August 2020 Privacy’s Best Friend
The Importance of Encryption in Protecting Consumer Privacy
Andi Wilson Thompson & Claire Park
Last edited on August 17, 2020 at 4:33 p.m. EDT Acknowledgments
The authors would like to thank Federal Trade Commissioner Rohit Chopra, Keun Kim, Alexandra Levine, Katie McInnis, Hannah Quay-de la Vallee, and Asad Ramzanali for participating in the event highlighted in this report and Austin Adams, Maria Elkin, Lisa Johnson, and Joe Wilkes for communications support. Open Technology Institute would also like to thank Craig Newmark Philanthropies for generously supporting our work in this area. The views expressed in this report are those of its authors and do not necessarily represent the views of Craig Newmark Philanthropies, its officers, or its employees.
newamerica.org/oti/reports/privacys-best-friend/ 2 About the Author(s)
Andi Wilson Thompson is a senior policy analyst at New America’s Open Technology Institute where she focuses on issues including digital security, vulnerabilities equities, encryption, and internet freedom.
Claire Park is a program associate with New America's Open Technology Institute (OTI), where she researches and writes on technology policy issues including broadband access and competition, as well as privacy.
About New America
We are dedicated to renewing the promise of America by continuing the quest to realize our nation’s highest ideals, honestly confronting the challenges caused by rapid technological and social change, and seizing the opportunities those changes create.
About Open Technology Institute
OTI works at the intersection of technology and policy to ensure that every community has equitable access to digital technology and its benefits. We promote universal access to communications technologies that are both open and secure, using a multidisciplinary approach that brings together advocates, researchers, organizers, and innovators.
newamerica.org/oti/reports/privacys-best-friend/ 3 Contents
Introduction 5
History of the Encryption Debate 7
Encryption as a Consumer Privacy Issue 10
Encryption’s Importance to the Private Sector 12
Encryption Debates in Congress 14
Conclusion 17
newamerica.org/oti/reports/privacys-best-friend/ 4 Introduction
Encryption protects cybersecurity, safeguards vulnerable groups like journalists and victims of domestic violence, and allows people to communicate securely with family, colleagues, and sensitive third-parties. However, encryption is often seen as a safeguard that is only relevant to people with specifc privacy concerns, and that people who have “nothing to hide” don’t need or beneft from strong encryption. This could not be further from the truth. Encryption is crucial to the way that everyone interacts with technology and lives their lives online.
Law enforcement has continually claimed that encryption hampers investigations and protects criminal actors, referring to the spread of encryption as “going dark.” They have pushed for the implementation of mechanisms, commonly described as “backdoors,” that would guarantee them access to encrypted data. Technologists, academics, members of civil society, and allies within government have continually explained that strong encryption is crucial to privacy, security, free expression, and economic growth. Discussing the importance of encryption as a matter of consumer privacy for all people is an important component of the conversation regarding next steps for regulators, Congress, and companies.
Encryption has been under attack many times before, but in the past year we have seen new and serious threats to the ability of companies to provide strong encryption to consumers, and for everyone to have access to the security they need for their communications and stored data. Various U.S. government ofcials have pushed companies to weaken the encrypted technology they provide to users, or to not implement crucial security updates including the implementation of universal end-to-end encrypted messaging. These dangerous and misguided proposals are not based on a factual understanding of encryption.1 Additionally, discussing encryption as an issue of “security vs. privacy” fundamentally misrepresents the way encryption protects everyone. Two of the most recent proposals to undermine encryption, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act and the Lawful Access to Encrypted Data Act, both introduced in Congress in 2020, will be discussed later in this paper.
This report builds on an event held by New America’s Open Technology Institute on February 4, 2020 that examined the role of encryption in protecting consumer privacy. The panel began with a freside chat with Federal Trade Commissioner Rohit Chopra and Alexandra S. Levine, reporter and host of Morning Tech at Politico. Levine moderated the following panel discussion, which included Asad Ramzanali, legislative director for Rep. Anna G. Eshoo (D-Calif.); Katie McInnis, then-policy counsel at Consumer Reports; Keun Kim, senior managing counsel, Digital Payments & Labs, Products and Innovation, at Mastercard; and Hannah Quay-de la Vallee, senior technologist at the Center for Democracy &
newamerica.org/oti/reports/privacys-best-friend/ 5 Technology. The discussion covered the history of encryption’s role in the privacy debate, an analysis of its role in consumer protection, and background on how policies surrounding encryption are playing out in both the government and private sector.
This event was designed to move debates about encryption away from hot-button issues, which often distract from discussions about the ways encryption protects everyone and is already embedded in the technologies we use every day. The paper likewise does not focus on those issues, and instead seeks to center the debate around the fundamental issue of consumer privacy. Participants in the “Privacy’s Best Friend” panel helped set the stage for discussions about next steps for policy regarding encryption and consumer privacy, and identifed some of the recurring themes in our decades-long debates about whether to regulate encryption.
Editorial disclosure: This report discusses policies by Apple, Facebook, and Google, all of which are funders of work at New America but did not contribute funds directly to the research or writing of this report. New America is guided by the principles of full transparency, independence, and accessibility in all its activities and partnerships. New America does not engage in research or educational activities directed or infuenced in any way by fnancial supporters. View our full list of donors at www.newamerica.org/our-funding.
newamerica.org/oti/reports/privacys-best-friend/ 6 History of the Encryption Debate
Federal Trade Commissioner Chopra began the event by reminding participants that we had “gone through this same debate 20 years ago… that [the Justice Department] is probably recycling some older arguments, and that it may not fully be taking into account how unencrypted communications may actually be a risk to the public.” These discussions are indeed not new—debates about encryption, individual privacy, and the role of government have circulated in U.S. policy for decades. This section will briefy review this historical context as a primer for understanding the panel’s discussion.
Until the mid-1970s and the development of public key cryptography, the government had a domestic monopoly on the use of electronic ciphers, but in 1976 researchers Whitfeld Dife and Martin Hellman discovered and published a paper that demonstrated how ordinary users could use a pair of related private and public keys to encrypt and decrypt plaintext conversations.2 Unlike previous methods of encryption, this technology allowed two or more parties to communicate privately and securely without ever having met before.3 Although these advances in cryptographic technology made encryption available to non- government users, it took societal factors—including the increasing use of personal computers by large companies, the demand for secure email technology for individual use, and increased use of portable and mobile devices—to bring the importance of encryption from academic conversations into the mainstream.
By the early 1990s the proliferation of encryption as part of modern communications provoked the frst congressional attempt to force the inclusion of backdoors by electronic communications service providers and equipment manufacturers. A 1991 anti-terrorism bill included language requiring that companies “shall ensure that communications systems permit the government to obtain the plaintext contents of voice, data, and other communications when appropriately authorized by law.”4 Although this proposal was withdrawn, it was the precursor to multiple government eforts to fnd a way for law enforcement to reliably gain access to encrypted communications. The most notable early attempt at this was the failed introduction of the “Clipper Chip,” a then state-of- the-art microchip that could be inserted into consumer hardware telephones.5 One of the signifcant vulnerabilities of the Clipper Chip included its reliance on “key escrow,” where third parties held keys to the chip’s encrypted information.6 Ultimately the proposal failed when prominent computer scientist Matt Blaze discovered that the chip was easy to exploit, would not provide the security proponents argued it could, and instead would actually undermine the security of any device it was installed in.7
The Clipper Chip debate, and others occurring during that era, are often described as the “Crypto Wars.” This took place on the domestic front, but there
newamerica.org/oti/reports/privacys-best-friend/ 7 was a simultaneous debate going on at the international level over U.S. export controls and encryption technology. Because they had historically been used by military and intelligence agencies almost exclusively, existing export control regimes classifed cryptographic tools as “munitions” and restricted their export. These controls were based on the strength of the encryption and applied not only to hardware but also to encryption software and source code. The intelligence community was concerned that U.S. companies were selling international customers strong encryption technology, which many ofcials feared could reduce their ability to gather information on foreign targets. However, restrictions on the quality of encryption produced by big companies would all but ensure that surveillance targets would simply use other services, leaving everyone without secure options. This aspect of the debate continues even now, with Chopra noting during his opening remarks at the event that if the government restricted encryption “criminals and crooks are going to use encrypted communication, and the rest of us could be left vulnerable.” Ultimately, after much pushback from advocates, companies, and allies in Congress, these controls were liberalized at the end of the 1990s, which efectively ended the frst Crypto Wars period with a blow against backdoors and a major win for consumer privacy.
Although those 1990s debates focused primarily on encrypted technology that was theoretically available to consumers, the reality is that encryption then played a dramatically smaller role in the lives of ordinary people than it does now. The use of email was increasing, but internet-connected devices, smartphones, online fnancial transactions, and a complete reliance on virtual communication via email or messaging tools were not even on the horizon. A few decades later, many millions of people rely on the security and privacy provided by strong encryption every single day. This rise of a second era of encryption debate was likely inevitable.
The encryption of data “in transit” protects information that is moving over a network from one place to another. End-to-end encryption, the most secure method of protecting this data, ensures that messages encrypted by the original sender can only be decrypted by the recipient—not by other actors who may intercept it or even by the company providing the messaging service.8 Encryption of data “at rest” protects information that is stored somewhere, like on a laptop, smartphone, external hard drive, or in the cloud, and is not moving from one place to another. Both modes of encryption are crucial to protecting consumer privacy, and both have been targeted for government interference.
In 2014, both Apple and Google announced that they would begin encrypting their smartphones by default, ensuring that users would have their data protected at rest without having to take any further steps to activate the feature.9 This was in the wake of the Edward Snowden revelations and increasing concern by customers that large tech companies were sharing customer data with the National Security Agency. These changes meant that not only was all the
newamerica.org/oti/reports/privacys-best-friend/ 8 important data on a phone—photos, messages, contacts, reminders, call history— inaccessible to third parties, it was inaccessible to the companies who made the phones. Companies would no longer be able to provide information stored on devices to law enforcement upon request. This was a huge victory for consumer privacy and security, but it sparked instant backlash from the U.S. government, with the FBI accusing Apple of “[marketing] something expressly to allow people to place themselves beyond the law.”10
Given the increasing amount of personal data stored on smartphones (including health and fnancial data), privacy and security experts agree that further security for these devices is crucial to protecting privacy. The argument by some government ofcials that people who want to use secure devices are somehow nefarious, and that the reason consumers may be interested in an encrypted phone is because they want to evade law enforcement, does not refect the reality of current threats to consumer privacy. If a mobile device stores emails, contact information, photos, location data, audio recordings, and apps that collect sensitive data, theft or loss of that device could have serious consequences for the owner. By contrast, if a device owner could trust that such information would remain private should their phone be lost, stolen, or seized by a government third party, they may prefer to purchase devices with those security features.
Law enforcement opposition to increasing implementation of strong encryption has also targeted end-to-end encrypted messaging services, similarly casting those as tools used by criminal actors rather than ordinary consumers who wish to protect their private communications. Proponents of law enforcement access to encrypted information have argued that it is possible to build a system that only allows “good guys” access to private communications—an assertion technical experts have repeatedly debunked. During the panel, Hannah Quay-de la Vallee, senior technologist at the Center for Democracy & Technology, highlighted one of the key problems with proposals for encryption backdoors— that it is possible to create mechanisms for only the “good guys” to access encrypted data—saying, “[the] fundamental aspect of this is not technically feasible… There's not actually a way to get 95 percent crypto, or 98 percent crypto. It's a little bit of an all-or-nothing situation.”
Specifc events have regularly brought encryption into the public eye, including the terrorist attack in San Bernardino, California in 2016, following which the FBI demanded that Apple break the encryption on the shooter’s iPhone.11 More recently, U.S. government ofcials have cited the role of encrypted communications in limiting Facebook’s ability to report all tips about the online sexual exploitation of children in support of their demands for encryption backdoors.12 However, to this point no U.S. government attempts to legislate backdoors or restrict access to encryption have been successful. The role of government policy in both promoting and undermining encryption, and where these consumer privacy discussions stand now, will be discussed later in this paper.
newamerica.org/oti/reports/privacys-best-friend/ 9 Encryption as a Consumer Privacy Issue
Encryption is often discussed as an issue of law enforcement, cybersecurity, or free expression for specifc groups of users. However, it is also crucial to the privacy and security of everyone who browses the internet, communicates online, or uses websites for convenient activities like banking, shopping, or fling taxes. Unfortunately, many companies do not employ best practices for securing data, such as encrypting databases, which has resulted in many cases of people’s personal, health, and fnancial information being hacked. For example, the Equifax data breach of 2017 exposed the personal information of 147 million people from a database that was not encrypted.13 Cybersecurity incidents like this show that consumers need stronger data privacy protections for their personal information. People are “weary and angry,” said Katie McInnis, policy counsel at Consumer Reports, “at their data being out there,” and of the privacy and security consequences that they might face.
A 2019 survey by the Pew Research Center points to deep public concern about a lack of control over the increasing amount of personal data available to third parties. Eighty-one percent of respondents felt they have very little to no control over the data that companies collect on them, such as their demonstrated interests, past purchases, or other characteristics.14 These types of personal information could potentially be used to identify individuals’ fnancial information and make them more susceptible to fraud or online threats. Consumers are also learning that any kind of data, even anonymized data or metadata, can reveal a lot about their personal activities. Research consistently indicates that anonymized or de-identifed data can be reidentifed to the individual.15
Given increasing user concern over the collection of personal information and the threat of someone accessing that data, companies need to adopt strong cybersecurity safeguards to protect consumer data. This should include encrypting user data, as well as minimizing access to user-created data. As described earlier, consumers have theoretically had access to various forms of encryption for decades; however, it often required a certain level of technical expertise to implement, and was often the responsibility of an individual user to set up. Privacy should not be limited to only those with technical knowledge; rather, companies should broadly protect consumers to the fullest extent. During the event, McInnis pointed out that even if consumers are not well educated on privacy or are going to be reckless in their use of a product, they should be protected, “just like when you drive, a car should have seatbelts and airbags just in case you ram into a wall.”
Encryption by default improves data protection and privacy by removing the obstacle of manual user implementation. As noted above, Apple and Google’s
newamerica.org/oti/reports/privacys-best-friend/ 10 decision to encrypt their mobile devices by default (previously the setting was optional) was a huge shift in the protection of user data at rest.16 As Quay-de la Vallee explained, when an iPhone screen is locked the device is encrypted. Once the phone has been unlocked, any iMessage communication is protected by end- to-end encryption, or encryption in transit, so that nobody along the way is able to read it.
Encryption, therefore, can promote trust between companies and consumers, as it builds in protection not incumbent upon consumer knowledge of privacy practices. Products should be designed with the best interests of the end user in mind. As McInnis remarked, “Just the way your toaster shouldn't set your house on fre, the services you use shouldn't expose your data to the public either.”
newamerica.org/oti/reports/privacys-best-friend/ 11 Encryption’s Importance to the Private Sector
Current debates on expanding the use of encryption in consumer products may overlook the ways in which it is already embedded and relied on in certain industries. Many private companies, like those in the banking, digital communications, and cloud storage sectors, actually compete on the strength of their consumer privacy protections—including strong encryption. These industries hold sensitive information—like social security numbers and credit card numbers—that may easily be hacked and exposed when companies do not encrypt digital fles and transactions. A study published earlier this year by Cisco found that the majority of international cybersecurity professionals across industries see signifcant or very signifcant benefts in operational efciency, data security, and customer loyalty and trust due to increased annual spending on privacy.17
Investing in better privacy practices also shields companies against the high costs of data and privacy breaches. When customers lose trust in companies from their personal data being exposed, it can lead to a loss of business amounting to $1.42 million per organization on average, or 36 percent of the total cost of a data breach, according to a study released by IBM in 2019.18 Encrypting data at rest is a key safeguard against data breaches. One study found that 96 percent of data breaches in 2016 involved data that was not protected with encryption.19 According to the 2019 report from IBM, the average time to contain a data breach in 2019 was 279 days, 73 more days than the span of a breach in 2018.20 The longer a data breach, the higher the costs. Breaches lasting fewer than 200 days were on average $1.22 million less costly than breaches with a life cycle of more than 200 days, which could cost $4.56 million on average.21
Encrypting data in transit while consumers engage with businesses online is also a key privacy best practice used by cloud storage companies. Cloud storage can introduce great security risks for individuals and organizations, since personal and sensitive information is being stored with a third party—encryption can provide a necessary layer of security. Many cloud storage companies use encryption to protect information, with 81.8 percent of cloud service providers encrypting data in transit between the user and cloud service.22 OneDrive, for example, encrypts data in transit, though it does not encrypt data stored in the cloud. On the other hand, iCloud encrypts both data in transit and data at rest.23
One example of how companies have improved privacy measures is in the payments industry, with encryption playing a central role in ensuring personal fnancial data is transmitted safely. During the panel, Keun Kim, senior managing counsel, Digital Payments & Labs, Products and Innovation, at Mastercard, gave the example of companies like his employing magnetic card stripes and CVV numbers for card payments, then evolving to electronic chips
newamerica.org/oti/reports/privacys-best-friend/ 12 embedded in each card. Chips, unlike magnetic stripes, are encrypted, which makes it much harder to read the information stored in the card while also limiting the data stored on any single key at the same time.24 An encrypted credit card with an electronic chip is much harder for criminals to read and replicate the information, since information stole from magnetic stripes can simply be placed on a new strip and used to make fraudulent purchases. Encryption is therefore critical in ensuring that personal data is secure during a transaction.
Messaging and digital communications is another area where encryption is becoming the standard, as McInnis ofered during the panel. Popular messaging services, like Signal, Telegram, and WhatsApp, use encryption to protect messages. In March of 2019, Facebook announced that it was adopting end-to- end encryption across all its platforms.25 The reasons for the change included in Mark Zuckerberg’s announcement refected not only his and his company’s recognition of a change in public opinion, saying that people want to connect privately, and that the industry as a whole is moving towards encryption.26
It is likely that companies will continue to innovate around privacy as more of our everyday lives move online. Encryption promises to be a key part of this innovation.
newamerica.org/oti/reports/privacys-best-friend/ 13 Encryption Debates in Congress
There are a variety of government actors that play key roles in debates around encryption and consumer privacy. As noted earlier, Congress has periodically taken up eforts to enact encryption legislation since the 1990s. Most of these initiatives have involved attempts to restrict or undermine the use of strong encryption. For example, in response to events like the terrorist attacks in San Bernardino, California in 2016, and at a Naval air station in Pensacola, Florida in 2019, law enforcement has asserted that encrypted mobile devices are a signifcant barrier to their investigations. Opponents have also characterized encrypted messaging as a tool used by criminals and drug cartels to coordinate violent activities.27 Based on these assertions, various members of Congress have introduced bills seeking to restrict encryption, with the two most recent being the Law Enforcement Access to Encrypted Data Act of 2020, and the EARN IT Act of 2020, both introduced by Sen. Lindsey Graham (R-S.C.).
The Law Enforcement Access to Encrypted Data Act attempts to force companies to proactively design vulnerabilities in their products, so that they are always able to provide user information to law enforcement. The bill applies to both stored data and data in motion, and is more comprehensive than previous legislative attempts to restrict encryption for a few reasons. First, the bill seeks to amend a sweeping range of law enforcement and surveillance authorities. Second, it would apply to a much broader scope of targets, including nearly every device that includes at least one gigabyte of storage capacity, which would include cell phones and laptops, but probably also Internet of Things devices, gaming consoles, and maybe even voting machines.28 It also targets all encrypted messaging services. Further, the bill would provide two mechanisms to undermine encryption—companies with over 1 million U.S. users would be required to proactively design backdoors, and companies with fewer than 1 million U.S. users could be issued an assistance capability directive by the Attorney General, which would require them to build a backdoor on request. By defnition, if companies must retain the ability to decrypt information for law enforcement, it is not technically possible for them to implement fully end-to- end encryption, so this bill would efectively result in a ban on the use of strong encryption by companies.
The EARN IT Act of 2020 is unlike previous legislative attacks on encryption.29 It is focused specifcally on one type of criminal activity that law enforcement argues is facilitated by strong encryption—the exchange of “child sexual abuse material” or CSAM online. The problem of CSAM is extremely important to address, however the EARN IT Act is not actually well-designed to do so. There are myriad other ways to empower law enforcement to combat CSAM, including redirecting funding to support the addition of badly needed staf and helping them more efectively use current lawful investigative tools. The EARN IT Act
newamerica.org/oti/reports/privacys-best-friend/ 14 does not directly require companies to design backdoors in their products; instead the bill uses Section 230 of the Communications Decency Act to threaten the intermediary liability protections for tech platforms or other providers that publish third-party content. Although the Senate Judiciary Committee approved a revised version that does incorporate an amendment aimed at protecting encryption, the bill still poses a real threat to strong encryption. The latest version increases companies’ Section 230 liability so greatly that companies might avoid ofering encryption services altogether rather than face litigation based on state CSAM laws with varying standards.30
It is worth noting that none of the directly anti-encryption laws have yet passed, and that the United States currently has no laws limiting the use of encryption or restricting the ability of companies to implement it, unlike other countries including Australia and the United Kingdom. Although this is an ongoing debate around the world, supporters of strong encryption in the United States have, so far, managed to prevent any dangerous legislation from passing.
Some members of Congress have also sought to enact legislation that would protect and promote strong encryption. Pro-encryption proposals have ranged from the Security and Freedom Through Encryption (SAFE) Act of 1996, which garnered sponsorship from the majority of the members of the House of Representatives and aimed “to afrm the rights of United States persons to use and sell encryption and to relax export controls on encryption,” to the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act of 2019, which would preempt states from imposing decryption requirements on a manufacturer, developer, seller, or provider of covered products or services.
Encryption also plays a role in discussions about comprehensive consumer privacy legislation. During the event, Asad Ramzanali, legislative director for Rep. Eshoo, described the importance of including encryption in the Online Privacy Act, a bill proposed by Reps. Anna Eshoo and Zoe Lofgren (D-Calif.) as part of “a broader discussion about the role of technology companies, and technology and society, and how policy should and should not be reacting to some of the harms that we see.” Ramanzanali specifcally addressed the relationship between policy on encryption and the current “techlash,” as well as heightened scrutiny and mistrust of the technology industry in general. As he explained, “Tech can do a lot of good. But when people stop to trust it, it becomes problematic, And so that's where encryption, to us, also plays an important role.”
A crucial component of many companies’ moves to default encryption at rest and end-to-end encrypted messaging is that these protocols also prevent companies themselves from accessing user data. Quay-de la Vallee framed the privacy dynamic as “if you want to live in this world, you're going to cede control to entities that you don't necessarily trust… the whole concept of end-to-end encryption is essentially that I don't have to trust that WhatsApp isn't going to
newamerica.org/oti/reports/privacys-best-friend/ 15 look at my messages. I don't have to trust that they're going to do the right thing and not go snooping. I just know that they can't.” Legislation to protect and promote strong encryption would help safeguard private data, from both companies and other actors, while allowing users to beneft from technology that is crucial to the way we live and work.
newamerica.org/oti/reports/privacys-best-friend/ 16 Conclusion
As long as debates surrounding the importance of encryption are centered on issues of law enforcement access and the need for exceptional access to information to facilitate criminal investigations, an important part of the discussion is missing. A common reaction to advocates’ arguments about the need for strong encryption is that if someone “has nothing to hide,” they should not care if law enforcement has access to their data. As much as proponents try, attempts to reorient the discussion from “privacy vs. security” to “security vs. security” often fail to capture the attention of the general public and convince them of encryption’s importance for privacy and free expression, rather than as a supposed barrier to catching criminals and terrorists.
Reframing encryption as a consumer privacy issue, and illustrating all the ways it is important in everyday life has the potential to bring together advocates from diferent felds, as well as to change the minds of everyday people. Encryption is crucial to the way we communicate remotely, make secure purchases, use online tools to access fnancial information or fle taxes, and access remote medical care. The same technology that allows journalists to communicate securely also allows people to buy groceries using a mobile app without fearing that their sensitive fnancial information will be stolen. The same technology that allows users to chat securely with friends on messaging platforms also prevents tech companies from gathering data from those conversations to use in ways that participants may not be comfortable with. Further including protection for and promotion of strong encryption in comprehensive consumer privacy legislation, both at the state and federal levels, would both provide important recognition of how intertwined it is with other issues of data protection, and would incorporate another much-needed tool as a safeguard to protect privacy.
newamerica.org/oti/reports/privacys-best-friend/ 17 Notes end-end-encryption-how-do-public-key-encryption- systems-work 1 Andi Wilson Thompson, “Separating the Fact from Fiction: Attorney General Barr is Wrong About 9 Cyrus Farivar, ” Apple Expands Data Encryption Encryption,” New America’s Open Technology Under iOS 8, Making Handover to Cops Moot,” Ars T Institute, August 8, 2019, https:// echnica, July 17, 2014, https://arstechnica.com/ www.newamerica.org/oti/reports/brief-attorney- gadgets/2014/09/apple-expands-data-encryption- general-barr-wrong-about-encryption under-ios-8-making-handover-to-cops-moot/ ; Craig Timberg, “Newest Androids Will Join iPhones in 2 Whitfield Diffie and Martin E. Hellman, “New Offering Default Encryption, Blocking Police,” Washi Directions in Cryptography,” IEEE Transactions on ngton Post, September 18, 2014, https:// Information Theory, Vol. 22, No. 6, November 1976, www.washingtonpost.com/news/the-switch/wp/ available at https://ee.stanford.edu/~hellman/ 2014/09/18/newest-androids-will-join-iphones-in- publications/24.pdf offering-default-encryption-blocking-police/
3 Peter Wayner, “A Patent Falls, and the Internet 10 Craig Timberg and Greg Miller, “FBI Blasts Apple, Dances,” New York Times, September 6, 1997, Google For Locking Police Out of Phones,” Washingt https://www.ics.uci.edu/~ics54/ doc/security/ on Post, September 25, 2014, https:// pkhistory.html www.washingtonpost.com/business/technology/ 2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_ 4 Section 2201 of S. 266, The Comprehensive story.html CounterTerrorism Act of 1991 11 Leander Kahney, “The FBI Wanted a Back Door to 5 A. Michael Froomkin, “It Came From Planet the iPhone. Tim Cook Said No,” Wired, April 16, 2019, Clipper: The Battle Over Cryptographic Key Escrow,” https://www.wired.com/story/the-time-tim-cook- Chicago Legal Forum Law of Cyberspace (1996), stood-his-ground-against-fbi/ available at http://osaka.law.miami.edu/~froomkin/ articles/planet_clipper.htm 12 “Attorney General Barr Signs Letter to Facebook From US, UK, and Australian Leaders Regarding Use 6 Andi Wilson Thompson, Danielle Kehl, and Kevin of End-To-End Encryption,” United States Bankston, “Doomed to Repeat History: Lessons from Department of Justice, October 3, 2019, available at the Crypto Wars of the 1990s,” New America’s Open https://www.justice.gov/opa/pr/attorney-general- Technology Institute, June 2015, 5, available at barr-signs-letter-facebook-us-uk-and-australian- https://www.newamerica.org/cybersecurity- leaders-regarding-use-end initiative/policy-papers/doomed-to-repeat-history- lessons-from-the-crypto-wars-of-the-1990s/ 13 Seena Gressin, “The Equifax Data Breach: What to Do,” Federal Trade Commission, September 8, 7 Matt Blaze, “Protocol Failure in the Escrowed 2017, available at https://www.consumer.ftc.gov/ Encryption Standard,” AT&T Bell Laboratories, 1994, blog/2017/09/equifax-data-breach-what-do ; Irina available at https://www.mattblaze.org/papers/ Ivanova, “Equifax Ex-CEO: Hacked Data Wasn't eesproto.pdf Encrypted,” CBS News, October 3, 2017, https:// www.cbsnews.com/news/equifax-ex-ceo-hacked- 8 “A Deep Dive on End-to-End Encryption: How Do data-wasnt-encrypted/ Public Key Encryption Systems Work?” Electronic Frontier Foundation, Surveillance Self-Defense, 14 Brooke Auxier, Lee Rainie, Monica Anderson, available at https://ssd.eff.org/en/module/deep-dive- Andrew Perrin, Madhu Kuma, and Erica Turner,
newamerica.org/oti/reports/privacys-best-friend/ 18 “Americans and Privacy: Concerned, Confused and www.skyhighnetworks.com/cloud-security-blog/ Feeling Lack of Control Over Their Personal only-9-4-of-cloud-providers-are-encrypting-data-at- Information,” Pew Research, November 15, 2019, rest/ available at https://www.pewresearch.org/internet/ 2019/11/15/americans-and-privacy-concerned- 23 “iCloud Security Overview,” Apple, available at confused-and-feeling-lack-of-control-over-their- https://support.apple.com/en-us/HT202303. personal-information/ 24 “What is credit card encryption?,” Dharma 15 Alex Hern, “'Anonymised' Data Can Never Be Merchant Services, available at https:// Totally Anonymous, Says Study,” The Guardian, July dharmamerchantservices.com/faq/what-is-credit- 23, 2019, https://www.theguardian.com/technology/ card-encryption/ 2019/jul/23/anonymised-data-never-be-anonymous- enough-study-finds ; Gina Kolata, “Your Data Were 25 Mark Zuckerberg, “A Privacy-Focused Vision for ‘Anonymized’? These Scientists Can Still Identify You, Social Networking,” Facebook, March 6, 2019, New York Times, July 23, 2019, https:// available at https://www.facebook.com/notes/mark- www.nytimes.com/2019/07/23/health/data-privacy- zuckerberg/a-privacy-focused-vision-for-social- protection.html networking/10156700570096634/
16 Joe Miller, “Google and Apple to Introduce 26 Law enforcement officials in the United States, Default Encryption,” BBC, September 19, 2014, the United Kingdom, and Australia wrote a letter to https://www.bbc.com/news/technology-29276955 Mark Zuckerberg on October 4, 2019 asking Facebook to delay the implementation of end-to-end 17 “From Privacy to Profit: Achieving Positive encryption across its messaging services. OTI and 101 Returns on Privacy Investments,” Cisco other signatories urged the three governments to Cybersecurity Series 2020, January 2020, available abandon their misguided efforts to weaken athttps://www.cisco.com/c/dam/en/us/products/ encryption, which would only endanger the security collateral/security/2020-data-privacy-cybersecurity- and privacy of billions of internet users around the series-jan-2020.pdf world. https://www.newamerica.org/oti/press- releases/open-letter-law-enforcement-us-uk-and- 18 “Cost of a Data Breach Report 2019,” IBM australia-weak-encryption-puts-billions-internet- Security, available at https://www.all-about- users-risk/ security.de/fileadmin/micropages/ Fachartikel_28/2019_Cost_of_a_Data_Breach_Repor 27 “Separating the Fact from Fiction: Attorney t_final.pdf General Barr is Wrong About Encryption.”
19 “Encryption Is a Critical Safeguard Against Data 28 Riana Pfefferkorn, “There’s Now an Even Worse Breaches,” BSA: The Software Alliance,” available at Anti-Encryption Bill Than EARN IT. That Doesn’t https://www.bsa.org/sites/default/files/2019-03/ Make the EARN IT Bill OK.” Center for Internet and BSA_Encrypt_DataBreach-web.pdf Society, June 24, 2020, https:// cyberlaw.stanford.edu/blog/2020/06/ 20 “Cost of a Data Breach Report 2019.” there%E2%80%99s-now-even-worse-anti- encryption-bill-earn-it-doesn%E2%80%99t-ma”ke- 21 “Cost of a Data Breach Report 2019.” earn-it-bill-ok
22 Cameron Coles, “Only 9.4% of Cloud Providers 29 “Civil Society Coalition Condemns EARN IT Act Are Encrypting Data at Rest,” McAfee, https:// for Failing to Protect Children While Threatening
newamerica.org/oti/reports/privacys-best-friend/ 19 Encryption and First and Fourth Amendment,” New America’s Open Technology Institute, March 6, 2020, available at https:// newamericadotorg.s3.amazonaws.com/documents/ Coalition_letter_opposing_EARN_IT_3-6-20.pdf
30 “Civil Society Coalition Condemns EARN IT Act.”
newamerica.org/oti/reports/privacys-best-friend/ 20
This report carries a Creative Commons Attribution 4.0 International license, which permits re-use of New America content when proper attribution is provided. This means you are free to share and adapt New America’s work, or include our content in derivative works, under the following conditions:
• Attribution. You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
For the full legal code of this Creative Commons license, please visit creativecommons.org.
If you have any questions about citing or reusing New America content, please visit www.newamerica.org.
All photos in this report are supplied by, and licensed to, shutterstock.com unless otherwise stated. Photos from federal government sources are used under section 105 of the Copyright Act.
newamerica.org/oti/reports/privacys-best-friend/ 21