The Encryption Debate We Need
In late March, the FBI announced that it would drop its lawsuit against Apple because it was able to unlock the iPhone of Syed Rizwan Farook, a gunman in the December shooting in San Bernardino, California, without the tech giant’s help and using an undisclosed vulnerability. Apple remains alarmed – and for good reason. Between Apple and the FBI alone, there are over a dozen cases pending in which the government seeks access to encrypted data stored on iPhones. As a result, the company has resolved to increase the security of its products and improve encryption to such a degree that under no circumstances would its own software engineers be able to gain access. Indeed, it is unlikely that the crypto war between Washington and Silicon Valley will end soon.
Without a doubt, encryption is the most important technology today for the safeguarding of online security and privacy. But it does not protect only the data of law-abiding citizens. FBI Director James Comey has repeatedly referred to the dangers of “going dark”: “Armed with lawful authority,” he declared, “we increasingly find ourselves simply unable to do that which the courts have authorized us to do, and that is to collect information being transmitted by terrorists, by criminals, by pedophiles, by bad people of all sorts.” In his view, this is precisely why tech companies should facilitate access for law enforcement agencies. But Tim Cook, CEO of Apple, categorically rejects any sort of backdoor and warns of a slippery slope that could threaten civil liberties. In his words, if the FBI can “force us to do something [that] would make millions of people vulnerable, then you can begin to ask yourself, if that can happen, what else can happen?”
While the crypto war plays out in the United States, all seems quiet on the German front. “We support more and better encryption,” the German government declared in its 2014 Digital Agenda. According to the agenda, Germany seeks to become the “world leader in encryption” – and promisingly, German companies are second only to the US in the market for encryption products. By taking such a clear stance on encryption, the German government hopes to assuage its citizens’ security concerns and increase trust in IT products “made in Germany.”
Upon closer inspection, however, the situation is much more fragile in Germany. There will be more and more cases in which German law enforcement bodies, such as the Federal Criminal Police Office (Bundeskriminalamt), are unable to access data stored on a criminal’s phone or to listen in on online conversations between terrorists. This has made policymakers in Berlin increasingly nervous. In the wake of the Charlie Hebdo attacks in 2015, German Interior Minister Thomas de Maizière demanded that authorities be able to “decrypt or bypass encrypted communication.” He quickly qualified his statement, emphasizing that the Ministry of the Interior does not have any plans to weaken encryption. But de Maizière’s statement reveals just how easily the rhetoric could change after a terror attack on German soil.
In preparation for such a situation, Germany needs to invest in building strong consensus on encryption. The German government should promote a discussion that goes beyond the often unproductive and overly charged debates in the US. To this end, Germany should take an “encrypted world” as a given. It should not waste much time debating the practicability of government backdoors, for there are no legal or technical solutions that would not undermine encryption as a whole. Most law enforcement officials accept this condition, not least because encryption is essential in the protection of citizens’ data against criminals. Even if a country like Germany or the US were to make it harder or illegal for companies like Apple to offer encryption, users could choose from a wide variety of alternative tools to encrypt their data.
Therefore, the discussion in Germany should focus on identifying the tools and resources that law enforcement needs in order to fulfill its duties in a world of ubiquitous encryption. In this context, Federal Prosecutor General Peter Frank correctly emphasized that “law enforcement and security agencies need to be able to keep pace with technological progress.” It is encouraging that the governing parties CDU/CSU and SPD recently promised to technically equip security agencies so that they can carry out their work in an increasingly digital world.
To follow up on such promises, they need to address legal frameworks, technical capabilities and staffing. One key aspect is computer network exploitation software for the surveillance of individual targets. Such software makes it possible to extract data directly from a suspect’s computer before encryption puts the data out of reach. The latest version in Germany, the Bundestrojaner, has just been authorized for use by the Bundeskriminalamt. But the software still has a number of problems. It lacks a crystal-clear legal framework, and it monitors all of a user’s activities and cannot focus on, for instance, Skype or email. In addition, there are open questions regarding the computing capabilities needed by law enforcement to, say, access hard drives through “brute force,” by trying out all possible password combinations. Finally, law enforcement needs more specially trained staff who know how to put these new technologies to the best possible use.
To achieve consensus on how to equip law enforcement with the right capabilities, the German government should appoint a commission of key players and experts from law enforcement, intelligence agencies, political parties, NGOs, academia and business. The commission should develop clear recommendations for both the parliament and the executive branch. Once established, a compromise on encryption would be able to withstand the heated debate that will inevitably follow an attack in which terrorists use encryption as part of their operations security.
The work of the expert commission would have three other important effects. First, it would help foster a professional relationship between the private sector and law enforcement, while simultaneously clarifying the legal and political situation for those companies using and offering encryption. Second, it could shed light on the challenge of information exchange among law enforcement agencies, as well as between law enforcement and intelligence agencies. In the European counterterrorism context, encrypted data are often not the problem – data are often available in plain text, but not to the relevant agencies.
Third, the commission’s work could influence the discussion on encryption in Europe. The debate is already heated in France and the United Kingdom: a draft bill in France threatens to fine tech companies unwilling or unable to decrypt user data, and similar measures were being discussed in the UK as part of the draft Investigatory Powers Bill. These national measures on encryption would do nothing to further joint European anti-terror measures, the common digital market or the EU’s influence on global standard setting. A strong consensus in Germany would not only strengthen its own users and law enforcement authorities, but also serve as an important starting point for achieving a European consensus on encryption.
…
This is an updated English version of a commentary originally published by Handelsblatt on May 19, 2016.