Encryption Policy, from past to present and what lies ahead

good afternoon please join me in welcoming amy stepanovich amy is the executive director of silicon flat irons an interdisciplinary research center at the university of colorado law school she is a nationally recognized expert in domestic surveillance cyber security and privacy law today she'll be presenting her talk encryption policy from past to present and what lies ahead thanks amy thanks so much matt i hope everybody can hear me i'm gonna go ahead and turn on

slides hey i'm so excited um to be here virtually with you all for besides boulder i moved to colorado in um 2019 which seems 20 lifetimes ago now um but it's been really a wonderful experience being here and getting to see the inaugural meeting of besides boulder and i hope it becomes everything that i know it will be so as matt said my name is amy stepanovich i before coming to colorado spent nine years in public advocacy around tech law and policy i was at the electronic privacy information center and then followed up working on international issues at access now and i've been working on encryption policies since 2011 and i have to say i don't think there's

a single talk that i've given since 2011 where i haven't begged people to make it so i don't have to work on this issue anymore let's figure out a resolution to this um because i think that this is one of the very very few issues that everybody tends to agree on so i came to colorado as i said starting in july 2019 working at the silicon flatiron center which is the center at cu law focused on technology law entrepreneurship and policy and it's been such a great experience and i've been able to bring some of the work that i did on encryption in dc here in the boulder including working on the encryption compendium which is now a resource

that's available um featuring a lot of the resources that i'm going to talk about today so i'm going to start with a little level setting um and sprinkle throughout the presentation you're going to find a few photos and some of them i'm going to explain including this one this is a screenshot of a kindle um of a book in this expanse series um a science fiction novel taking place a long ways into the future and i found it really fascinating that they're still talking about security flaws and data breaches um in a book that supposedly takes place that far in the future and i think one of the reasons is um that encryption is is really an

unsteady place and we could still be we could be laying the groundwork now for issues that are going to stay with us long into the future and so the three terms that i want to introduce that you're all probably familiar with but i want to talk about them in the way that policy folks tend to talk about them um one is the term strong encryption which has a vastly different meaning depending on what side of the encryption fight that you're on if you're fighting in favor of encryption strong encryption is going to mean the strongest encryption you could possibly have in the in whatever technology you're utilizing so what is the the best way that you can secure the

data within the constraints that you're working within however if you're one of the people that tends to think that having limits on encryption is yeah you can do that is a good thing then you are going to think of strong encryption perhaps as certain encryption that's good but maybe not as good as it could be um backdoors is another term that might be having that you might have technical understanding of um legally speaking we like to use the term backdoor to mean any design changes made to facilitate access to data um so that could be exceptional access it could be called lawful access using a term like backdoor in the policy space allows us to provide a term that the

general public can understand and conceptualize um encryption workarounds to mean and the final term is the term warrant proof and generally the introduction of the term warrant will tend to lead to some ideas of the fact that law enforcement has an authority and ability to access information but a warrant is a legal construct what's given when you have demonstrated probable cause for a search or seizure it provides a legal right but not a practical certainty around access so there have always been warrant proof searches that have been made available whether the evidence was destroyed or made available through other means um the warrant has never provided an assurance that the search is going to be successful

so with those terms in mind what are the arguments in favor of encryption um and they range and many of you are going to be familiar with one of with many of these um from limiting vulnerabilities and protecting individual security encryption could be a marketing mechanism something that people use to say that their product is really good it could be a way to differentiate themselves on an international marketplace or a response to international regulations um it can be used to increase the efficacy of a project of a product or for the protection what i've always argued of human rights and civil liberties for people around the world on the other side there are several arguments against encryption law

enforcement says that encryption creates a zone of lawlessness and what they mean is it increases their difficulty in investigating certain crimes when it's present and it keeps them from accessing evidence that they're trying to get to in addition to keeping them from accessing certain information it can slow down investigations um and many of you might remember in the wake of the appleby fbi request um on the iphone there was a statement that there might be a dormant cyber pathogen on this iphone and that speed was necessary to break the encryption on the phone in order to get access to it as quickly as possible um this is i think an argument that didn't hold a lot of water um and people

generally didn't tend to agree with but more outside of that specific piece speed it does can slow down investigations um in addition it changes with the alternative alternative methods of investigation available um some of those methods can be quite costly and so it can increase the cost of the investigation um it also can prevent access to some information that aren't that isn't available through those alternative methods

so with the basis of understanding let's dive into the past of the encryption debates and where these debates have come from so aaron burr um at this point we've all seen hamilton it's on disney plus now it's easy to get access to he fought in the revolutionary war he was the third vice president of the united states um and he was also involved in the first legal battle on encryption there wasn't a song about that so you may not know um in 1805 shortly after he left the vice presidency byrd traveled west and he formed partnerships with several individuals who were quite powerful at the time the true story of what he was plotting is really unclear

up till today however in 1807 on account of whatever he was doing he ended up facing trial for treason under the orders of president thomas jefferson he was eventually found not guilty however during trial a letter was introduced as evidence that was written in a cipher and another witness was meant to decipher and explain the letter however they did call upon charles bur burr's charles willie apologies first personal secretary to authenticate that the letter was written by burr himself um basically they asked him if he could understand the letter because if burr's personal secretary could understand the letter then they could say that it was written by burr um instead charles really tried to claim his

fifth amendment right to avoid self-incrimination um the court ultimately held that he did have to answer the question and that merely by stating that he understood the letter wasn't going to violate his fifth amendment rights but it did provide this strange little blip on the screen um of encryption law that dates all the way back to the founding of the country so we can fast forward quite a bit um to the 1990s and in fact to 1993 when the clipper chip was introduced and the clipper chip was a physical chip that was meant to be inserted into hardware um based on what was presented as a powerful algorithm known as skipjack um each chip would

have a key that key would be split into two and each part would be stored in a different government database um either nist or the treasury the clipper chip was officially adopted by the government in february 1994 however mere months later in june matt blais would publish a paper showing critical vulnerabilities in the clipper chip which was supposed to be i'm incredibly strong and he almost single-handedly placed a big nail in the clipper ship's coffin but the government wasn't dismayed um they came up with a new proposal for a new system for key escrow so they learned not to rely on a specific algorithm um but required that no key could be longer than 64 bits

and the keys would have to be held by registered government agents they went through a lot of different proposals to try to make this key escrow system work but at the time because of the opposition around clipper chip there was pretty good organization and people were able to make really well organized and effective arguments that the system was a failure and defeated and pushed back the government from being able to implement a key escrow system still the government wasn't down um and they could instead rely on something that had been in place since the 1970s specifically export controls so starting in the 70s all products using encryption were controlled under export control regulations and they required a license to export

them out of the country this kind of existed quietly until the 1990s when it became a source of contention um in the middle of the clipper chip in the kiesgrove fights the government wanted to delay the expansion of encryption that they couldn't crack from reaching other countries in effect this created a series of quote-unquote export-grade encryption that was significantly weaker and could be used overseas but it impacted international sales from companies and really hurt american business the controls were challenged in court including by the electronic frontier foundation or eff who argue that code is speech and requires the same protections as speech an answer to this mounting opposition commercial encryption was removed from the munitions list in october 1996

and non-military encryption was removed from the u.s munitions list over to the department of congress just the next month um however it still required a license and would continue to require a license until september 1998 when several categories were removed and it wasn't until 2000 that all of the virtually all of the license requirements were removed for exporting encryption so a lot of good victories um in support of the development and use of encryption in the 1990s and there was in fact one more major victory to triumph at this time and that came in the form of the computer communications assistance for law enforcement act or kalia as it's generally called which was passed in

1994. kalia isn't generally seen as a as a good thing in the tech space it forces telephone companies to redesign their network architectures to make it possible for law enforcement to wiretap telephone calls cleo was expanded in 2005 so it would include isps and voice over internet protocol excuse me um discussions around kalia generally consider the extent to which it was going to impact encryption so they weren't sure how to deal with encryption when they wrote kalia and people were in disagreement how it would be written into the law however when khalia passed the terms of the law have specified and continue to specify that it does not apply to information services so it was

maintained to only apply to telephone companies essentially and that it couldn't be used to block encryption that was applied by a third party so it protected the use of encryption so long it was it wasn't implemented by the provider themselves these protections and the fight back against the clipper chip and export controls are what have allowed encryption to grow and to develop into what we know today and to remain on the books despite all of these different efforts to edge those protections backward after the 1990s the conversation on encryption went relatively quiet for a while um in the early 2000s there was a lot of arguing about government surveillance about the usa patriot act but very little talk on the ability to

develop or use encryption this would change in 2009 when the fbi started using the term going dark and the term was popularized in 2011 in testimony by then fbi general counsel valerie caproni who said and this is a quote as the gap between authority and capability widens the government is increasingly unable to collect valuable evidence in cases ranging from child exploitation and pornography to organized crime and drug trafficking to terrorism and espionage evidence that a court has authorized the government to collect this gap poses a growing threat to public safety so that was caproni saying that their systems were going dark and they needed to be able to find a way basically past encryption to preserve

their evidence gathering capabilities these efforts have kept up since then um former fbi director james comey called for a serious conversation on encryption and his calls have been maintained by director christopher wray deputy attorney general rod rosenstein and attorneys general jeff sessions and william barr as well as other prominent officials have all vocally supported backdoors to encryption in 2016 these discussions were brought to national prominence um and what you all may remember as was as the case of applebee fbi involving the phone of one of the attackers in the san bernardino shootings and the case was ultimately dismissed on the request of the fbi so we didn't get an answer in court as to the effect

as to the ability of the fbi to force a company to undermine its own encryption mechanisms um but it really elevated the debates to this kind of fever pitch in the united states that it's calmed a little bit sense but not significantly in the wake of those arguments congress discussed several different approaches to encryption and the house of representatives even set up a working group and released a report the report which was the result of a year-long process of meeting with stakeholders and talking to people and having hearings and it eventually found that encryption works in the national interest and they encourage greater collaboration across different interests that are involved in using or dealing with encryption

congress hasn't done anything else and we're going to talk a little bit or i'm going to talk about um the current efforts in congress right now but since this working group they haven't been able to as with so many other things come to any sort of agreement on a law that they could pass so up until this year things have been in play but not getting the support that they needed to actually move forward and finally one word on nist the national institute for standards and technology and encryption standards um it was generally ignored by the broader public but considered a huge violation of trust by the technical community when one of the snowden documents

provided evidence that as was long expected the nsa had worked to artificially undermine the standards the encryption standards developed by nist in order to preserve their own surveillance capabilities the revelation promptedness to start a process to come up with principles around the development of encryption standards um that process went through several different periods of public comment it um one second sorry about that making sure the record was on um then this process went through several rounds of public comment people fed into it weighed in there were a lot of meetings around it and then in march 2016 the final version was published very quietly with little fanfare um however it was a good thing because

despite um language that had been in the first two drafts of these standards the final version removed a requirement to balance law enforcement and national security interest against the development of encryption standards so it essentially allowed encryption standards to lay on their own without need to reference the needs of law enforcement in their development which brings us to today and what we're talking about right now so i want to say a word on international efforts around encryption because for a while the argument seemed to be placed on pause in the u.s while they picked up everywhere else in 2016 the uk passed the investigatory powers act which allows the uk government to order the removal of any applied

encryption in order to assist with the implementation of a warrant um the they're not there's not great transparency um in uk law so generally i don't think anybody is sure how this has been used although in late 2018 there was a public proposal by two uk officials to implement a procedure known as a ghost where they would compel communications channels to secretly add a government official into certain chats in order for them to observe what was being said that proposal has been met with pretty broad international resistance um there's been a lot of discussion about how that would require huge technical changes for many companies but again with the lack of transparency it's unknown to the extent that it's

been implemented also in 2016 brazil arrested a facebook executive um which met international which made international headlines and the reason for the arrest was the failure of whatsapp to turn over information in a case um the case was related to drug trafficking the government had asked for certain information however because of the end-to-end encryption that whatsapp utilizes the company didn't actually have that information to turn over to the government and this was not deemed an acceptable response and ended up in the arrest of the executive um he was later released but the contention between the brazilian government and whatsapp continues to this day excuse me and then perhaps what i would say is the most egregious international example

of legislation um so far is the australian assistance and access law it was broadly debated but wasn't actually seriously pushed through parliament until the late late hours of 2018 hidden by the rush of the end of year holidays it's a quite lengthy bill but essentially it authorizes australian authorities to order any modification to a service or device in order to further the investigation of any number of australian laws importantly australia is also allowed to use this authority on behalf and with the request from a foreign nation so not only is it able to be used to further australian investigations but other countries including the united states can go to australia and ask them to use this law to ask a

company to change its service on their behalf oh that was a that's another picture i will point out if you all can see it in fighting for the assistant assistance and access bill um then prime minister malcolm turnbull said that the laws of australia um trumped the laws of mathematics so i actually went to australia and it turns out that laws of mathematics still worked um it was quite surprising to me at the time as i'm sure all of you are shocked to know that they continued to work and that the laws of australia couldn't actually change mathematics so i promised that i would talk a bit about current legislation there are two bills pending right now

um that could deal with encryption the most widely discussed bill is the earn it act um currently being debated um and try the there are serious efforts to try to push this for a vote in congress to get it to pass this year specifically it gives government officials like william barr the power to compel online service providers to break encryption or if they don't to be exposed to huge legal liability um basing their essentially their section 230 liability protections on whether or not they would comply with those requests from government the bill it shows this evolution that we've seen internationally in approaches to encryption essentially instead of coming up with a defined mechanism or way to undermine encryption

governments are instead saying companies you have to turn over this information we won't tell you how just nerd harder and do it so we can get the information and in general that prevents the same sort of concerted evidence-based pushback that was able to be done in regard to the kiesker and the clipper chip proposals because we don't have a specific way the government is ordering that information to be turned over other than just a general requirement that it be the other provision is the laed um bill not lead laid or however you want to pronounce l a e d and i really can't describe this any better than this quote from rihanna peppercorn from stanford which

is just perfectly um a perfect summation of what this law would do and this is her quote the bill is an actual overt make no mistake crystal clear ban on providers from offering end-to-end encryption and online services from offering encrypted devices that cannot be unlocked for law enforcement and indeed from offering any encryption that does not build into a means of decrypting data for law enforcement end quote so it's kind of generally believed that the l-a-l-a-e-d bill was introduced to make the ernet act look more reasonable i think generally we can consider both of them to be pretty ridiculous and requiring pretty broad pushback and if you'll give me a minute i'm going to end with some ideas for how that

pushback can take place so as you can see government is continuing its efforts all the way through today this quote is from june 2020 from attorney general william barr who came back out and kind of laid an even finer line in the sand um in order to push for congress or for government to provide a means to undermine encryption so there comes the word the question of where do we go from here what comes next and before we do that let me revisit some of that history that i talked about because i don't know if you can really try to figure out where to go next unless you figure out what was effective what worked

previously and you can pull out some good ideas um so for example in the expert control debate there were lots of different levers being pulled at the same time um advocacy groups including epic and the eff were pushing against um pushing in congress and in washington dc against these efforts the business community um was coming together to show that there could be giant losses um there had been giant losses from export controls um whereas without the export controls they didn't really think that there was going to be any meaningful impact on national security lawyers were coming together there were multiple lawsuits that were filed in order to show how the export controls were unconstitutional um

in carby state they actually were dealing with bruce schneier's applied cryptography um bernstein was an attempt to publish an algorithm in print and online and there the ninth circuit actually ruled that code was speech and the regulations were not constitutional um cryptographers came together ron rivest explained that cryptography was going to get easier to implement and harder to regulate a comprehensive report from the cyberspace policy institute at george washington from 1999 noted that over 500 foreign companies manufactured or distributed foreign cryptographic products in nearly 70 countries outside the us that weren't subject to the encryption controls and in congress um good lot introduced the security and freedom through encryption act with 258 house sponsors um it didn't end up passing but it got

huge support in congress and all of these different actors were able to come together and as i said in the 1990s almost all of the encryption um limitation requirements around export controls basically went away or at least in 2000 another example from the clipper chip where you see again all of these different um disparate groups coming together toward a single goal the advocacy community the computer professionals for social responsibility cpsr organize an online petition with 50 000 signatures which today doesn't sound like a lot but was a significant number at the time when people weren't as used to signing online practitioners or online petitions um the business community 26 computer companies opposed the clipper chip outright

and formed the digital privacy and security working group again cryptographers came out as i explained matt blais was able to show how the clipper chip was vulnerable and really put that final nail in the coffin we had lawmakers coming together and the international community um even supported this the oecd the organization for economic cooperation and development came out with encryption principles at the time that supported the development of strong encryption one more more recent example um the apple the fbi case had more amicus briefs than i believe had ever before been filed at that level of court and in fact my organization access now and the wicker foundation filed the very first brief in the case

with the help of marcia hoffman who's a wonderful lawyer who's actually in colorado and they told us when we filed it that they could call us an amiki but because we were the first one but they only had space for one amica one amiki which is a friend of the court basically filing in support of one of the parties apple in this case um and instead of having every single different brief um filed under that one slot which they couldn't do they ended up filing them all as um defendants in the case they just had to come up with a whole new way to file briefs because there were far too many of them and they never

received that inundation before on companies technical experts advocates international lawyers all came out in support of apple in this case and why is that what does giving up encryption actually mean and i think this takes me back to that first slide with the expanse quote on it there are so many consequences that we'll see across the board and we'll see them longer into the future than i think we can possibly contemplate um consequences for economic growth the internet economy is largely based on digital security and encryption and needs it in order to stay secure and stay trusted by people who use it um from a law and policy perspective who are you going to say no

to when they order you as a company to implement a backdoor is it the u.s that can ask for one is it saudi arabia is it china is it australia how do you draw those lines for companies that do business everywhere and then who gets to use it even within those companies local law enforcement only certain national security individuals there are fine lines about how these would work that present impossible choices for entities having to make the decisions and security whatever the future holds i would never have guessed that anything that happened this year was going to happen um whatever happens in 2021 there will definitely only be more internet and we have to decide where the money

for security goes and if we're going to continue to invest in securing that internet or if only part of the money can go to making the internet more secure and part of it has to go to building backdoors so the fights aren't going away there's a lot at stake and as you can see interdisciplinary cooperation is absolutely critical so i'm going to leave you with a quote from the hunger games of remember who the real enemy is and i think that when we look at the future of the encryption debates what we have to see is more cooperation or continued cooperation from the technical community from the legal community i say this as a lawyer i know that

lawyers can be horrible but we want to work with you on these issues the business community it's really critical that we work toward the common goal to continue to beat these proposals back because they're on the horizon and they're being pushed through hard and they're not stopping um as you can see these conversations have been going on for for decades and they're i don't think they're going away anytime soon so that's it most people would end you with a photo of a cat i don't own a cat i own a dog so you're getting a photo of a dog here at the end and if anybody has questions and you got to hear me through the lag

and you stuck with me um i appreciate it and i'd really be happy to answer them now excellent thanks amy um yeah that was that was a great expansive overview of encryption policy um even with through the technical difficulties um and thanks for rolling with that as well um let's see so looks like we have a question from punk coder uh what is the most effective way that individuals can get involved with the fight for encryption a hundred percent call your representatives i think people who haven't spoken to their member of congress think that it's this futile exercise and i understand why because so many things that deal with dc politics are feudal exercises um that dog is the

most adorable thing in the entire world but calling your member of congress really matters it is so important um they especially when their own constituents are calling they listen and that influences um what positions they're going to take and whether or not they see their position on certain legislation as being tenable something they can sell back to the voters another thing is to support organizations who are working on this issue if you aren't supporting the eff or epic or access now um or the open technology institute i know it's a pandemic and some people can't and that's fine um the economy is hard right now but if you have the means these are organizations that are out

there on the front line every day and they'll keep you educated on what's going on they often post updates when things are happening and they could really use support well thank you um so the next question is from urban sec uh and the question is other than destruction and encryption are there other common forms of warrant proof protection that's interesting the big one has been constructed sorry the big one historically has been destruction flushing things down the toilet throwing them into the fireplace safes have been available but it's a matter of if you can crack them and there have always been people who can get through the security on safes generally um so you can see that

as a potential way you can't be compelled to turn over the combination of a safe um under your right to self-incrimination and so if you do have a safe that just nobody could get through that could be a way other than destruction but it's it depends on how how secure your device is thanks uh so uh i think for now the last question unless we get any others um is from spike and the question is how have the history of these encryption fights led to the problems we're seeing today with ransomware is there any way to balance the need to protect sensitive data versus the need to defend against malicious encryption i think these are really the second part

of that question is there a neat is there any way to balance the need to protect sensitive data with the need to defend um so there are a lot of questions that we should be having more serious conversations around but we can't because we continually have to devote all of our resources to fighting back these proposals to undermine encryption and so being able to actually dig into these more difficult meaty problems i think is something as i started every talk i give i'm like can we stop talking about this um can we just like move on because questions are on government hacking questions around like when should you be able to get access to this information

um we haven't solved these and in the meantime a lot of this really troubling activity is going on and i think i'd love to be able to spend more time on that um on the first part the history of the encryption fights leading to problems yes um export controls the limitations from export controls specifically led to um some of the major vulnerabilities and incidents that we've seen um over the last five or six years the and the encryption standards piece from nsa and this that i talked about um arguably had something to do with the um vulnerability that came through with the juniper networks um a few years ago so we do see the impacts happen over time

and it's another reason why you might not know the eventual outcome of what happens when you require security to be in any way undermined thank you uh so we have uh uh at least one more question um from urban sec again uh so obviously many parties have a lot to lose from backdooring strong encryption um in particular when the back door becomes widely known so have companies who use drm for copy protection taken a position on this issue i'm not sure and i have to say this is going to be an unpopular thing to say i know it already um i've stayed out of a lot of the copyright debates because the world of people who

get involved in the copyright debate like there are toxic spaces in the tech law and policy space and then there's copyright um and it gets intense really fast um so i i haven't dealt with a lot of those companies and there is a direct interplay i think corey doctorow has given some really good talks about the interplay between drm and encryption and backdoors um that i've really loved and so i would actually refer people to his talks and presentations on this issue because i think they provide a much more comprehensive look at that space that i'm going to be able to give cool thanks um i think unless anyone has any a last-minute question or any follow-ups um yeah i think that's

it uh for q and a uh so thank you very much that was that was an excellent talk um thank you uh you know i will try to get the slides from you so we can uh in post-production we'll try to we'll see how we'll try to fix it anything i can do to help um once again thank you for bearing with me i'm so sorry everybody um i appreciate you um i appreciate your patience it's no problem i hope it wasn't too distracting for you presenting not at all