William Barr Despises Your Power to Keep Him from Snooping on You

Attorney General Bill Barr gave a speech yesterday at Fordham that revived the encryption debate in the U.S. after a relatively quiet period. Since the departure of Rod Rosenstein, we hadn’t had a federal law enforcement official out there regularly giving speeches condemning encryption (though FBI Director Chris Wray threw his hat in here and there). Barr’s is the first such speech I’m aware of in quite a while—and, atypically for such speeches, he devoted the entire thing to anti-encryption rhetoric, rather than confining it to just one part of the remarks as Rosenstein, Wray, and James Comey had done before him.

Even so, we didn’t hear much that was new from Barr. For the most part, as CDT observed, he pulled out the same tired lines that I’ve grown accustomed to hearing over the years. Early last year, I released a whitepaper in which I analyzed U.S. law enforcement officials’ demands for “responsible” encryption, based on my blog post about a Rod Rosenstein speech in October 2017. In the whitepaper, I tried to determine exactly what the officials were asking for, and then explored the risks and limitations of that vision. That whitepaper still covers much of what Barr has to say now, a year and a half after I published it. If you go back and compare his speech to Rosenstein’s from October 2017 (which provided the template for many other nearly-identical Rosenstein speeches over the following months), you’ll see a lot of similarities.

Yesterday’s speech did play a few minor variations on the “going dark” theme. For one, U.S. officials’ past remarks have largely focused on access to encrypted devices rather than encrypted communications in transit. As my whitepaper explained, their remarks suggested they were interested in both, but it was kind of hazy. Yesterday, cryptographer and CS professor Matthew Green observed on Twitter that Barr’s speech was much clearer about wanting access to both devices and communications. This comes as no surprise—the latest Wiretap Report from the federal judiciary showed an uptick in the number of instances where encryption impeded wiretaps. Plus, Barr personally has a track record of mass warrantless surveillance of Americans’ phone calls from his first stint as AG. Unsurprisingly, he’s still just as eager to snoop on our conversations now. (Having clearly stated he wants access to encrypted communications in transit, Barr then misrepresented what federal law says about telcos’ duty, and Internet services’ lack thereof, to make communications wiretappable. But just as most of his remarks were recycled, this also wasn’t the first time the Department of Justice has made misrepresentations about that law, known as CALEA—a law in which Barr held himself out as an expert, making his inaccurate statements all the more troubling.)

Another difference from the usual anti-crypto spiel was that Barr invoked Australia’s new anti-encryption Assistance and Access Act as an example of “many of our international partners” that “are already moving on statutory frameworks to address” the “going dark” issue. Since last fall, I have expended a very significant amount of energy opposing Australia’s law, which passed in early December 2018. Before the bill’s passage, I said on a Stanford Engineering podcast that I worried that Australia’s actions would have a “domino effect” on other countries, particularly Five Eyes countries. Australia set an example of a Western democracy passing legislation that undermined encryption, making it look like that’s normal and OK. Just as I feared, Barr has now expressly invoked the Australian law, not as something to be condemned in the name of individual rights, economic interests, and national security, but as a model that America could follow. Our legal context is not identical to Australia’s—we have a Bill of Rights, for one thing—and our Congress is unlikely to pass any encryption-related legislation anytime soon, whether pro- or anti-. Nevertheless, it shows how Australia’s actions are reverberating beyond its own shores on the opposite side of the planet.

Finally, perhaps the most startling difference between Barr’s speech and the remarks of his predecessors is the one my Stanford colleague Herb Lin remarked upon over at Lawfare. That is Barr's admission that the guaranteed access he demands would undermine everyone’s security, and that we would just have to deal with it. In the past, as my whitepaper explained, Director Wray had flatly denied that his desired exceptional-access regime would necessarily and unavoidably mean weakening security. [Edited 7/26/19 to add: In fact, Wray continued denying it in a speech he gave two days after Barr's that otherwise largely agreed with Barr.] Rosenstein, meanwhile, had admitted that such a regime “would be less secure,” but bunted on the question by saying “that’s a legitimate issue that we can debate—how much risk are we willing to take in return for the reward?” Barr, by contrast, outright admits that there’s “residual risk of vulnerability”—and tells us that we, the hundreds of millions of users of encrypted smartphones, messaging apps, etc., must simply assume that risk. Why? Because that is what law enforcement wants. Barr does not even pay lip service to the notion that the risk/reward calculus of mandating weakened encryption is an important issue for society to debate and determine for itself. He just downplays the risks while making the usual move of overstating the expected return, and in response to any concerns his approach raises, he sneers: “Welcome to civil society.”

This is not how civil society works. We will not let our best defense against cybercrime (as well as many real-world crimes, which Barr wholly ignores) be thrown away so lightly. And we certainly will not stand to see it done by a man who has shown before that he can and will abuse any capability to spy on the people he is charged with protecting. Strong encryption protects us from those who would do us harm. To Bill Barr’s chagrin, that includes protecting us from Bill Barr. That does not make strong encryption "illegitimate," as he calls it. It only serves to underscore that defending strong encryption and making it ever more ubiquitously available is a more important goal than ever.