For more than a year now, this site has posted dozens of articles critiquing the US government’s claims that it needs a method of accessing encrypted digital communications lest criminals and other ne’er-do-wells be able to “go dark” from the eyes of law enforcement and intelligence agencies. Meanwhile, just about everyone else, including tech companies and some of the world’s foremost information security minds, maintains that there’s no way to provide such access without weakening the backbone of online security to a nearly unacceptable extent. But what if everyone has been missing the forest for the trees?
Just Security editors Jonathan Zittrain and Julian Sanchez are among a group of experts from many walks of life gathered by Harvard’s Berkman Center for Internet & Society who have just released a new report, Don’t Panic: Making Progress on the “Going Dark” Debate, urging privacy advocates, government officials, and technology companies to reframe the debate about surveillance and encryption. The Berkman group, made up of everyone from privacy advocates to government officials, found that both sides of the so-called “going dark” debate have valid concerns, but that instead of focusing on encryption, it’s time for all of these constituencies to start examining the larger trends in the evolution of the Internet to better frame the debate about privacy, surveillance, and security.
You might not agree with all of their findings, but at the end of the day, this report is a genuine, and much needed, attempt to advance an incredibly important conversation. Here’s a quick rundown of their key findings:
• End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
• Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
• Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
• Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
• These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.
As Jonathan wrote in a post on Lawfare, “The label is ‘going dark’ only because the security state is losing something that it fleetingly had access to, not because it is all of a sudden lacking in vectors for useful information.” And as he went on to say, “we are hurtling towards a world in which a truly staggering amount of data will be only a warrant or a subpoena away[.] … That’s why this report and the deliberations behind it are genuinely only a beginning, and there’s much more work to do before the future is upon us.”