CRYPTO 2018: “Middle Ground” Proposals for a Going-Dark Fix

On August 19, the CRYPTO 2018 conference on cryptographic research hosted a one-day workshop in Santa Barbara called “Encryption and Surveillance.” The goal of the workshop was to “examine how encryption and related technologies pose both challenges and opportunities for surveillance and reform of surveillance.” I was fortunate to be able to attend this workshop, listen to the panelists’ presentations, and observe the intelligent discussion between speakers and attendees about the topics at hand.

Out of a day-long agenda, perhaps the most noteworthy item was the panel on proposals for law enforcement exceptional access to otherwise-encrypted data. The presenters included Matt Tait of UT-Austin; Stefan Savage of UC-San Diego; Mayank Varia of Boston University; and Ernie Brickell of Brickell Cryptology, LLC. The workshop was not the first or last time their proposals were aired. Two of the speakers—Brickell and Savage—had previously presented a version of their proposals to the committee that published the National Academies of Sciences’ report “Decrypting the Encryption Debate” early this year (as mentioned on page 60). Varia’s paper likewise made the news back in March. And Savage said his work has been accepted into the next ACM CCS.

The goal of these four proposals was to provide suggested ways of implementing the “middle ground” on encryption—a design that gives law enforcement the access they want, without compromising users’ security—that government officials, from former FBI Director Comey to congressmembers to former President Obama, have long claimed must be possible.

The overall opinion of the cryptography and computer security community, formed by a quarter-century of research, is that there is no middle ground. Either you provide “exceptional” access for law enforcement and thereby create a security vulnerability that affects all users and can be discovered and abused by bad actors; or you design your encryption scheme to be as robust as you can, without intentionally adding flaws. It’s one or the other.

That is the general consensus. The proposals presented at the workshop run against that general agreement.

There are some complicated optics to hosting an event like this featuring proposals like these. On the one hand, I am honestly glad that the organizers (Tim Edgar, Joan Feigenbaum, and Danny Weitzner) put on this event. I say this for two reasons. For one, law enforcement officials sometimes claim that a middle-ground solution must surely be possible, and anyone who says it’s not is just being lazy and recalcitrant. This event shows that multiple people are in fact working to answer the government’s call. Name-calling won’t fly anymore.

The second reason I’m glad this event happened is related to the first. There is no better place to float proposals for building exceptional access into encryption schemes than one of the world’s premier conferences on cryptographic research. This wasn’t a roomful of politicians. The audience was academics and experts from industry, including no less than Ron Rivest himself (the “R” in RSA). They were well-positioned to find any technical flaws in the proposals that would make them unworkable. (Not to mention considerations of law, policy, or economics, which must also be taken into account.)

If, upon hearing those proposals, audience members or other reviewers can poke holes in them, that’s a good in and of itself. Testing them forces these proposals to be either revised and improved, or thrown out—that’s just sound scientific practice. Additionally, from a policy standpoint, finding the flaws in these proposals will help to bolster the general consensus that there is no such thing as a middle ground on encryption. To my earlier point: Computer scientists are trying to find the desired middle-ground solution… and they still haven’t managed to. That’s what I think the ultimate takeaway of this workshop is likely to be, once the day’s proposals have been thoroughly vetted.

But that assumes that policymakers and the general public will ever hear about the responses to the proposals. And that’s why there were bad optics to this workshop, too. Several of the speakers were careful to give the disclaimer that their proposals were just starting points, not the definitive answer to the eternal “going dark” debate. But now that they’ve put their work out into the world, how that work gets used is largely out of their hands.

The danger of an event like this is that the government can seize upon the mere fact that these proposals were put forth and use it as a wedge. Strong encryption’s many opponents in government can point to these proposals as showing that there is not, in fact, unanimous agreement after all about the impossibility of a middle-ground solution. When 9 out of 10 dentists agree (as the old toothpaste commercial used to say), that’s supposed to cast doubt on the lone holdout—not the other way around.

Never mind that these exceptional-access proposals likely all have serious shortcomings, whether technical and/or (as I observed on Twitter) practical. Never mind that, as the authors themselves said, these proposals are just suggestions, and suggestions are meant to be critiqued, not to be taken as gospel. The presenters’ work will be weaponized by strong encryption’s opponents to undermine everyone else’s work. And the conclusion of that work, over several decades, is that so far we know of no way to make a secure “golden key.” Using a tiny handful of as-yet-unvetted counterexamples to undermine that conclusion is irresponsible. If law enforcement is effective in touting these untested suggestions to legislators as proof that a “middle ground” on encryption is possible, it could result in disastrous public policy decisions.

Knowing they were putting on something controversial, the event organizers were savvy enough to devote an entire section of the workshop to discussing the four proposals presented. That discussion was lively and engaged, but high-level: there weren’t many comments raising technical critiques of particular details of the individual proposals. That’s not to say there aren’t any, though. I hope the cryptographers in the room who were quietly expressing their doubts to each other during the presentations (you know who you are) will write up their thoughts and share them publicly. That will help counteract the one-sided narrative that I’m afraid government officials will take away from the day’s workshop.

At the end of the day, I think it’s better to have events like this than to be too wary of how they’ll be spun by anti-crypto interests to hold them at all. That is, the spirit of scientific inquiry and academic freedom should not be overshadowed by a policy agenda. We are better off if ideas are raised—and rigorously tested—than if they are never voiced.

That is particularly true where, as here, the advocates of an idea are better off if nobody actually tests it. Law enforcement keeps theorizing that a “middle-ground solution” on encryption is possible. That idea doesn’t seem to die just because it’s repeatedly shown to be wrong. (Do the words “Clipper Chip” ring a bell? How about “FREAK”? Or “Logjam”?) But it will thrive all the more if it’s countered only with more rhetoric. The best way to rebut that speculation isn’t to let it stand unchallenged. That just lets the “middle ground” proponents keep saying cryptographers are lazy and recalcitrant—or, worse, that they secretly know a middle-ground solution is possible and they want to avoid proving the proponents right. No, the best way to keep countering this deathless fantasy about a “middle-ground solution” is for someone to actually try to prove it—and for others to debunk it, as they have so many times before, from the Clipper Chip to Ray Ozzie.

With all that said, Cindy Cohn of EFF, who was on the day’s first panel and stayed for the exceptional-access proposals, raised a note of caution that I think is worth repeating here. What she said, paraphrased, was: Hey, cryptographers, why are you letting yourselves be played by the government into solving their problem for them? That’s not your job. That’s the job of the technical experts at the three-letter agencies circling D.C. Your job is to work on strengthening computer security—i.e., the thing that most of the rest of the CRYPTO conference presentations were trying to do. You do not have to make it your job to find ways to undermine computer security in order to serve a law enforcement agenda that, as Cindy sharply observed, consistently downplays the vital role that strong encryption holds in protecting the public from hackers, thieves, abusive spouses, and other criminals.

Just because an interesting technical problem is presented to you, that doesn’t mean you have to take the bait. As multiple attendees commented during the discussion period, there is a moral character to cryptographic work. Working on the “middle-ground solution” question is not work that serves only beneficial ends, as sincere as the authors’ desire to help solve and prevent crime seemed to be.

Law enforcement agencies do not have a monopoly over such concepts as public safety or justice. To the contrary, they’ve arguably ceded most of their market share, in this era of police shootings of people of color, families torn apart at the border, mass surveillance, and other abominations by the state. It is no longer defensible to hide behind the rationale of being “just” a technologist working on “just” a technical problem, nor to pretend that technology will necessarily promote freedom. I was glad to see the presenters at the workshop grappling with the moral and ethical aspects of their proposals. I hope they will keep wrestling with those questions as this endless search for a magical golden key continues. And I hope they’ll ask themselves: Who benefits from a search that is never allowed to end?