There are many ways to lead. The United States has a long history of being a technology leader, developing ideas and technologies embraced by people and countries around the world. The United States also has a long history of being a moral leader — of doing what is right even when not in its narrow self-interest. When it comes to encryption, it has done neither. It has followed extreme views on the morality of encryption that other countries, unsurprisingly, have been reluctant to embrace. And now, those countries are leading with their own laws that jeopardize all the moral good that strong encryption can bring.
Encryption and the state
Encryption presents difficult issues for states. It is not an overstatement to say that encryption is necessary to the modern economic and political world. Almost every aspect of modern communications relies on encryption for various purposes, such as protecting the confidentiality of information from eavesdroppers and attackers, verifying the identity and authenticity of individuals and resources we interact with online, and ensuring that information transmitted online has not been altered or tampered with. Modern e-commerce and social and political activity would not be possible without encryption.
These are actions that embody values that governments such as ours want to promote and protect. At the same time, however, encryption presents challenges to other values governments want to promote and protect, such as enforcement of civil and criminal law and national security and safety. Just as encryption makes it possible for the good guys to protect their information from bad guys, it also lets bad guys protect their information from the good guys. The same encryption that lets my bank protect my financial transactions and lets aid workers coordinate humanitarian efforts in a war-torn country also lets common criminals keep evidence stored on their iPhone from the police and helps terrorists coordinate attacks in democratic countries.
Encryption in the United States
The United States had its first major policy fight over encryption in the late 1980s into the early 1990s. The law enforcement community, led by the FBI, began pushing telecommunications companies to ensure “exceptional access” to communications traversing their networks. “Exceptional access” is a polite term from a “backdoor,” the ability to decrypt encrypted communications subject to court order.
This fight occurred in response to concerns digitizing telecommunications was leading to the development of switching and encryption technologies that limited law enforcement agencies’ ability to effectuate court-authorized wiretaps. These concerns had two distinct components: intercepting communications traversing networks (whether or not encrypted) and second, decrypting any intercepted communications that happened to be encrypted. The FBI was seeking legislative requirements that telecommunication carriers design their networks such that law enforcement would not lose its ability to intercept communications and also to prohibit telecommunications carriers from carrying encrypted communications that could not be decrypted subject to court order.
The battle over the second of these goals, exceptional access to encrypted information, ultimately stalled. The resulting legislation, the Communications Assistance for Law Enforcement Act (CALEA), only focused on ensuring access to communications, and expressly said that the telecommunications carriers could carry encrypted communications that they did not have the ability to decrypt.
The reasons that the legislation did not address exceptional access are complicated. In an overly short summary, the FBI thought that it had sufficiently addressed the exceptional access problem by developing a technology known as the clipper chip. As a result, it backed down from its efforts to secure a legislative solution to exceptional access in order to secure legislation ensuring its ability to intercept communications — and it did so with the intention of returning to Congress to seek legislation mandating exceptional access if the clipper chip failed. The clipper chip proved to be fundamentally flawed (at both the technological and political level) and failed — but the FBI was not subsequently able to secure a legislative mandate for exceptional access.
The common story told in the technology community is that CALEA was a strong statement of Congressional support for encryption, and that with CALEA, the United States embraced support for encryption as national policy. This is a dramatic overstatement of what Congress said and did in CALEA, but it has nonetheless become unquestionable truth and lore for many: individuals and firms in the United States are free to research, design, use, implement, distribute, and sell encryption-related technologies. No matter the law enforcement or national security concerns, the starting point for discussions is that encryption is sacrosanct, no matter the burdens or challenges this creates for the state.
The rest of the world
In the intervening 25 years, the early digitization of the telephone network that gave rise to CALEA has continued, morphing into the modern internet. Over this period, the United States has been the technological and market leader. At times much to its chagrin, the rest of the world has largely been along for the ride as the internet has grown from a (mostly) US-centric research network to the driving component of much of the world’s modern commercial and political economy.
But most of the rest of the world believes far more strongly in the importance and power of the state than we do in the United States. To the extent that CALEA was a statement of policy — a statement for support of strong encryption technologies even though those technologies can limit and interfere with the power of the government – that is not a policy that most other countries are inclined to embrace. To the extent that they have implicitly done so over the past 25 years, as they have adopted technologies developed in the United States that incorporate strong encryption, they have done so following the technological — not the moral or political — leadership of the United States.
Today we are in a different era, both politically and technologically. While the United States continues to dominate much of the internet ecosystem, we are no longer the sole, dominant force in its development. Europe and Latin America are actively seeking to promote both localization of those firms’ operations in their own countries and development of their own markets. Countries such as China and Russia have substantial technical capabilities and developing internet markets — often based on moral and political values quite contrary to our own.
The rest of the world, in other words, is actively eschewing American technological leadership. And, because the rest of the world is less beholden to the moral values that have been embedded in our technology, those values are jeopardized.
A bleak future of our own making
The moral absolutism of those who advance encryption exceptionalism — those who have steadfastly fought any limits on the design or use of encryption — has carved out a substantial technological hole. American technology firms have done little to develop technologies that exist in the vast space between “encrypt everything” and “exceptional access.” We need not turn to backdoors to satisfy many of the basic needs of law enforcement; we need to strongly encrypt every bit of consumer information, or widely deploy turn-key, platform-based, end-to-end encryption to ensure that those who have commercial, political, or humanitarian need for strong encryption have access to it.
American firms have left this void; it is unsurprising that other countries are moving to fill it. We are seeing this today in spades: Brazil, Britain, Canada, China, France, and Russia are all actively considering or implementing legislation that would, in one form or another, mandate exceptional access. Where encryption interferes with the needs of the state, states are placing substantial limits on encryption.
As firms develop technologies to accommodate the legal requirements of these states, we can expect network effects and economies of scale to kick in — we can expect to see other states imposing similar requirements for technologies used within their borders.
We could have cut this off at the pass. Had we gotten there first, we would have set the standards for responsible information stewardship, including what information the government can obtain access to and on what terms. Even though our values are generally more protective of the individual’s rights against the government, other states would have likely followed our technological lead. That would have been good for America and for the world. So long as the values embedded in our technology weren’t too far off from those held by other states, those states would accept our values to embrace our technology.
Instead, we have left those standards to be developed by countries that do not share our values. We have given up our ability to shape them. When it comes to encryption and the rights of the individual against the state in the information age, we have forfeited our ability to lead.
It is not too late. Most countries are still considering these issues, and those that have taken legislative steps to ensure the government maintains exceptional access to encrypted information will need to work with their political and technological partners. America needs to take a seat at that table, recognize that the moral absolutism of encryption exceptionalists conflicts both with our own needs and the fundamental values of most of our partners around the world, and find a way to lead again.