- Deploying encryption practices where the end user is the only one with decryption capabilities is preventing law enforcement from pursuing "communications in transit" and data, said U.S. Attorney General William Barr, during a keynote at the International Conference on Cybersecurity this week. "Even with a warrant based on probable cause," encryption is thwarting investigations.
- Because modern crimes carry heavy digital evidence, "warrant-proof" encryption is a threat to public safety, said Barr. Encryption is "extinguishing" law enforcement's ability to access and trace evidence in investigations.
- An individual's "zone of privacy" — person, house, papers and effects — are protected from "unreasonable" investigation. But, Barr argues, the zone of privacy is only possible because the public has a right to access when public safety is in question. Encryption prohibits right of access, morphing devices into "law-free zones."
Encryption has long been a fundamental security standard, but Barr is challenging its depths.
"Making our virtual world more secure should not come at the expense of making us more vulnerable in the real world," Barr said. "But, unfortunately, this is what we are seeing today."
Companies like Apple and Microsoft have shown resistance to creating back doors to encryptions for law enforcement. Last year, following the passing of the CLOUD Act, Microsoft President Brad Smith said there's still a need for "new legislation and new international agreements to reform the process by which law enforcement officials around the world gather digital evidence and investigate crimes."
Cybersecurity is a shared responsibility between the public and private sector, but withholding information is touch and go. The digital age has made privacy more complex and justified right of access is blurrier than ever before.
Barr identifies an individual's right to privacy and the public's right of access as "two sides of the same coin," where both parties remain balanced despite the outcome because of technology. "Technology has consistently removed the presumed tradeoffs of the physical world," Jerry Ray, COO of SecureAge, told CIO Dive in an email.
Despite the complexities of technology, it doesn't bar law enforcement from taking the necessary actions it would in physical pursuits of evidence.
But cyberspace has always favored bad actors, who are often two-steps ahead. Because of this, Barr is sensitive to the need for personal protection.
The argument "seeks just enough compassion or empathy from people for them to simply agree to giving up personal security for the sake of some notion of prescribed communal security," said Ray.
But the public is demanding more of companies that store and use their data. People are more critical of how well their personal information is protected.
This week Facebook agreed to pay a $5 billion settlement with the Federal Trade Commission is a case that "diminishes Barr's position" that messaging and smartphone protections come second to "nuclear launch codes" and enterprise operations, according to Ray. "Effective and responsible encryption is agnostic to the content it protects, as it should be."
Barr's arguments against "warrant proof" encryption fail to acknowledge that consumers' personal information are "precisely the precursors to all collective actions taken by society," said Ray.
Specialized communications for purposes of business or law enforcement are antiquated, if not entirely obsolete. It therefore challenges Barr's argument for assessing the "net risk" of consumer cybersecurity because the public, businesses and government now all rely on the same technologies, according to Ray.