Protesters gather outside a district court in March 2016 after Apple was ordered to retrieve encrypted data from the phone of a suspected gunman. Civil rights groups say forcing companies to weaken encryption endangers privacy. (AFP/Frederic J. Brown)

Transition to Trump: Why U.S. needs to be global leader in protecting strong encryption

As a new presidential administration prepares to take over the U.S., CPJ examines the status of press freedom, including the challenges journalists face from surveillance, harassment, limited transparency, the questioning of libel laws, and other factors.

Protesters gather outside a district court in March 2016 after Apple was ordered to retrieve encrypted data from the phone of a suspected gunman. Civil rights groups say forcing companies to weaken encryption endangers privacy. (AFP/Frederic J. Brown)
Protesters gather outside a district court in March 2016 after Apple was ordered to retrieve encrypted data from the phone of a suspected gunman. Civil rights groups say forcing companies to weaken encryption endangers privacy. (AFP/Frederic J. Brown)

On December 20, the encryption working group, a bipartisan committee formed by the House Judiciary Committee and the House Energy and Commerce Committee, came out in favor of protecting strong encryption. “Any measure that weakens encryption works against the national interest,” according to the committee’s report, which cited the importance of strong encryption in protecting national and economic security, as well as civil rights.

More on This Issue

In doing so, the committee supported a point repeatedly made by privacy and civil society activists: that strong encryption is vital. As CPJ notes, encryption is essential for journalists reporting on sensitive issues and their sources. And, by leading the way in protecting encryption, the U.S. enables tech companies to stand strong against repressive nations.

So far, calls from legislators and the FBI for backdoors to encryption–essentially security flaws that allow access to a device–have been fended off. However, Obama failed to implement a strong policy protecting encryption and comments Donald Trump made on the campaign trail suggest the president-elect is unlikely to support measures to protect it.

Trump, his pick for Attorney General Jeff Sessions, and nominee for CIA director Michael Pompeo sided with the FBI during its failed attempt in February to order Apple to retrieve encrypted data from a phone belonging to Syed Farook, who was responsible for a mass shooting in San Bernardino.

When Apple responded in a statement to a judge’s order for it to assist the FBI–comparing a customized version of iOS that would create a “backdoor” for encryption to a master key that could open millions of locks–Trump called on his supporters to boycott the company. An ABC News video from a Republican town hall event in February showed Trump saying, “Apple ought to give the security for that phone, OK. What I think you ought to do is boycott Apple until such a time as they give that security number. How do you like that? I just thought of it. Boycott Apple.”

Civil liberties groups and tech companies joined with Apple in arguing that the FBI’s demand would create a dangerous precedent that law enforcement could use to force companies to weaken encryption, endangering the privacy of iPhone users.

“It became very clear that this was not a fight over getting into one phone, it was about whether the government had the power to force companies to turn off their security,” said Nate Cardozo, a senior staff attorney on the Electronic Frontier Foundation’s digital civil liberties team.

The order would also have had serious implications for journalists.

Jenna McLaughlin, who covers surveillance and national security for The Intercept, described encryption as her outlet’s “bread and butter.” “From the day I started working here as a journalist, the first thing I learned about was security–email encryption, secure chat and messaging applications, and more,” she said. “I work with sensitive sources who could stand to lose their jobs or even their physical security if they were exposed to their employers or others who might retaliate against them. Having secure methods of communicating with them is vital for me to do my job and expose wrongdoing in the national security sphere.”

Apple appealed the ruling and the FBI found another way to access data on the phone before the case could be decided in court. But without protections for strong encryption, Apple and other tech companies could face similar demands from courts or legislation.

A bipartisan draft bill to weaken encryption, introduced by Senators Richard Burr and Dianne Feinstein in April, would have forced companies to decrypt data or offer technical assistance to law enforcement, but it was never submitted for consideration in Congress, Reuters reported.

Kevin Bankston, director of the Open Technology Institute, part of the New America think tank, said that although key lawmakers in the House had come out in favor of strong encryption, threats could still come from the legislature. “FBI director Comey has repeatedly said he intends to continue raising this issue in 2017, and he will now be backed by [attorney general] Sessions, who is a surveillance hawk and was publicly on the FBI’s side of the Apple v FBI debate, who will be backed by a president of whom you could say the same, rather than being held back by an Obama administration that was hesitant to make policy in this area,” Bankston said. “Senator Feinstein, who sponsored last year’s anti-encryption legislation, will now be [a] ranking member of the Judiciary Committee, which has the most direct jurisdiction over the matter.”

Bankston added, “It looks like a perfect storm aligning towards a big anti-crypto push, one that might even be successful if there is a terrorist attack where encryption was involved.”

Officials in the outgoing administration have been divided over encryption due to competing interests about privacy, national security, and the economy, according to news reports and privacy experts who spoke with CPJ. Some–the Department of Justice, the FBI–have supported weakened encryption, while others–State Department, Commerce Department, White House’s Office of Science and Technology Policy–have opposed backdoors.

Obama staked out a mixed position. In a February interview with the tech website Re/code, the president said, “I lean probably further in the direction of strong encryption than some do inside of law enforcement.” But in comments delivered at South by Southwest, an annual gathering of tech, music, and media, a month later, Obama said that strong encryption could create “black boxes” and hurt law enforcement investigations. Ashkan Soltani, an independent researcher and technologist, described Obama’s comments as “kind of all over the place.”

Cardozo said, “The Obama administration ended up not taking a stance on it, which was a huge failure of leadership, and essentially nothing happened.”

The Trump transition team has not publicly discussed its plans for encryption. CPJ’s attempts to contact them were unsuccessful.

If the anti-encryption legislation were revived or if the courts forced companies to weaken encryption, it would pose a serious threat to online security, according to Soltani, a former senior adviser to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy.

“It’s incredibly difficult to maintain security. Even with the best intentions, systems and software often have bugs and vulnerabilities that allow hackers and others to access content or bypass security measures. By introducing additional avenues for decryption you further open up the ability for hackers to get access to the device,” he said. “For journalists, strong encryption is important because it helps them protect their sources, including in conflict regions where people could be prosecuted for speaking out. We’ve also seen nation-state actors monitoring the information of journalists to see what stories they are likely to produce.”

The debate about encryption is not just important for citizens and journalists in the U.S. but for people around the world, Cardozo said.

“The U.S. is still the technology provider for the rest of the world. There are two major cell phone operating systems out there in the world, both put out by U.S. companies. The biggest messaging clients outside of China are all U.S. based. There are two major desktop operating systems, both are based in the U.S. How the U.S. goes, so goes the world. Full stop,” Cardozo said. “The only reason that WhatsApp has been able to resist demands in Turkey, Brazil, or Saudi Arabia to put in a backdoor is because they don’t give that kind of access to the FBI. As soon as that changes, that calculus changes as well. As soon as WhatsApp gives one country access, then they’re going to have to give everyone. As soon as crypto in the U.S. falls, that’s it. We’re done.”

In September, CPJ welcomed a report by the U.N. Human Right’s Council that recognized the need to protect the rights of journalists to use encryption and anonymity tools, but this hasn’t stopped some countries from attempting to undermine strong encryption.

Last year CPJ documented how Brazilian courts ordered access to WhatsApp to be blocked at least four times after it refused to hand over data. In 2015, Turkish authorities arrested three Vice journalists, in part because one of them allegedly used encryption on a computer, according to reports. The U.K.’s Investigatory Powers Act, signed into law November 29, includes language that would essentially give the government authority to order companies to decrypt communications, according to the tech news site The Register.

Cardozo said that it is more important than ever that technology companies and civil society fight against any demands to weaken encryption.

“If a country like the U.K. makes a demand that Apple or WhatsApp stop offering encryption, we need to see those companies stand strong, and we’ll need to see journalists and users stand strong with them. And if that means calling the bluff and pulling out of the country, they need to do that,” he said.

[EDITOR’S NOTE: The eighth paragraph has been updated to reflect the correct name for the Electronic Frontier Foundation.]