On Lawfare Alan Rozenshtein talks about the encryption debate and just who’s the target – not terrorists:
My experience—which accords with what I’ve heard from many seasoned prosecutors—illustrates the critical importance of default settings. It’s been widely known for decades that only a sliver of users ever change the settings on their devices, or even know that the settings are there for the changing. And if users can’t be bothered to change easily accessible settings, they certainly won’t go to the trouble of switching smartphones or messaging apps just to frustrate law enforcement. But when WhatsApp decides to make end-to-end encryption a default setting on its already immensely popular messaging program, the communications of a billion people are suddenly warrant proof. That’s the stuff of law-enforcement nightmares.
There’s no question that sophisticated bad actors—whether terrorists or spies—won’t just settle for the default setting. They’ll always find a way to encrypt their communications, whether by adopting products that don’t fall under national laws mandating third-party access or by taking technological countermeasures. (For instance, bad actors can sideload secure messaging apps that might otherwise be restricted from the Apple or Android app stores).
But end-to-end encryption won’t cripple counterterrorism investigations. (If this were a serious concern, one would expect a former NSA director to lead the charge against end-to-end encryption, not support its wide deployment.) There aren’t that many would-be terrorists, and the ones who exist get ample attention from the FBI and U.S. intelligence agencies. At such a high ratio of good guys to bad guys, the government can generally get around encryption where it needs to, whether by paying millions of dollars for third-party hacking tools, exploiting software and hardware vulnerabilities to hack devices, or engaging in physical surveillance. (The same logic also applies to counterintelligence investigations.)
So, rather than 3rd party access to encrypted data, simply make sure the defaults are off and make the criminals figure it out. This will work for the petty, dumb criminals, as Alan points out, but organized crime may figure it out, and sophisticated terrorists will be on the spectrum from “may figure it out” to “will use immune solutions.”
Given Alan’s discussion, I’m having trouble figuring out if there’s any point to 3rd party access. The math & coding skills necessary for nearly impossible to break communication isn’t confined to the security or commercial worlds. Only if a quantum computing solution is found will the government have a one size fits all potential solution to the problem. So far, I have not seen any reports of an actually capable quantum computer.
