Honesty needed to break ‘impasse’ over cops versus encrypted data

The “contentious debate” over when and how law enforcement agencies can lawfully access encrypted data has reached an “impasse”, according to a new paper by the Washington-based Encryption Working Group.

“[These are] absolutist positions not actually held by serious participants, but sometimes used as caricatures of opponents,” the group wrote.

The paper calls for a “pragmatic” debate, with an understanding that no approach can ever address every concern perfectly. Stakeholders must accept that whatever path is taken there will be some level of risk.

“Cybersecurity advocates should not dismiss out of hand the possibility of some level of increased security risk, just as law enforcement advocates should accept that they may not be able to access all of the data they seek,” the group wrote.

Policy discussions should be “specific, honest, and open-minded” and include “diverse perspectives”.

“There will be no single approach for requests for lawful access that can be applied to every technology or means of communication,” the group wrote.

“Few public statements from national governments, for example, have distinguished between approaches for data at rest and data in motion. Similarly, when groups raise concerns about undermining encryption, they tend to emphasise the general risks versus those related to specific applications of encryption.”

The paper lists some debate guidelines, including the need to accept imperfection, and a recognition that security takes many forms and is intertwined with privacy and equity.

There also needs to be a balance between the need for a strategic approach and the need for technical detail, the paper said.

“The world of cryptography, digital communications, and data management is deeply technical; this complicates the broader societal conversation that is needed on encryption.”

“On one hand, more strategic, accessible approaches are needed to broaden this circle. On the other, some risks often can only be identified at very detailed, technical levels of investigation.”

The encryption question isn’t just about technology, the group wrote. Any proposal must also address process, infrastructure, and policy, otherwise there won’t be a full understanding of its risks and benefits.

It’s worth reading the paper in full. It outlines a set of core principles that any proposed encryption policy should follow, and an approach to identifying and weighing risks through practical threat scenarios.

It makes a lot of sense, and it’s only 27 pages.

Here’s just one hypothetical scenario it discusses: what happens at an international border.

“A border protection or foreign intelligence service, at the arrival or connection airport in their country, confiscates a traveller’s mobile phone to seek access to its contents without relying upon the traveller’s assistance,” the group wrote.

“Key questions: Could a foreign entity exploit or subvert the capability and proposed protections at an individual level? Would it provide new opportunities to subvert at scale?”

By contrast, the Australian government has stubbornly refused to discuss specific technical scenarios. No wonder the vague language that resulted has triggered so many fears.

For Australia, the challenge will be revisiting the encryption legislation with fresh eyes and a process structured as coherently as this one from the Encryption Working Group.

That would involve accepting that the original process was flawed, and that the legislation is flawed. It would also mean including the full range of stakeholders early in the process, and actually listening to them.

Is that even possible? Probably not. Our politicians will probably persist with the pointless puppetry of their parliamentary processes.

Disclosure: Stilgherrian wrote the Encryption Working Group’s country brief on Australia, for which he received an honorarium.
