Yesterday, during a panel on encryption policy hosted by Just Security, an online forum covering national security law and policy, top U.S. intelligence lawyer Robert S. Litt pressed the case for engineering backdoors in encryption without undermining computer security as a whole. As CPJ has documented, leading security and policy experts consider this impossible.
These skeptical experts received a boost last week when The Washington Post disclosed a draft memorandum, allegedly penned by U.S. National Security Council staff members this summer, indicating quiet but widespread agreement among senior Obama Administration officials that the president should either publicly reject, or at least defer, weakening encryption through compelled technical backdoors. The White House declined to comment to CPJ on the veracity or substance of the internal document obtained by the Post, which quoted several anonymous government officials as confirming that the memo accurately reflects debates being had by the administration.
As CPJ has documented, encryption protects journalists and newsrooms in many ways–from keeping conversations with sources private to mitigating networked-based attacks against critical infrastructure. The use of encryption is so vital to free expression that many legal experts have concluded that it is likely protected by international and U.S. constitutional law, a view CPJ shares. In addition, technical experts agree that it is impossible to add backdoors to encryption to give access for legitimate purposes without also making systems vulnerable to malicious actors.
CPJ has pressed each of these arguments publicly and, in July, CPJ Staff Technologist Tom Lowenthal and I flew to Washington, D.C. so CPJ could take its case directly to senior White House and Senate Judiciary committee staff.
Discussing the issue with U.S. business leaders in Washington on September 16, Obama described how state and non-state actors are exploiting vulnerabilities “at an accelerating pace.” “[T]he stronger the encryption, the better we can potentially protect our data,” Obama said. The administration seeks to “reconcile the need for greater and greater encryption” with law enforcement and intelligence agency demands, Obama continued, adding: “I won’t say we’ve cracked the code yet.”
The leaked memorandum–reported to be the result of internal consultations between officials responsible for U.S. national security, commerce, diplomatic, trade, and technology policy–does not anticipate a near-term plan to push for compulsory access to encrypted information, an option that, according to the Post, was removed from an earlier draft. Calls for such backdoors have been led almost exclusively by the FBI and the U.S. Department of Justice. These calls have been broadly resisted by the tech, civil society, and other sectors, and even prompted an op-ed in The Washington Post by former top military and intelligence officials in July explaining why fears about ubiquitous data encryption are “overblown.”
Of the three policy options laid out in the memo, a public position that embraces encryption and rejects backdoors “is the strongest option for cybersecurity, economic competitiveness and civil liberties, and human rights,” its authors conclude. The National Security Council memo notes that this position may serve to counter arguments by other states that favor harmful data localization — which threatens the interconnected nature of the Internet — by building trust in U.S. technology exports.
Further, the memo notes that attempts to publicly defer making a decision would “harm cybersecurity, economic competitiveness, and civil liberties and human rights.” It describes similar consequences if Obama fails to take any public action, noting that remaining publicly undecided could harm broader U.S. influence and credibility.
The memo suggests that the National Security Council sees any U.S. policy that stops short of supporting strong encryption as an invitation to other governments who might demand access to U.S. technology companies’ data. Even if technology companies introduce backdoors voluntarily, the “government will need to accept that other nations — including some repressive ones — will use this access as well.” The memo also recognizes that U.S. policy will influence other countries.
Such concerns are well-founded. In Turkey, Mohammed Ismael Rasool, an Iraqi journalist working with VICE News, remains in custody. He was charged with terrorism offenses alongside now-released British colleagues last month, in part for allegedly using so-called military-grade encryption, according to reports. Ethiopia in July released two members of the Zone 9 blogging collective, who were charged with terrorism offenses for taking part in an encryption workshop. The Zone 9 group will be honored with a 2015 International Press Freedom Award from CPJ in November. Even U.S. allies such as Britain and France have publicly called for access to encrypted communications, including as recently as last week, when the UK’s domestic intelligence agency chief Andrew Parker bemoaned encryption in a radio interview. In July, Lowenthal and I met with E.U. Counter-Terrorism Coordinator Gilles de Kerchove to discuss Europe’s approach to encryption policy.
When asked about the normative power of U.S. encryption policy in countries such as Turkey and Ethiopia, National Security Council spokesman Ned Price told CPJ by email, “This administration strongly supports the critical importance of a free and vibrant press as a cornerstone of any flourishing democracy, and has an enduring commitment to promoting freedom of expression all around the world.”
If the strongest policy suggestions laid out in the leaked security council memo are implemented, it would be a step in that direction. But, as the authors of the memo recognize, only the unqualified support of encryption will fully realize these goals. CPJ urges President Obama to take that path.