Skip to main content
  • Sections
  • Search

Center for Strategic & International Studies

User menu

  • Subscribe
  • Sign In

Topics

  • Climate Change
  • Cybersecurity and Technology
    • Cybersecurity
    • Data Governance
    • Intellectual Property
    • Intelligence, Surveillance, and Privacy
    • Military Technology
    • Space
    • Technology and Innovation
  • Defense and Security
    • Counterterrorism and Homeland Security
    • Defense Budget
    • Defense Industry, Acquisition, and Innovation
    • Defense Strategy and Capabilities
    • Geopolitics and International Security
    • Long-Term Futures
    • Missile Defense
    • Space
    • Weapons of Mass Destruction Proliferation
  • Economics
    • Asian Economics
    • Global Economic Governance
    • Trade and International Business
  • Energy and Sustainability
    • Energy, Climate Change, and Environmental Impacts
    • Energy and Geopolitics
    • Energy Innovation
    • Energy Markets, Trends, and Outlooks
  • Global Health
    • Family Planning, Maternal and Child Health, and Immunizations
    • Multilateral Institutions
    • Health and Security
    • Infectious Disease
  • Human Rights
    • Building Sustainable and Inclusive Democracy
    • Business and Human Rights
    • Responding to Egregious Human Rights Abuses
    • Civil Society
    • Transitional Justice
    • Human Security
  • International Development
    • Food and Agriculture
    • Governance and Rule of Law
    • Humanitarian Assistance
    • Human Mobility
    • Private Sector Development
    • U.S. Development Policy

Regions

  • Africa
    • North Africa
    • Sub-Saharan Africa
  • Americas
    • Caribbean
    • North America
    • South America
  • Arctic
  • Asia
    • Afghanistan
    • Australia, New Zealand & Pacific
    • China
    • India
    • Japan
    • Korea
    • Pakistan
    • Southeast Asia
  • Europe
    • European Union
    • NATO
    • Post-Soviet Europe
    • Turkey
  • Middle East
    • The Gulf
    • Egypt and the Levant
    • North Africa
  • Russia and Eurasia
    • The South Caucasus
    • Central Asia
    • Post-Soviet Europe
    • Russia

Sections menu

  • Programs
  • Experts
  • Events
  • Analysis
    • Blogs
    • Books
    • Commentary
    • Congressional Testimony
    • Critical Questions
    • Interactive Reports
    • Journals
    • Newsletter
    • Reports
    • Transcript
  • Podcasts
  • iDeas Lab
  • Transcripts
  • Web Projects

Main menu

  • About Us
  • Support CSIS
    • Securing Our Future
Photo: Adobe Stock
Commentary
Share
  • LinkedIn
  • Facebook
  • Twitter
  • Email
  • Printfriendly.com

Posturing and Politics for Encryption

February 17, 2016

The encryption debate has been largely unencumbered by facts. That deserves a separate discussion, but for now, let us consider Apple’s stout refusal to cooperate with the FBI in gaining access to data stored on the phone of one of the San Bernardino murderers.

Apple’s motives are clear, if not clearly expressed. The Snowden revelations damaged the brand of all American technology products. To assuage their customers, some companies offer “end-to-end” or unrecoverable encryption. It is the growth of these commercial encryption services offering unrecoverable encryption to a mass market that is of the greatest concern to law enforcement and intelligence agencies. To reassure a global market, these companies announce they will not cooperate with American authorities. This is a reasonable response to rebuild credibility, but it is not sustainable.

Let’s clear away a few egregious errors before we examine this in detail. First, the encryption debate is not about backdoors. Use of the term “backdoor,” is both pejorative and misleading. A backdoor is a flaw or access point intentionally introduced into software to allow access to unencrypted text. To argue against backdoors is a sham, since what law enforcement agencies want is access to the plain text when this is authorized by law. Access by intelligence agencies is a different matter that will be discussed separately. Pretending that a desire for backdoors drives government policy misses the point. What law enforcement agencies want is access to plaintext – the unencrypted message or traffic.

Most encryption products provide access to plaintext because this is what customers want. Companies and individuals want to be able to “recover” plaintext in those cases where an encryption user loses the ability to access their encrypted content – a forgotten password, a programming flaw, or a lost key. Companies want recoverable encryption for liability reasons and for corporate due diligence. They do not want their employees to engage in surreptitious or illegal behavior. No corporate General Counsel would allow the use of unrecoverable encryption by anyone in their firm and it would be surprising if any of the big tech companies currently battling the government let their employees use unrecoverable encryption. Some of the big internet service providers also use recoverable encryption because it is consistent with their business models. A company cannot mine traffic for advertising purposes if it is encrypted in ways that prevent anyone but the sender and recipient from seeing the content. Anyone who talks about backdoors is either uninformed or attempting to manipulate you.

Second, the debate is not solely about the American market or American policy. What will drive this debate is the global market. Foreign consumers want assurance that the U.S. government cannot access their data. A minority of foreign consumers- largely people who go to Burning Man or Earth Festivals at Stonehenge - want to escape any government surveillance, but the source of most foreign outrage is Snowden’s revelations about U.S. activities.

This outrage is based on understandings that are neither fair nor accurate, but that is beside the point. The release of the Snowden documents was done in a way to cast a harsh light on the United States while ignoring what other countries do - Snowden’s obsequious conversation with Putin about Russian communications surveillance was an embarrassing indicator of this slant. The point to bear in mind is that most countries surveil the communications of their own citizens and they are unlikely to stop. A few - those with resources and interest - surveil communications in other countries. They are also unlikely to stop. Powerful information technology companies could steamroll smaller nations into accepting end-to-end encryption, but that will not work with big countries. China, for example, has one of the most sophisticated and complete monitoring systems in the world. Let’s imagine a conversation between Apple and China similar to the one Apple is having now with the FBI:

Apple: “We won’t cooperate.”

Chinese Government: “You’re out.”

When your second biggest market tells you to play ball or else, (objections from Chinese consumers are unlikely to influence government decisions about encryption), it is a rare company that will sacrifice itself. Nor will it be politically sustainable to accede to requests from authoritarian governments while denying requests from democracies. China is putting an immense effort and billions of dollars into building an independent and competing IT industry to avoid the perceived risk of using foreign products. This is a somewhat paranoid, and won’t really improve security, but China is not alone in its concerns. To pick a few, the United Kingdom, France, and other northern European countries (except perhaps Germany), Brazil, India and Russia all share concerns about encryption and want to have the ability to gain access to plaintext under varying degrees of lawfulness.

That is actually what the global encryption debate is about - what are the rules under which a government can access plaintext, and what transparency and oversight is required in this process. Concern about American products is driven by the belief that there are no constraints, little transparency, and no oversight (by the consumers own government) on U.S. agencies’ access to their data. Europe is the most passionate, but other markets have similar, if less vehement worries about U.S. practice. Frankly, Americans should have similar concerns about other nations, including European nations, on how they are surveilled when they visit other countries. A little reciprocity is in order.

This might point to the way ahead on encryption - common reciprocal rules on accessing plaintext and a degree of transparency for both rules and requests. Reciprocal rules could resemble agreements among governments, similar to agreements to cooperate against money laundering, drug trafficking or other transnational threats to public safety. These agreements are apolitical in a way that it will be difficult for encryption policy to match to a degree, but not impossible. The recent efforts led by the UK to streamline the process for serving warrants in another country - called Mutual Legal Assistance Treaties or MLATs - are an example of this kind of agreement, although the UK effort has been mischaracterized, even demonized, in the media.

A sustainable encryption policy needs to be perceived as legitimate by the global market. The key to legitimacy is that citizens will accept actions from their own governments that they will not accept from other governments (particularly the U.S.). The best outcome would a multilateral agreement that let people secure their data with the strongest possible encryption, using products that allow for the recovery of plaintext by national authorities under agreed rules. This may not please privacy zealots, but it will complicate the lives of people using encryption for nefarious purposes.

James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2016 by the Center for Strategic and International Studies. All rights reserved.

Written By
James Andrew Lewis
Senior Vice President and Director, Strategic Technologies Program
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173
Related
Commentaries, Critical Questions, and Newsletters, Cybersecurity, Cybersecurity and Technology, Defense and Security, Innovation and Digital Transformation, Intelligence, Surveillance, and Privacy, Strategic Technologies Program, The Effect of Encryption on Lawful Access to Communications and Data

Most Recent From James Andrew Lewis

Upcoming Event
Surveying the US-EU Trade and Technology Council (TTC) State of Play
July 12, 2022
Commentary
Cyber Crime and Antitrust
By James Andrew Lewis
June 22, 2022
On Demand Event
The Future of Quantum – Powering the Innovation Ecosystem from the Private Sector
June 21, 2022
In the News
Anticipated Roe Reversal Brings Wave Data Security Reforms
The Washington Post | Joseph Marks
June 16, 2022
On Demand Event
'Never Trust, Always Verify': Federal Migration to ZTA and Endpoint Security
June 16, 2022
Report
Cyber War and Ukraine
By James Andrew Lewis
June 16, 2022
Report
“Never Trust, Always Verify”: Federal Migration to ZTA and Endpoint Security
By Emily Harding, James Andrew Lewis, Suzanne Spaulding, Rose Butchart, Jake Harrington, Devi Nair
June 16, 2022
On Demand Event
Book Launch: Cyber Persistence Theory, Rethinking National Security in Cyberspace
June 14, 2022
View all content by this expert
Footer menu
  • Topics
  • Regions
  • Programs
  • Experts
  • Events
  • Analysis
  • Web Projects
  • Podcasts
  • iDeas Lab
  • Transcripts
  • About Us
  • Support Us
Contact CSIS
Email CSIS
Tel: 202.887.0200
Fax: 202.775.3199
Visit CSIS Headquarters
1616 Rhode Island Avenue, NW
Washington, DC 20036
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173

Daily Updates

Sign up to receive The Evening, a daily brief on the news, events, and people shaping the world of international affairs.

Subscribe to CSIS Newsletters

Follow CSIS
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram

All content © 2022. All rights reserved.

Legal menu
  • Credits
  • Privacy Policy
  • Reprint Permissions