Recent bills proposed in New York and California, make the bold move to authorize automatic decryption of end-user devices such as your smartphone or tablet as long as a search warrant is in effect. No need to ask the owner of the encrypted instrument about decryption keys.
Currently, there is no legal emergency access permit for local cops to enter your smartphone, unlock it, and decrypt its contents in case of emergency. Should they have one? While devices can be taken into custody, inspected, and used as evidence in the court of law, the challenge has always been extracting data that is encrypted too well to decode. In some legislatures, the policy response has been to require the owner or user to reveal any decryption keys at the request of the court or one of its officers. However, the issue becomes more complicated when such legislation is not in place, or when the person in question is unwilling or unable to reveal the decryption key. Should local law enforcement be granted the mechanisms and authorization to request decryption of the data spontaneously? Of course, these devices are used for activities that are against the law, and thus become valuable to law enforcement during investigations and court cases but so are firearms but we are not required to tell the government how many we own or provide ballistic fingerprints for each and every one of them.
Fire… In Your Smartphone
Most buildings have mandatory emergency exits as well as legal instruments that permit emergency entry though they are less visible. The motivation behind emergency exits is apparent, no one wants legal or mechanical barriers to running for his or her life if a fire breaks out. Nor does anyone get terribly worried about the fact that the fire brigade and cops are legally allowed to enter the building, even by force, should they have a reason to do so. However, are mobile devices similar to buildings? Surely they have no emergency exits except maybe blocking or deleting members off of your friend list. Still, the legal conception of the “right to be forgotten” as the French and Europeans call it, is not unlike granting anyone freedom to leave a friend list or to have their messages and pictures erased from a website. No legal grounds seem to have been required to make such features available, and although one cannot escape entirely, partial emergency exits are available.
A Sword in the Hands of Fools Cuts Deep
Like any weapon or tool, it can be used for good and for ill. Lawmakers and scholars alike have tried to solve the question of how to both protect the people from tyranny and still provide the government with the essential tools to enforce its authority. The final solution remains unclear, and there is good reason to believe that no ultimate solution even exists. The same goes for the question of encryption. Some ten years ago during an Intelligence Security Conference in the Swiss Alps, the question was asked, “Do terrorists encrypt their communications?” The heavily researched response was, at the time, a strong no. The evidence showed that even weak encryption was rarely, if ever, used in serious criminal activity and terrorist planning. If all that was true, why then is the legal instrument to provide governmental backdoors backed up by citing petty crime and terrorism?
There are numerous examples of privacy violations stemming from the use of legal or mechanical backdoors, but in practice, their effect usually is quite different than what’s intended. The question is therefore whether that kind of capability should be institutionalized, and whether the people and nation benefit from both the planned and unintended effects. I strongly feel that the negative consequences of governance by fear are far greater than the supposed benefits of national security. So far. It is pretty clear that I am not alone in this feeling.