BATTLESPACE Updates

Posturing and Politics for Encryption By James A. Lewis

February 22, 2016 by Julian Nettlefold

17 Feb 16. The encryption debate has been largely unencumbered by facts. That deserves a separate discussion, but for now, let us consider Apple’s stout refusal to cooperate with the FBI in gaining access to data stored on the phone of one of the San Bernardino murderers.

Apple’s motives are clear, if not clearly expressed. The Snowden revelations damaged the brand of all American technology products. To assuage their customers, some companies offer “end-to-end” or unrecoverable encryption. It is the growth of these commercial encryption services offering unrecoverable encryption to a mass market that is of the greatest concern to law enforcement and intelligence agencies. To reassure a global market, these companies announce they will not cooperate with American authorities. This is a reasonable response to rebuild credibility, but it is not sustainable.

Let’s clear away a few egregious errors before we examine this in detail. First, the encryption debate is not about backdoors. Use of the term “backdoor” is both pejorative and misleading. A backdoor is a flaw or access point intentionally introduced into software to allow access to unencrypted text. To argue against backdoors is a sham, since what law enforcement agencies want is access to the plain text when this is authorized by law. Access by intelligence agencies is a different matter that will be discussed separately. Pretending that a desire for backdoors drives government policy misses the point. What law enforcement agencies want is access to plaintext – the unencrypted message or traffic.

Most encryption products provide access to plaintext because this is what customers want. Companies and individuals want to be able to “recover” plaintext in those cases where an encryption user loses the ability to access their encrypted content – a forgotten password, a programming flaw, or a lost key. Companies want recoverable encryption for liability reasons and for corporate due diligence. They do not want their employees to engage in surreptitious or illegal behavior. No corporate General Counsel would allow the use of unrecoverable encryption by anyone in their firm and it would be surprising if any of the big tech companies currently battling the government let their employees use unrecoverable encryption. Some of the big internet service providers also use recoverable encryption because it is consistent with their business models. A company cannot mine traffic for advertising purposes if it is encrypted in ways that prevent anyone but the sender and recipient from seeing the content. Anyone who talks about backdoors is either uninformed or attempting to manipulate you.

Second, the debate is not solely about the American market or American policy. What will drive this debate is the global market. Foreign consumers want assurance that the U.S. government cannot access their data. A minority of foreign consumers – largely people who go to Burning Man or Earth Festivals at Stonehenge – want to escape any government surveillance, but the source of most foreign outrage is Snowden’s revelations about U.S. activities.

This outrage is based on understandings that are neither fair nor accurate, but that is beside the point. The release of the Snowden documents was done in a way to cast a harsh light on the United States while ignoring what other countries do – Snowden’s obsequious conversation with Putin about Russian communications surveillance was an embarrassing indicator of this slant. The point to bear in mind is that most countries surveil the communications of their own citizens and they are unlikely to stop. A few – those with resources and interest – surveil communications in other countries. They are also unlikely to stop. Powerful information technology companies could steamroll smaller nations into accepting end-to-end encryption, but that will not work with big countries. China, for example, has one of the most sophisticated and complete monitoring systems in the world. Let’s imagine a conversation between Apple and China similar to the one Apple is having now with the FBI:

Apple: “We won’t cooperate.”

Chinese Government: “You’re out.”

When your second biggest market tells you to play ball or else (objections from Chinese consumers are unlikely to influence government decisions about encryption), it is a rare company that will sacrifice itself. Nor will it be politically sustainable to accede to requests from authoritarian governments while denying requests from democracies. China is putting an immense effort and billions of dollars into building an independent and competing IT industry to avoid the perceived risk of using foreign products. This is somewhat paranoid, and won’t really improve security, but China is not alone in its concerns. To pick a few, the United Kingdom, France, and other northern European countries (except perhaps Germany), Brazil, India and Russia all share concerns about encryption and want to have the ability to gain access to plaintext under varying degrees of lawfulness.

That is actually what the global encryption debate is about – what are the rules under which a government can access plaintext, and what transparency and oversight is required in this process. Concern about American products is driven by the belief that there are no constraints, little transparency, and no oversight (by the consumers’ own government) on U.S. agencies’ access to their data. Europe is the most passionate, but other markets have similar, if less vehement, worries about U.S. practice. Frankly, Americans should have similar concerns about other nations, including European nations, on how they are surveilled when they visit other countries. A little reciprocity is in order.

This might point to the way ahead on encryption – common reciprocal rules on accessing plaintext and a degree of transparency for both rules and requests. Reciprocal rules could resemble agreements among governments, similar to agreements to cooperate against money laundering, drug trafficking or other transnational threats to public safety. These agreements are apolitical to a degree that will be difficult, but not impossible, for encryption policy to match. The recent efforts led by the UK to streamline the process for serving warrants in another country – called Mutual Legal Assistance Treaties or MLATs – are an example of this kind of agreement, although the UK effort has been mischaracterized, even demonized, in the media.

A sustainable encryption policy needs to be perceived as legitimate by the global market. The key to legitimacy is that citizens will accept actions from their own governments that they will not accept from other governments (particularly the U.S.). The best outcome would be a multilateral agreement that let people secure their data with the strongest possible encryption, using products that allow for the recovery of plaintext by national authorities under agreed rules. This may not please privacy zealots, but it will complicate the lives of people using encryption for nefarious purposes.

James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2016 by the Center for Strategic and International Studies. All rights reserved.
