Beyond the Crypto Wars: Outcomes from Crypto Summit 2.0

For decades policymakers in the United States and around the world have been debating the use of encryption. Today, Access Now is releasing four reports to move the conversation beyond the superficial. You can jump straight to the reports here.

As the world has become increasingly digital, it has become easier for law enforcement professionals to conduct active and passive surveillance. And the digital record we leave behind is a treasure trove for prosecutors seeking to put criminals behind bars. At the same time, as more of our lives become digital, more of us are demanding strong security and protection for our private information, to keep it safe from theft and prying eyes. Manufacturers have responded to this demand by increasingly encrypting our devices and our communications so they remain secure.

Nearly everyone agrees that encryption and digital security is inherently a good thing. It reduces crime, enables commerce, protects our critical infrastructure, and safeguards human rights. However, it also makes it more difficult for law enforcement and prosecutors to get the data they would like to have access to.

For nearly 40 years, we have debated what to do about this situation. Some have suggested creating a backdoor or a key that law enforcement could use to unlock encrypted communications with a valid warrant. The problem is that any such backdoor or key undermines security for everyone. You can’t create a security vulnerability that can’t be exploited by the bad guys as well as the good. Despite law enforcement’s concerns, the United States government has continued to support the development and deployment of strong encryption.

Yet the conversation about encryption has kept many people busy, representing a constant distraction. This has meant that other critical conversations have not advanced. For example, there was intense debate over encryption in the fight over the iPhone used by the San Bernardino shooter. Yet the case — Apple vs. FBI — was resolved when the FBI hired a private contractor to hack the phone.

Everyone expects law enforcement to pursue every legal avenue, but we’ve never had a public conversation about the limits to government hacking. We don’t know what protections are in place for our privacy and security, and it’s not clear whether data obtained by hacking can even be used in a court of law. Instead of repeating dead-end arguments about encryption backdoors, we could be asking other questions. What are our current practices? Should we require the FBI to disclose the vulnerabilities they buy so that these security flaws can be fixed? Should we increase funding to the FBI to build out a hacking department?

We don’t have any answers yet because these discussions are not happening in the U.S. Congress or even — to a large extent — within civil society.

Access Now is working to fix that. In July of 2015, we convened the Crypto Summit where we brought together experts to identify the policy questions that have been neglected. And then, in March of 2016, we convened the Crypto Summit 2.0 in San Francisco to begin addressing them.

It is not possible to answer all policy questions in a single session. However, we wanted to move the conversation forward by creating the beginnings of a body of work on these crucial but neglected topics. It is our hope that other interested organizations will review these documents and advance them. In each track, we have suggested where further work is necessary.

We asked participants to begin to address four policy questions that were identified in the first Crypto Summit. Today, we’re releasing four reports, each representing the work of one working group.

Track 1: What are the rights and responsibilities of both companies and law enforcement in an increasingly encrypted world?

In this panel we identified a structure by which to compare the relative value of alternatives to mandated access. We identified factors to compare these techniques and applied these factors to government hacking as a case study.

Track 2: What are, and how can we quantify, the costs of mandating encryption standards in a borderless digital economy?

In this panel we segmented the industry into layers through which to define costs, and examined costs for each of those segments. We also identified what information is necessary in order to quantify these costs.

Track 3: How can we measure and quantify the benefits of strong encryption?

It is difficult if not impossible to define a negative. In this panel we compiled narrative stories which attempt to quantify the value of encryption, predicted the next stage of debate, and proposed several counter-narratives and talking points.

Track 4: What are the barriers to further adoption of encryption?

In this panel, we touched on some of the technical barriers to adopting encryption, but focused on developing projects that could overcome real-world barriers and help deploy strong encryption across industries.

We at Access Now look forward to continuing to work with civil society and other interested groups to fight for both strong security and protection of human rights.