Feb. 15, 2018

FOR IMMEDIATE RELEASE

New Report Proposes Framework for Policymakers to Address Debate Over Encryption

WASHINGTON – A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data.  The framework is the product of an 18-month study led by a diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines. 

The decades-old encryption debate reached new public prominence in connection with the FBI’s efforts to compel Apple to decrypt the phone of a dead terrorist in the San Bernardino case. FBI and other law enforcement officials have warned that the growing use of encryption in smart phones, messaging apps, and other devices and software is restricting their access to information needed for criminal and national security investigations. They have increasingly called for reliable, timely, and scalable ways to access this information so they can fulfill their public safety and national security missions.

Meanwhile, critics have raised legal and practical objections that regulations to ensure government access would pose unacceptable risks to privacy and civil liberties and undermine information security in the face of rising cyber threats, and may be less necessary given the wider availability of data and alternative means of obtaining access to encrypted data.

One of the fundamental trade-offs underlying the debate, according to the report, is that adding capabilities for government to access encryption schemes would weaken the security of an encrypted product or service to some degree, while the absence of such access hampers government investigations.

“The debate over efforts to enable government agencies access to plaintext has long been very polarized,” said Fred Cate, C. Ben Dutton Professor of Law at Indiana University and chair of the committee that wrote the report. “This is the first time that such a diverse array of experts representing so many important and often conflicting viewpoints worked together to reach consensus on the critical issues raised by encryption and the questions policymakers should ask when addressing them. Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward.”

The framework includes eight questions for policymakers or members of the technical community to consider while evaluating or formulating a proposal to provide authorized government agencies with access to encrypted content:

  1. To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
  2. To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
  3. To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
  4. To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
  5. To what extent will financial costs be imposed by the proposed approach, and who will bear them?
  6. To what extent is the proposed approach consistent with existing law and other government priorities?
  7. To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
  8. To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?

The framework is designed to be applicable to regulatory requirements, such as when a manufacturer has to ensure lawful access to their products; policy choices such as decisions to provide more funding to support efforts by government to obtain lawful access to plaintext; and particular technologies that might be imposed by law or implemented by companies in response to a general requirement for access. 

The report also emphasizes that policymakers will likely face challenges while addressing these questions, such as incomplete information about the impact of encryption on investigations as well as deliberate use of encryption by criminals; limits on the current ability to measure security risks; and inability to fully predict the consequences of courses of action. Other difficulties for policymakers include the complexity presented by thousands of communications and computing products available today, an international marketplace where products and services are introduced with regularity, and the interactions of those markets with the strategies and policies that are adopted by other nations.

The aim of this framework is not simply to help policymakers determine whether a particular proposed approach is desirable but also to ensure it is implemented in a way that maximizes effectiveness while minimizing harmful side effects, the committee said. 

The study was sponsored by the William and Flora Hewlett Foundation, the John D. and Catherine T. MacArthur Foundation, and the National Science Foundation. The National Academies of Sciences, Engineering, and Medicine are private, nonprofit institutions that provide independent, objective analysis and advice to the nation to solve complex problems and inform public policy decisions related to science, technology, and medicine. They operate under an 1863 congressional charter to the National Academy of Sciences, signed by President Lincoln. For more information, visit http://national-academies.org. A committee roster follows.

Contacts: 
Riya V. Anandwala, Media Relations Officer
Andrew Robinson, Media Relations Assistant
Office of News and Public Information
202-334-2138; e-mail news@nas.edu

Copies of Decrypting the Encryption Debate: A Framework for Decision-Makers are available from the National Academies Press on the Internet at www.nap.edu or by calling 202-334-3313 or 1-800-624-6242.  Reporters may obtain a copy from the Office of News and Public Information (contacts listed above).

THE NATIONAL ACADEMIES OF SCIENCES, ENGINEERING, AND MEDICINE

Division on Engineering and Physical Sciences
Computer Science and Telecommunications Board

Committee on Law Enforcement and Intelligence Access to Plaintext Information in an Era of Widespread Strong Encryption

Fred H. Cate (chair)
Vice President for Research,
Distinguished Professor and C. Ben Dutton Professor of Law, and
Senior Fellow, Center for Applied Cybersecurity Research
Indiana University
Bloomington

Dan Boneh [1]
Professor of Computer Science and Electrical Engineering, and
Co-Director, Stanford Computer Security Lab
Stanford University
Stanford, Calif.

Frederick R. Chang [1]
Director, Darwin Deason Institute for Cyber Security, and
Bobby B. Lyle Centennial Distinguished Chair in Cyber Security
Department of Computer Science and Engineering
Lyle School of Engineering
Southern Methodist University
Dallas

Scott Charney
Vice President for Security Policy
Microsoft
Medina, Wash.

Shafrira Goldwasser [1,2]
RSA Professor of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
Boston

David A. Hoffman
Director of Security Policy, and
Global Privacy Officer
Intel Corp.
Durham, N.C.

Seny Kamara
Associate Professor of Computer Science
Brown University
Providence, R.I.

David Kris
Founder
Culper Partners LLC
Seattle

Susan Landau
Bridge Professor in Cybersecurity
Department of Computer Science
School of Engineering, and
Professor
Fletcher School of Law and Diplomacy
Tufts University
Medford, Mass.

Steven B. Lipner [1]
Executive Director
SAFECode
Seattle

Richard Littlehale
Special Agent in Charge
Technical Services Unit
Tennessee Bureau of Investigation
Nashville

Kate Martin
Senior Fellow
Center for American Progress
Washington, D.C.

Harvey Rishikof
Co-Chair
Cybersecurity Legal Taskforce
American Bar Association
Washington, D.C.

Peter J. Weinberger
Software Engineer
Google Inc.
New York City

STAFF

Jon Eisenberg
Staff Officer

[1] Member, National Academy of Engineering
[2] Member, National Academy of Sciences