Feb. 15, 2018
FOR IMMEDIATE RELEASE
New Report Proposes Framework for Policymakers to Address Debate Over Encryption
WASHINGTON – A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data. The framework is the product of an 18-month study led by a diverse array of leaders from law enforcement, computer science, civil liberties, law, and other disciplines.
The decades-old encryption debate reached new public prominence in connection with the FBI’s efforts to compel Apple to decrypt the phone of a dead terrorist in the San Bernardino case. FBI and other law enforcement officials have warned that the growing use of encryption in smart phones, messaging apps, and other devices and software is restricting their access to information needed for criminal and national security investigations. They have increasingly called for reliable, timely, and scalable ways to access this information so they can fulfill their public safety and national security missions.
Meanwhile, critics have raised legal and practical objections that regulations to ensure government access would pose unacceptable risks to privacy and civil liberties and undermine information security in the face of rising cyber threats, and may be less necessary given the wider availability of data and alternative means of obtaining access to encrypted data.
One of the fundamental trade-offs underlying the debate, according to the report, is that adding capabilities for government to access encryption schemes would weaken the security of an encrypted product or service to some degree, while the absence of such access hampers government investigations.
“The debate over efforts to enable government agencies access to plaintext has long been very polarized,” said Fred Cate, C. Ben Dutton Professor of Law at Indiana University and chair of the committee that wrote the report. “This is the first time that such a diverse array of experts representing so many important and often conflicting viewpoints worked together to reach consensus on the critical issues raised by encryption and the questions policymakers should ask when addressing them. Our hope is that this report and the framework it presents will cut through the rhetoric, inform decision-makers, and help enable an open, frank conversation about the best path forward.”
The framework includes eight questions for policymakers or members of the technical community to consider while evaluating or formulating a proposal to provide authorized government agencies with access to encrypted content:
The framework is designed to be applicable to regulatory requirements, such as when a manufacturer has to ensure lawful access to their products; policy choices, such as decisions to provide more funding to support efforts by government to obtain lawful access to plaintext; and particular technologies that might be imposed by law or implemented by companies in response to a general requirement for access.
The report also emphasizes that policymakers will likely face challenges while addressing these questions, such as incomplete information about the impact of encryption on investigations as well as deliberate use of encryption by criminals; limits on the current ability to measure security risks; and inability to fully predict the consequences of courses of action. Other difficulties for policymakers include the complexity presented by thousands of communications and computing products available today, an international marketplace where products and services are introduced with regularity, and the interactions of those markets with the strategies and policies that are adopted by other nations.
The aim of this framework is not simply to help policymakers determine whether a particular proposed approach is desirable but also to ensure it is implemented in a way that maximizes effectiveness while minimizing harmful side effects, the committee said.
The study was sponsored by the William and Flora Hewlett Foundation, the John D. and Catherine T. MacArthur Foundation, and the National Science Foundation. The National Academies of Sciences, Engineering, and Medicine are private, nonprofit institutions that provide independent, objective analysis and advice to the nation to solve complex problems and inform public policy decisions related to science, technology, and medicine. They operate under an 1863 congressional charter to the National Academy of Sciences, signed by President Lincoln. For more information, visit http://national-academies.org. A committee roster follows.
Riya V. Anandwala, Media Relations Officer
Andrew Robinson, Media Relations Assistant
Office of News and Public Information
202-334-2138; e-mail firstname.lastname@example.org
Copies of Decrypting the Encryption Debate: A Framework for Decision-Makers are available from the National Academies Press on the Internet at www.nap.edu or by calling 202-334-3313 or 1-800-624-6242. Reporters may obtain a copy from the Office of News and Public Information (contacts listed above).
THE NATIONAL ACADEMIES OF SCIENCES, ENGINEERING, AND MEDICINE
Division on Engineering and Physical Sciences
Computer Science and Telecommunications Board
Committee on Law Enforcement and Intelligence Access to Plaintext Information in an Era of Widespread Strong Encryption
Fred H. Cate (chair)
Vice President for Research,
Distinguished Professor and C. Ben Dutton Professor of Law, and
Senior Fellow, Center for Applied Cybersecurity Research
Professor of Computer Science and Electrical Engineering, and
Co-Director, Stanford Computer Security Lab
Frederick R. Chang¹
Director, Darwin Deason Institute for Cyber Security, and
Bobby B. Lyle Centennial Distinguished Chair in Cyber Security
Department of Computer Science and Engineering
Lyle School of Engineering
Southern Methodist University
Vice President for Security Policy
RSA Professor of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
David A. Hoffman
Director of Security Policy, and
Global Privacy Officer
Associate Professor of Computer Science
Culper Partners LLC
Bridge Professor in Cybersecurity
Department of Computer Science
School of Engineering, and
Fletcher School of Law and Diplomacy
Steven B. Lipner¹
Special Agent in Charge
Technical Services Unit
Tennessee Bureau of Investigation
Center for American Progress
Cybersecurity Legal Taskforce
American Bar Association
Peter J. Weinberger
New York City
¹ Member, National Academy of Engineering
² Member, National Academy of Sciences