring that the government has access to crucial evidence—it would be shortsighted and counterproductive to draw that line with regard to one particular privacy technique and without regard to possible substitutes.

The first part of the paper briefly characterizes the encryption debate two ways: first, as it is typically discussed, in stark, uncompromising terms; and second, as a subset of a broader problem. The second part summarizes several avenues available to law enforcement and intelligence agencies seeking access to data. The third part outlines the alternative avenues available to privacy-seekers. The availability of substitutes is relevant to the regulators but also to the regulated. If the encryption debate is one tool in a game of cat and mouse, the cat has other tools at his disposal to catch the mouse—and the mouse has other tools to evade the cat. The fourth part offers some initial thoughts on implications for the privacy debate.

The Encryption Debate in Context

The debate about backdoors to encryption leaves little room for compromise. One side characterizes the government’s demands for exceptional access as “math denialism”: exceptional access simply cannot be introduced into a cryptographic system without overwhelming risk.[5] The other side insists that it must be done and it can happen, if only cryptographers and software engineers try hard enough. Former FBI director James Comey’s recent testimony on the matter is a good example—suggesting that Silicon Valley entrepreneurs simply need to apply the same grit and determination to the encryption problem that they apply to creating new software businesses.[6] The terms of this debate are zero-sum: either it is technologically possible to create a system that is safe but also contains a backdoor, as the FBI asserts, or it is not.

Perhaps there is a better way to frame the debate. The government does not actually seek exceptional access to encrypted data per se; indeed, governments did not seek exceptional access until it became relevant to law enforcement operations. What the government is really after is crucial evidence of crimes and national security intelligence. Encryption is just one barrier—among many—to that evidence and intelligence.

Page 8



Technological Substitutes

Just as there are jurisdictional substitutes to device encryption, there are technological substitutes as well.

Anonymization Tools

Perhaps the most useful way to ensure a measure of privacy online is to operate anonymously. Often, law enforcement will need some amount of identifying metadata before it can search or seize a suspect’s digital content data, like e-mails and photos. Suppose that the police receive a tip (or intercept a message) that suggests that a criminal is communicating using the e-mail account “[email protected].com.” Without having some way to connect a particular suspect to this account number, it may be difficult for law enforcement to gather enough evidence to ask for a warrant to get access to the account’s contents. This is why privacy-seekers use anonymization tools like Tor, which masks their online activities.[35] If hiding the contents of your communications is good, not having anyone know they are yours is even better. If a user cannot be identified, it does not matter what his messages say (or whether the messages are encrypted, either locally or in transit).

Encrypted Services

In addition to encrypting their devices, users can also communicate—both send and receive messages and other content—via an encrypted channel. The largest service to offer encrypted communications is WhatsApp, with a user base of more than one billion users.[36] Although the messages may be stored on users’ devices in the clear, they are encoded while in transit so that if law enforcement or any other third party managed to see the message—as it passes through the service’s servers, through a local fixed or mobile telecommunications service, or through the larger fiber-optic channels that connect the Internet’s major nodes—all that they would see is encoded text. This has led to considerable frustration on the part of law enforcement and states have begun to pursue anti-encryption measures directed at data in transit. Brazil recently jailed a Facebook employee after the company refused to comply with a judicial order to decrypt messages on the WhatsApp service—something the company cannot do after the fact.[37] If a law is passed allowing law enforcement to seek to decrypt devices, a user may still be able to communicate in a secure (encrypted) channel. While Apple’s recent dispute with the FBI revolved around access to an iPhone’s physical drive, that access would be of limited use to law enforcement if the suspect’s communications were entirely encrypted in transit.


Page 9


Implications for Better Policy

What conclusions can we draw from the fact that encryption is neither the only tool available for privacy-seekers nor the only barrier to law enforcement seeking access to digital evidence? I think at least five conclusions follow.

Society will likely prefer one substitute over another

It seems likely that social preferences will be maximized by picking one domain to delimit government access to data over another. Each domain presents a different set of privacy trade-offs and social preferences will be maximized by some domains more than others. Consider the following privacy concerns, which any particular government action might trigger: How widespread is the privacy harm (how many people’s privacy interests are at stake)? How total is the privacy harm (how much stuff—and what percentage—gets revealed to the government)? How long (temporally) is the harm (finite or otherwise)? And so on. Reducing jurisdictional barriers to law enforcement access to data may, on balance, be preferable to creating exceptional access to encrypted services. That is, building a backdoor to Gmail’s servers may raise more of these concerns than the contemplated US-UK agreement regarding law enforcement access to data. Even among technological domains, one approach to delimiting government access to data may more closely track social preferences than another. For example, allowing the police to lawfully hack into individual suspects’ devices is likely less privacy-invasive than forcing providers to create backdoors to their services.

Blocking one domain places pressure on the others

Suppose that the French government is investigating an attack in Paris. The suspect is thought to have used an encrypted device to communicate with his conspirators using an unencrypted American service. The government has two avenues for accessing relevant evidence: decrypt the phone or obtain the suspect’s e-mail from the American service. If jurisdictional barriers prevent the French government from obtaining the e-mails from the American service, there will be significant pressure to decrypt the phone. If the e-mails can be obtained in a timely manner by asking the US service for them, the pressure to decrypt the phone may wither.

Some domains create more displacement than others

Suppose that the US government is contemplating two laws. One would prohibit American providers from encrypting users’ communications while the other would

Page 15


Hoover Institution • Stanford University

The publisher has made this work available under a Creative Commons Attribution-NoDerivs license 3.0. To view a copy of this license, visit

Hoover Institution Press assumes no responsibility for the persistence or accuracy of URLs for external or third-party
Internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will
remain, accurate or appropriate.

Copyright © 2017 by the Board of Trustees of the Leland Stanford Junior University

Preferred citation for this publication is Andrew Keane Woods, Encryption Substitutes, Hoover Working Group on National Security, Technology, and Law, Aegis Series Paper No. 1705 (July 17, 2017), available at

Page 16

Hoover Institution, Stanford University
434 Galvez Mall
Stanford, CA 94305-6003

Hoover Institution in Washington
The Johnson Center
1399 New York Avenue NW, Suite 500
Washington, DC 20005

Jean Perkins Foundation Working Group on
National Security, Technology, and Law

The Working Group on National Security, Technology, and
Law brings together national and international specialists
with broad interdisciplinary expertise to analyze how
technology affects national security and national security
law and how governments can use that technology to defend
themselves, consistent with constitutional values and the rule
of law.

The group focuses on a broad range of interests, from
surveillance to counterterrorism to the dramatic
impact that rapid technological change—digitalization,
computerization, miniaturization, and automaticity—are
having on national security and national security law. Topics
include cyber security, the rise of drones and autonomous
weapons systems, and the need for—and dangers of—state
surveillance. The working group’s output, which includes
the Aegis Paper Series, is also published on the Lawfare blog
channel, “Aegis: Security Policy in Depth,” in partnership
with the Hoover Institution.

Jack Goldsmith and Benjamin Wittes are the cochairs of the
National Security, Technology, and Law Working Group.

For more information about this Hoover Institution Working Group, visit us online at http://www.hoover.org/research-teams/national-security-technology-law-working-group.

About the Author

Andrew Keane Woods is an assistant professor of law at the University of Kentucky College of Law. He writes about law and technology, and his scholarship has been cited in the Economist, the Wall Street Journal, the Washington Post, Bloomberg, and NPR.
