The Crypto Policy Debate Redux and a Possible Way Forward
Lance J. Hoffman
I feel like I have been transported back 20 years in time. Comments made by FBI Director James Comey and Attorney General Eric Holder, Jr. against the use of stronger encryption by Apple and Google and responses from the computer industry (and others) about the importance of privacy and of customer trust echo the Great Clipper Chip Debate in 1993-1994. Many of the very same issues were being discussed and the same arguments were being made then as now. Even the same solution -- cryptographic key escrow – is being proposed, just as it was in 1993 by the National Security Agency.
The Washington Post editorial of October 4, 2014 that suggested that Apple and Google could invent a “secure golden key” prompted my response in a letter to the editor that was published on Wednesday, October 8. There I pointed out that such a “solution” begs several questions, which I mentioned there, including who trusts whom and whether the benefits are worth the costs.
Many of the arguments being trotted out today are old chestnuts, covered in my 1995 anthology Building in Big Brother: The Cryptographic Policy Debate, published by Springer-Verlag, where 54 of the (then) most relevant articles and documents are collected in one place. The section headings show the depth and breadth of the issues we wrestle with today, even though they were written 20 years ago:
1. Cryptography (from Julius Caesar through Public Key Cryptosystems): Methods to Keep Secrets Secret
2. Key Escrow Cryptosystems: Keeping Secrets Secret Except When …
3. The U. S. Government Policy Solution: Key Escrow Cryptosystems, Policies, Procedures, and Legislation
4. The Policy Debate: How Controlled a Global Information Infrastructure do We Want, and Who Decides?
5. Law Enforcement: What Does It Cost to Commit a Perfect Crime?
6. Civil Liberties: Safeguarding Privacy (and More) in a Digital, Tappable Age
7. Export Policy: Prudent Controls in a Risky World or Making the World Safe for Foreign Competition?
But back then, almost nobody was discussing the Internet of Things, Big Data analytics, or cyberwarfare. And, of course, 9/11 had not occurred, nor had Edward Snowden revealed NSA secrets. It’s time for open research on technological methods that allow us to maintain a free society, including better technological architectures to make the Internet more secure. It’s also time for serious research on the economic, political, and social costs and benefits of the proposed solutions.
Some nascent work by my former student Jonathan Berliner has developed an early model for assessing surveillance costs and benefits, and it comes with a publicly available spreadsheet. I’m sure that the model and spreadsheet can be refined. But of interest here is that different stakeholders may have wildly different evaluations of what works and what doesn't work, and just laying these on top of each other (facilitated by the spreadsheet providing a common frame of reference) will move the discussion along.
If you are interested, try building your own model on top of it, or tweak it. Let me know if you get any interesting results.