Re-factoring the Crypto Debate

"Broken Key" CC-BY-NC unrequitedlife on flickr

The Carnegie Endowment for International Peace is hosting a working group to move the crypto debate forward by adding two valuable dimensions to the conversation. The WG added use cases to better capture the concerns of various stakeholders and defined its technical scope, selecting a specific point at which to engage in this debate (around the ability to break encryption on mobile devices under the physical control of national law enforcement, but not in-transit or, theoretically, remote device access).

That said, I find the report and its use cases dangerously US-centric, ignoring the role of authoritarian states and how even this tightly scoped debate would put human rights defenders, activists, and advocates for change in these places at risk. The use cases include a wide variety, but exclude the use cases of authoritarian, state-level actors and also exclude activists who will be targeted with technologies that break end-to-end encryption guarantees.

We need to look beyond markets to how crypto regulation advances or undermines long-term goals around democracy and human rights around the world. "Exceptional Access," or however we frame it, will be used against human rights defenders, either directly or through pressure on tech platforms to provide equivalent access to states we might consider authoritarian. It may be a bitter pill for the law enforcement groups who see themselves as the good guys fighting human trafficking and other horrible crimes, but promoting e2ee to encourage and protect opening civil spaces, more safely confronting corruption, and sustaining democracy could be a bigger win on a long-term, global level.

Ending the Crypto War

After three decades of effectively no progress, and despite significant effort here to identify points of agreement, we need to call it done. The argument that end to end crypto can be responsibly backdoored or realistically controlled in a way that provides only "good guys" reliable access without opening risks to bad actors is a dead end.

There is simply not a technical solution that doesn't result in significant negative consequences for the majority of the global population while not actually solving the problems presented by the minority of high-tech criminals, who will simply adopt tools not limited by the domestic policies of any one country - which seems most likely to make the problem even worse for everyone involved, except the most tech-savvy criminals, who will maintain or even improve their opsec.

It's important to frame this death not as a technical "problem," but as a process one. We simply do not have institutions or transparency with the trust and accountability to wield the eternal responsibility these systems would require. Even if we did have this at a point in time, we demonstrably cannot guarantee it over time. We don't have this domestically in the US, and again, even if we did, we live in an international world where the concept of being able to control and limit the spread of end to end encryption is a pipe dream.

But this is the debate that we cannot seem to put a pin in after three decades, so perhaps this is the wrong argument to be having. We need to flip this debate.

We should frame any further "cryptowar" debate in much longer-term, internationally-informed impacts and strategic goals. The ability to have dissenting opinions, to resist authoritarianism, and simply to live as human beings with personal privacy requires moving offline concepts of privacy, norms, and expectations into our digital world. Among many things, this also means an ability to have private conversations, which in a digital world requires end to end encryption, full stop.

If we want more democratic societies with resilient civil societies providing debate, watchdog functions, advancing transparency, and protecting human rights, then we need to accept the risks and complications that that requires.

A Path Forward

This isn't to say that we throw our hands in the air and give up on limiting criminal behavior, but that we look at it from a different and more strategic angle.

We can take a stronger stance overall: that we can and do accept this limitation, that we are strong enough and effective enough to fight crime that is organized and facilitated online as well as offline, and that we can do this in a rights-respecting manner in both cases. This isn't a simple path, and it requires resources and training, but protecting human rights while undermining human rights activism is an untenable path.