When the Clinton Administration decontrolled encryption in the late 1990s after a long and acrimonious debate, it did so because it had decided that the benefits of making strong encryption available to internet users, and the benefits to U.S. companies operating in a global market, outweighed the cost to law enforcement and intelligence agencies, whose ability to collect internet communications would be reduced. The White House decided that secure communications and a strong U.S. Information Technology (IT) industry were worth the price.
In practice, the damage to collection from the 1990s decision turned out to be minimal. Very few people actually used encryption, because it was an added expense, difficult to implement, and made computers slow. Free access to encryption was not a problem, and the spread of the internet created a “golden age” for signal intelligence agencies.
But the encryption debate, which we thought had ended, was in fact only dormant and has reemerged in a very different environment. First, the Internet has changed. It was a much less important technology in the 1990s; now it is central to global economic activity, politics, and security. The security environment has changed, as we face much more aggressive state actors and the much more immediate threat of terrorist groups who aim to carry out violent acts against the U.S. and its allies. The Snowden revelations had an immediate global reaction, as people realized that NSA could read their traffic (other spy agencies in big countries can read traffic as well as NSA, but their tradecraft wasn’t leaked).
Foreign consumers regarded U.S. products with suspicion. In response, internet service providers and software producers began to offer strong encryption as a service or as an app, making it easier to install and use, and increasing the amount of encrypted traffic not accessible to government agencies.
In this new environment, the 1990s encryption “bargain” is being challenged. Many of the old issues have resurfaced, the most important of them being the ability of government agencies to gain lawful access to encrypted data and communications. Lawful access runs counter to the global needs of the IT industry. It also raises serious issues for security, since a “back door,” no matter how well hidden, is likely to be discovered and exploited by spies and criminals. At the same time, risks to society from transnational crime and terrorism have increased. Finding a new, public policy that addresses the economic and security issues raised by encryption will not be easy.
Public, because any encryption product is beatable – for a price. Privacy advocates don’t always like to hear this, but two broad approaches can let big agencies read your stuff. First, some companies offer strong encryption but have the ability to decrypt it themselves, so they can do data mining for advertising. What a company can read, FBI can get under a warrant, and foreign intelligence agencies can steal. Second, even if there is end-to-end encryption that no one in the middle can read, the end device can often be infected. This is more complicated than simply reading plain text but far from impossible.
These are important points because in the 1990s, FBI and NSA said it would be the end of the world if encryption was made available to the public. They lost the debate, regrouped, adjusted, and ended up better off than before. The same could happen this time, if we are willing to give agencies a little more money and a little time. Local law enforcement will have a harder time, so we’ll have to find better ways to give them access to national decryption resources. The benefit of letting people have encryption is that they will be safer - not from NSA, the PLA or the Russian FSB, but from criminals and hacktivists – no more Sonys (at least for a while)! The 1990s public policy “trade” of making strong encryption available to internet users and to U.S. companies, despite the cost to law enforcement and intelligence, isn’t as clear or as clean-cut because of the terrorism, but fundamentally, it still holds.
