Skip to main content

Kennedy School Review

Topic / Science, Technology and Data

We need to talk about encryption

Our lawmakers are blundering their way through the challenges of the digital era. It’s time to elevate the standard of debate.

BY ISABELLA BORSHOFF

On December 6, the last sitting day before the Australian parliament’s Christmas break, lawmakers from both major parties united to pass the Assistance and Access Bill 2018. In doing so, they gifted state and federal law enforcement agencies the authority to demand access to encrypted communications (think WhatsApp or Apple-to-Apple iMessage) – a move met with widespread dismay from both the technology sector and civil society.

The bill was introduced to address concerns that criminal networks are using encrypted messaging services to avoid surveillance. Encryption allows users to exchange ‘locked’ messages for which only they have the key. For example, on a platform like WhatsApp, each party to a conversation has a key that changes with every message sent – and decryption occurs entirely on the user’s device, rather than the WhatsApp server. In countries where citizens can’t guarantee the privacy of standard communications, civil society relies heavily on such services.

Practically speaking, the new law requires companies to develop server-based decryption keys so law enforcement agencies have the ability to access communications if authorized with a warrant. This legal development is cause for concern on three fronts. First, it leaves citizens vulnerable to increased government surveillance. For those fortunate enough to live in stable democracies, this might not feel like such a pressing concern. But we shouldn’t take for granted the conditions of the day – political conditions can turn on a dime. What’s more, regulation can have a copycat effect, and opening the decryption door in Australia could lead to distopia elsewhere.

Second, government mandated decryption capability increases users’ susceptibility to malicious activity – the more ‘backdoors’ we install, the more likely we are to be robbed of our information. That is, the decryption key itself becomes an additional target for bad actors.

Third, it undermines Australia’s burgeoning tech sector by essentially acting as a ‘wrong way, go back’ sign to investors in the sphere. The value proposition of technological innovations drastically reduces once backdoors are built and government leaders have the keys, because users cannot be certain their messages are secure.

These threats aside, the legislation may be simply unworkable. Some encryption-based platforms have made it clear they’re technically unable to satisfy the demands of the legislation. In a recent blog post, Signal developer Joshua Lund stated, “Although we can’t include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn’t worked very well.” If the government started down that slippery slope, they’d have to confront public outrage about free speech restrictions, and a likely explosion in the use of workaround networks – creating a whole new set of challenges.

Given the legislation’s clear downsides, the immediacy and ferocity of public backlash is understandable. However, we shouldn’t let the obvious problems with the law obscure an important normative debate about the inherent tension between national security and individual privacy. As Amitai Etzioni of George Washington University explains, both are legitimate policy pursuits which, unfortunately, cannot be maximized simultaneously.

In this sense, a coordinated global assault on end-to-end encryption – modeled on the Australian law – would prioritize national security but would be fraught with moral and practical challenges. A laissez-faire approach, on the other hand, undoubtedly makes the work of law enforcement agencies more challenging but re-balances the power relationship between government and civil society. Additionally, appeals to a ‘middle ground’ are somewhat misguided – for encryption to be valuable, it must be absolute.

How might governments reconcile these conflicting objectives? Or if they are indeed irreconcilable, which path should policymakers take?

Acknowledging the variety of tools in our national security kit could dampen the hysteria around encryption and prevent knee-jerk legislative reactions. For example, as a 2016 report by Harvard’s Berkman Centre for Internet and Society notes, the bulk of society’s metadata will likely stay unencrypted, while the evolution of digitally-networked smart objects will provide unparalleled opportunities for governments to track criminal activity. This kind of data collection will require its own scrutiny and safeguards, but should reassure lawmakers that there are ways to protect national security while still preserving citizens’ privacy.

The regulation of technology platforms is shaping up to be one of the biggest policy challenges of our generation, but the complexity of the issue often leads to a dichotomous public discourse devoid of constructive solutions. It’s incumbent upon lawmakers to educate themselves on the shades of grey before casting their votes on transformative technology policies in the future.

 

Isabella Borshoff is a Master in Public Policy candidate at the Harvard Kennedy School, having previously worked in the Australian Prime Minister’s Department and a global medical technology firm. She’s particularly interested in technological change, evidence-based social policy and political discourse.

Edited by Hilary Gelfond

Photo: Markus Spiske