New Report On Encryption Confirms There's More Of It, But Still Not Much Of A Problem For Law Enforcement
from the brute-forcing-mountains-out-of-molehills dept
CSIS (Center for Strategic and International Studies) has just released its report on encryption and it comes to the same conclusions many other reports have: encryption is good for everyone and law enforcement fears are overstated and mostly-unrealized. (h/t Kevin Bankston)
The report [PDF] opens up with this statement:
It is in the national interest to encourage the use of strong encryption. No one we interviewed in law enforcement or the intelligence community disagreed with this.
The disagreement comes when law enforcement is prevented from pursuing investigative leads because of encryption. According to FBI Director James Comey and Manhattan DA Cyrus Vance, encryption is already a huge problem for law enforcement and will only get exponentially worse in the next few years. The CSIS report rebuts both of these statements.
While encryption use is growing rapidly, the share of traffic that is both of interest to law enforcement and unrecoverable is still relatively small. Most companies use encryption that allows law enforcement agencies to recover plaintext data. Most e-mail, if it uses encryption, also allows for recovery. Currently, an estimated 18 percent of global communications traffic is end-to-end encrypted. It is estimated that 22 percent of communications traffic will be end-to-end encrypted by 2019.
This is far from the encryption apocalypse promised by Comey and Vance. There's an incremental increase taking place, not an exponential one. What could pose serious problems, though, is encryption-by-default on smartphones. As the report points out, if Android devices go the way of iPhones, 99% of the world's phones would keep law enforcement locked out.
But that's only if law enforcement isn't able to access data and communications through device manufacturer/service provider cooperation, third-party app developers, email providers, and other, more old-fashioned techniques. One sure way to beat device encryption is to obtain the passcode from the user. This won't help much when the phone's owner is dead or can't be located, but compelling the production of a password is still far from settled, constitutionally-speaking. For phones secured with a fingerprint, owners are likely out of luck. A couple of courts have already reached the conclusion that providing a fingerprint isn't testimonial and has no Fifth Amendment implications.
CSIS could have put together a better estimate on how many investigations are thwarted by encryption, but law enforcement agencies -- even those fronted by encryption opponents -- aren't interested in sharing this data with the public. The report points out that the problem remains mostly theoretical. Without data, all we have are assertions from law enforcement officials that something must be done. Failure to legislate backdoors or bans will apparently lead to a sharp uptick in criminal activity… except that's not happening either. The report points out that there's no data linking increased default encryption to increases in criminal activity.
As for the world's terrorism, encryption is seldom a barrier to investigations or surveillance. There's no shortage of access points to intercept communications while they're still decrypted (or post-encryption stripping). According to the CSIS report, 90% of the world's instant messages are still accessible by law enforcement, even without interception. With surveillance data-sharing being the new normal in the US, law enforcement agencies will be able to dip into NSA collections to obtain communications that might otherwise be inaccessible through a suspect's device.
The report notes that there's likely no consensus to be reached on the encryption issue. Because it protects both criminals and the innocent, it's difficult to see a nation's government -- at least those in the Western half of the world -- deciding to eliminate innocents' protections in hopes of nabbing a few more criminals. In the United States -- where certain rights have been long enshrined (if far too frequently ignored) -- the chance of anti-encryption legislation remains lowest. And, as the report's authors note, if the US doesn't make a move to curb encryption, it's unlikely the rest of the free world will do so on their own.
The law enforcement agencies making the most noise about encryption are doing the least to help their own cause. Most of what's offered is anecdotal, rather than data-based. According to the FBI's own testimony, it only has about 120 inaccessible phones in its possession. As for other law enforcement agencies, the numbers are mostly unknown. Those that have chosen to make their numbers public have failed to show anything more than the expected rise in inaccessible phones due to default encryption. While the locked devices may number in the hundreds (Cy Vance's office says 423 locked phones were seized in a two-year span, which -- according to the office's numbers -- is still only a third of the devices in law enforcement custody), they're still in the minority of those obtained.
These numbers will increase as the use of encryption increases, but if law enforcement and intelligence agencies don't like the way the future looks, they really only have themselves to blame. The report notes that the Snowden leaks -- which detailed massive surveillance programs operating under almost-nonexistent oversight -- prompted an encryption revival, both in terms of individuals doing more to ensure their privacy as well as well as device manufacturer encryption implementation.