The value of data is often in its limited dissemination. In other words, protecting data is frequently the same as protecting value—as in a credit-card number, a trade secret or even medical information. Recent events ranging from the Edward Snowden revelations to increasingly frequent security breaches at major organizations (private and otherwise) has raised awareness of the need for strong encryption. Unfortunately, however, not everyone is on board: government agencies—law enforcement in particular—regularly express concerns over encryption. Here is why strong encryption is better than the alternative.
Where We All Tend to Agree
There’s little dispute that better encryption techniques can help protect consumers, employees, patients and so on. Encryption can’t solve all problems, as MIT’s Technology Review argues regarding the Anthem breach, for instance, but it does solve some of them. Of course, no security is foolproof, so even strong encryption is vulnerable. Yet the benefits of broader use of encryption are cumulative: although they may not guarantee protection in individual cases, they make multiple breaches more difficult, which is particularly beneficial in the case of broad surveillance efforts. Furthermore, encryption increases the cost of hacking and thereby decreases the rewards, making the economics of hacking less compelling (whether at the individual or organizational level).
The disagreement is mostly over access by governments. Should technology companies give governments—particularly law-enforcement agencies—a “golden key” to their encryption techniques? That’s not a question of whether companies should defy legitimate court orders to reveal the data of so and so, but whether they should essentially build in a weakness that governments can exploit at will.
Encryption Helps Terrorists—And Everyone Else, Too
Around the world, government representatives are increasingly railing against strong encryption, claiming it hampers their ability to fight crime and terrorism (the precise distinction between these terms, however, is rather cloudy). Jeh Johnson, U.S. Secretary of Homeland Security, said in a talk at the RSA conference, “The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security...Our inability to access encrypted information poses public safety challenges. In fact, encryption is making it harder for your government to find criminal activity, and potential terrorist activity.”
But really, government is already doing a woeful job of handling ordinary crime, let alone that special class of crime called “terrorism” (whatever that word means). According to FBI Uniform Crime Reports, for property-related crimes—burglary, larceny/theft and motor-vehicle theft, clearance rates (the proportion of crimes resolved as far as law enforcement’s job is concerned) were no greater than 22.4% in 2013. That compares with a maximum of 18.2% in 2000 and about 20% in 1995. For violent crimes, the clearance rates are higher but still atrocious: only about 40% of rapes and less than two-thirds of murders and nonnegligent manslaughters in 2013. Robbery sits at just under 30%. The clearance rate for murders and nonnegligent manslaughters has seen little change since 1995. So, in other words, despite all the surveillance and police militarization, a murderer still has a one in three chance of getting off the hook. Laughably, the “best” place to kill someone is Washington, D.C., which has failed to solve over almost 60% of its murders—that’s better than a one-in-two chance of avoiding prosecution for a horrible crime.
What’s the point of harping on these statistics? The point is that despite a metastasizing surveillance and police state—for instance, civilian deaths at the hands of police far exceed those in many other countries, including China—the rates of unsolved crime remain largely unchanged over the past two decades. Yet government officials claim that strong encryption is a threat. If your property is stolen in the U.S., you are almost guaranteed that the cops will do nothing (successfully, anyway) to return it to you. If you suffer a violent crime, chances are good that your assailant will never be caught. So how much harm can encryption do?
On the other side of the coin, however, governments are notorious for being bloodthirsty monsters, as the twentieth century demonstrated. At least for common crime, government serves as something of a recourse—albeit a lousy one in many cases. When government is the aggressor, there is little or no recourse. It is for such reasons that limits on government power—including the power to snoop—are wise. Given the choice between violent criminals and violent government, the former is the lesser of two evils, particularly since violent crime in the U.S. is dropping even as killings by police rise.
Government Security Is Imperfect
Ignore for the moment the fact that governments shouldn’t be trusted with too much power, including with regard to encryption technologies. Governments also have imperfect security (like everyone else), so if they have special backdoor access to encrypted data, a smart or well-funded hacker could gain similar access either directly or indirectly. In other words, backdoors are weaknesses, and they don’t care who “owns” them or who uses them.
Strong encryption lifts all boats (including bad ones) to be sure, but that doesn’t mean the costs outweigh the gains. According to the Parliamentary Assembly of the Council of Europe, “Mass surveillance does not appear to have contributed to the prevention of terrorist attacks, contrary to earlier assertions made by senior intelligence officials. Instead, resources that might prevent attacks are diverted to mass surveillance, leaving potentially dangerous persons free to act.” Calls for weaker encryption to aid law enforcement amount to a boost in mass surveillance. The temptation to simply unlock everything regardless of absence of legitimate suspicion would be overwhelming.
Again, though, declining to give government a free pass to unlock all data is not the same as preventing government from accessing the data of actual suspects under the oversight of a court (particularly one that is more than just a rubberstamp for police requests). Encryption shouldn’t be viewed as a way around justice, but as means to both protect people and to prevent governments from gaining more power than is good for them (and for the people they govern).
If the U.S. is any indication, governments are awful at resolving crimes. Washington, D.C.—perhaps the most spied-on location in the entire country—is also the worst at bringing justice to murderers. As for property crimes, governments are essentially useless as far as helping victims find justice. So when law-enforcement agents claim that encryption is hindering their efforts, it’s sufficient to let the data speak for itself. A decade and a half of rising technology has done little to change clearance rates, judging from FBI statistics. The motivation for protesting encryption, therefore, is likely more nefarious, having more to do with money and control. For such reasons, stronger encryption is better.
Although encryption doesn’t solve all security problems, it is one tool that can help protect individuals and businesses, who must largely defend themselves rather than relying on law enforcement to protect them before or after the fact of crime.