Cybersecurity

Encryption

Background

Encryption is one of the most important technological mechanisms for protecting the privacy and security of data and data systems, but it has frequently been the subject of criticism by governments seeking to maximize the reach of their investigatory powers.

In 1996, a report by the National Academy of Sciences found that cryptography “is a most powerful tool for protecting information” and that “many vital national interests require the effective protection of information.” Since then, cryptographic systems have been essential to the development of the modern internet and advanced communications technologies that we rely on every day. Yet there have been many efforts by governments to weaken encryption standards by imposing extraordinary access requirements on communications providers, device manufacturers, and other companies that facilitate data storage or transfers. For the most part, these efforts have failed. Many refer to the debates around these cryptography issues as the “crypto wars.”

Government Regulation of Encryption

In the 1990s, the Federal Bureau of Investigation played a leading role in advocating for the prohibition of encryption techniques that would not “ensure” law enforcement access to encrypted communications. Officials at the U.S. Department of Justice worked closely with the National Security Agency to inhibit the development of truly secure and private communications systems. On April 16, 1993, the White House announced a proposal for the Clipper Chip, a cryptographic device purportedly intended to protect private communications while at the same time permitting government agents to obtain the “keys” upon presentation of what has been vaguely characterized as “legal authorization.”

Following this announcement, the Clipper Chip initiative was met with widespread criticism from technology and security experts. Believing that much of the criticism grew out of the fact that government agencies would hold spare encryption keys, the government sought to find more acceptable variations of the key-escrow concept. Beginning in 1994, the administration issued a series of proposals calling for the development of escrow-based software (also called “key management” and “key recovery”) by industry. Under these key escrow proposals, encryption keys would be given to a “trusted third party” who had been approved by the government and who would turn over keys in investigations. 

Civil liberties and privacy advocates strongly opposed any attempts to require key escrow, key recovery, or other means of accessing encryption keys, arguing that they are an unjustified restriction of individuals’ fundamental privacy rights, detrimental to security, costly, subject to massive abuse, and ultimately ineffective crime prevention methods. Computer security experts outlined the risks and flaws in the key escrow proposals in a 1998 paper entitled “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption.” Ultimately the Clipper Chip and key escrow proposals failed, and Internet systems built on strong encryption grew and thrived. But despite the failure of Clipper and related proposals, the Department of Justice has continued to push for policies and rules that would undermine strong encryption or “require” extraordinary access. The security experts later refreshed and expanded their critiques of key escrow proposals in 2015 in the report “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications.” 

Encryption in the Private Sector

Despite the success of early encryption technologies for files and other Internet system, there was not adequate deployment of strong “end-to-end” encryption for e-mail and other messaging services (i.e. encrypted from the sender to the recipient) until recently. For many years, Google—the company offering the most widely used email service in the world—not only failed to encrypt e-mail messages, the company actively scanned private emails for advertising purposes. Google did put an end to this practice in 2017, and most consumer-facing email services are seeking to improve message encryption in important ways. New purpose-built encrypted messaging services, like Signal, have recently been deployed to provide encrypted messaging functionality to a mass audience. However, many other aspects of our computer systems and digital infrastructure remain vulnerable. 

For one, cloud file encryption is an area that has lagged behind. Critical and sometimes sensitive information is now often stored in remote storage managed by service providers. These cloud storage systems can pose a multitude of risks for users. In a recent study of enterprise IT security decision-makers conducted by Tresorit, it was found that only 30% of respondents used a collaboration and file transfer service with fully integrated end-to-end encryption. When backup files are accessible by the service provider that stores them, they are potentially accessible to law enforcement via a warrant or other order even without prior notification to the user. In fact, many service providers even scan files uploaded to their servers to flag potentially “contraband” content. In August 2021, Apple announced a new CSAM detection mechanism that would scan users’ photos even before they are uploaded to Apple’s iCloud servers. Although Apple delayed the rollout of this new technology based on backlash from privacy and civil liberties advocates, the proposed change still represents a worrying shift towards on-device, client-side scanning. Matt Blaze, a cryptography researcher and the current McDevitt Chair of Computer Science and Law at Georgetown University, refers to the issues surrounding on-device scanning as part of “Crypto War III.” A group of prominent computer security researchers, including Professor Blaze, subsequently published a study of risks associated with this new form of extraordinary access, called “Bugs in our Pockets: The Risks of Client-Side Scanning.

In recent years, many tech companies—including Microsoft, Facebook, Amazon, and Google—have also started researching homomorphic encryption. As homomorphic encryption would theoretically make it possible to use and analyze encrypted data without actually decrypting it, the technique has often been regarded as “the holy grail of cybersecurity.” However, while homomorphic encryption may sound promising, the feasibility of its widespread application is not fully proven and existing systems contain security pitfalls. As the cryptography community continues to develop this technology, we may see a new phase of the “crypto wars” unfold. 

Government Interference With Private Sector Encryption

The government has continued to interfere with and attempt to weaken deployment of encryption in the private sector, with one of the most notable instances in recent years being the Apple vs. FBI case. The dispute arose out of a warrant application that the agency filed in the U.S. District Court for the Central District of California in December 2015, seeking assistance with the search of an iPhone that was seized during the investigation into the December 2015 attacks in San Bernardino, CA. The FBI was unable to access data on the locked iPhone and requested that the Court order Apple to provide assistance in decrypting the phone. However, because Apple had no way of accessing the encrypted data on the phone, the FBI applied for an order requiring Apple to create a custom operating system that would disable key security features on the iPhone. The Court issued an order requiring that this custom hacking tool be created and installed by Apple without unlocking or otherwise changing the data on the phone. Apple opposed the order on the grounds that it is unlawful and unconstitutional, arguing that if the order were granted, it would undermine the security of all Apple devices and set a dangerous precedent for future cases. EPIC filed an amicus brief in Apple v. FBI in support of encryption, arguing the FBI’s demand “places at risk millions of cell phone users across the United States.”

EPIC’s Work On Encryption

Since its founding more than 20 years ago, EPIC has been an advocate for the rights of consumers to use strong encryption. 

In the 1990s, EPIC led one of the first major Internet petitions in opposition to the Clipper proposal. Through the Freedom of Information Act, EPIC obtained documents that demonstrated conclusively that the Federal Bureau of Investigation believed that Clipper-type encryption must be mandated within the United States. EPIC also filed amicus briefs in two important cases concerning export controls and other restrictions on the use of encryption software, Bernstein v. U.S. Department of Justice, 176 F.3d 1132 (9th Cir. 1999), vacated, 192 F.3d 1308 (9th Cir. 1999), and Karn v. U.S. State Department, 107 F.3d 923 (D.C. Cir. 1997). The district court decision in Bernstein established that code is speech and that restrictions on the dissemination of encryption software burdened the First Amendment rights of a computer researcher. Ultimately, the Clipper Chip proposal and efforts to ban strong encryption were defeated.

Since then, EPIC has continued to advocate for the need for end-to-end encryption through various litigation and policy efforts. On July 2nd, 2020, the Senate Judiciary Committee unanimously approved the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020 (S. 3398) by a vote of 22-0. In a statement to the Committee on a previous version of the EARN IT Act, EPIC supported both end-to-end encryption and reform to Section 230 of the Communications Decency Act, pointing out that actual end-to-end encryption “protects users, promotes commerce, and ensures cybersecurity.” EPIC recommended that the EARN IT Act make clear that liability should not be imposed for a secure end-to-end encrypted communications system that safeguards the security and privacy of users. The Senate Judiciary Committee adopted an amendment from Senator Patrick Leahy that clarified that companies that provide end-to-end encryption are not subject to liability because they cannot access user communications. 

EPIC has also played a key role in the development of the international framework for cryptography and privacy policy, including helping to establish the OECD Cryptography Guidelines in 1997. Subsequently, EPIC prepared a report entitled Cryptography and Liberty 2000, which outlined the state of international cryptography policy at the time. In June of 2021, EPIC joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. As it stands, the text could force companies using strong security protections – such as end-to-end encryption – to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses.  

Recent Documents on Encryption

Support Our Work

EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.

Donate