The debate over government access to personal and private information dates back decades. But it took center stage after the 2015 mass shooting in San Bernardino, California, when Apple refused to open a backdoor into an assailant's encrypted cell phone for FBI investigators.
The agency ultimately paid a hacker to unlock the phone instead.
Now, the National Academies of Sciences, Engineering, and Medicine has produced a set of guidelines for government agencies to consider before approaching or investigating encrypted data.
To learn more about them, I talked with Frederick Chang, the executive director of Southern Methodist University’s Darwin Deason Institute for Cyber Security.
He's also a member of the National Academy of Engineering and former director of research for the National Security Agency.
Interview Highlights
Interview responses have been lightly edited for clarity and length.
The importance of the guidelines
In the report, we basically posed a framework comprised of eight questions. Rather than specifically seek answers to the questions, the process of working through the questions will help inform the debate. The questions were designed in a way to create some considerations and concerns about the various options and trade-offs that might be possible.
- To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?
- To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?
- To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and groups?
- To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?
- To what extent will financial costs be imposed by the proposed approach, and who will bear them?
- To what extent is the proposed approach consistent with existing law and other government priorities?
- To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?
- To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?
This is a complex issue with lots of technical details, important policy implications that could affect millions of users, millions of devices. The details really matter. Our hope is that people read the guidelines and understand the nuances and the details so that they will make a better decision when that time comes.
How the guidelines were determined
Fourteen individuals from diverse backgrounds — representing folks from the technology sector, law enforcement, privacy and civil liberties and academia — came together to draft the guidelines. When the National Academies compose a committee, they work very hard to make sure that there is the proper balance of perspectives and so forth. The result is something called a “consensus study.” What that means is all 14 of us have to agree on something. This debate is quite polarizing; it’s been in the media for a couple of years now. It was quite an accomplishment on our part to agree on a set of facts, to agree on a vocabulary and to agree on the framework.
On the biggest concerns in cyber security today
It’s really a topic that changes constantly. The sorts of attacks you saw last year and the year before and what we’re going to say tomorrow and the year after is just constantly changing. So it’s really important to stay current with the technology; it changes so fast. It's something that keeps you on your toes. And I’ve said for a while the problem’s going to get worse before it gets better, and unfortunately, that is proving to be true.
