The so-called “encryption debate” made national headlines in 2016 after Apple Inc. (“Apple”) declined to enable the Federal Bureau of Investigation (“FBI” or “the Bureau”) to unlock an iPhone recovered from one of the shooters involved in a terrorist attack in San Bernardino, California. The debate concerned whether the government should have the authority to compel technology manufacturers to create an “access key” for encrypted messages and share that key with law enforcement. Apple argued that allowing such access would undermine the security features of its products, while the U.S. Department of Justice (“DOJ”) insisted access was necessary to prevent future attacks. An existing dilemma came to the forefront: Should technology companies be able to use forms of encryption so secure that even they lack the keys? Or is such security not worth the possibility of allowing criminals to “go dark” from law enforcement?
While public attention on this issue has waned in recent years, the problem is not going away; instead, answers are needed now more than ever. As recently as December 2023, a leading technology company announced it would use end-to-end encryption (“E2EE”) as a default for calls and messages across some of its platforms. Analyzing the strengths and weaknesses of laws passed in other countries in The Five Eyes provides guidance for how the U.S. may best proceed with future legislation to promote privacy and security on a global scale.
Introduction
In 2015, then-FBI Director James Comey testified before the Senate Judiciary Committee, saying, “There’s no doubt that [the] use of encryption is part of terrorist tradecraft now.”[1] Months earlier, a heavily armed couple had killed fourteen people and seriously injured seventeen others in San Bernardino, California.[2] As part of its investigation, the Bureau obtained a warrant to search an iPhone owned by one of the shooters, but the phone was programmed to automatically delete all data after ten failed password attempts.[3] Unable to unlock the phone due, in part, to encrypted user data, the FBI requested that Apple rewrite its software to disable security features and install it for investigators to gain access.[4] Apple refused, arguing that deliberately weakening encryption on its devices by creating a “backdoor” through the encryption for law enforcement would make its products more susceptible to hacking by bad actors and foreign governments.[5]
The dispute between Apple and the DOJ is the most prominent example of an ongoing and contentious debate about government regulation of E2EE.[6] E2EE describes a secure communication method that prevents third-party access to data transferred from one device to another.[7] Many forms of encryption can be accessed by anyone with the appropriate decryption key, but E2EE goes beyond other forms of encryption by limiting access to messages and data to only the communicating parties.[8] E2EE scrambles data so only the sender and intended recipient may read E2EE messages; not even the manufacturer of the communication devices can access such data.[9] E2EE also ensures that data is encrypted before it is sent over a network, avoiding exposure of such communications to bad actors (such as hackers) in the event of a data breach.[10] In this way, E2EE is considered the gold standard for ensuring consumer privacy. However, E2EE’s airtight seal means law enforcement may not be able to effectively investigate dangerous criminal activity unless the encryption is weakened.
The modern encryption debate centers around a challenging dilemma: Should the government be able to compel technology companies to build systems in such a way that permits law enforcement access? Or should considerations about safeguarding privacy be paramount, even at the expense of governmental investigation and oversight?
Over the years, the two sides of the conversation have become increasingly polarized, with law enforcement groups on one side and privacy and civil liberties advocates on the other. Much has been written about the constitutionality of potential solutions to the cryptology debate. This Essay adds a new, unique perspective to the existing literature by discussing it within the context of rapidly evolving technology making E2EE policies instrumental to the lives of most Americans. Part I provides an overview of the debate within the technology and law enforcement communities and describes the failures of Congress to address the issue. Part II evaluates the strength of Australia’s and the United Kingdom’s approaches for addressing the problem. Finally, Part III provides recommendations for what Congress should do to address the encryption debate.
1. Sen. Charles E. Grassley Holds a Hearing on Oversight of the Federal Bureau of Investigation, S. Comm. on Judiciary (Dec. 9, 2015), https://congressional.proquest.com/congressional/docview/t65.d40.12090003.s98?accountid=14678 [https://perma.cc/DR82-DBN3].
2. Adam Nagourney, Ian Lovett & Richard Pérez-Peña, San Bernardino Shooting Kills at Least 14; Two Suspects Are Dead, N.Y. Times (Dec. 2, 2015), https://www.nytimes.com/2015/12/03/us/san-bernardino-shooting.html [https://perma.cc/4UJN-B78T].
3. Daniel Kahn Gillmor, One of the FBI’s Major Claims in the iPhone Case is Fraudulent, ACLU (Mar. 7, 2016), https://www.aclu.org/news/privacy-technology/one-fbis-major-claims-iphone-case-fraudulent [https://perma.cc/YYF5-8UMQ].
4. Government’s Ex Parte Application for Order Compelling Apple Inc. to Assist Agents in Search 1–2; Memorandum of Points and Authorities at 1–2, 4, In re Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 15-mj-00451 (C.D. Cal. Feb. 16, 2016).
5. See Letter from Tim Cook, CEO of Apple, to Apple Customers (Feb. 16, 2016), https://www.apple.com/customer-letter/ [https://perma.cc/P5G9-5A7N]; Apple’s Tim Cook: Complying with FBI Demand “Bad for America,” CBS News (Feb. 24, 2016, 9:02 PM), https://www.cbsnews.com/news/apples-tim-cook-complying-with-fbi-demand-bad-for-america/ [https://perma.cc/59FU-YKXR]; Shara Tibken, Countdown to Doomsday: Apple, FBI Face Off in Court Tuesday, CNET (Mar. 19, 2016, 5:00 AM), https://www.cnet.com/news/privacy/apple-fbi-case-encryption-iphone-backdoor-hack-terrorism-privacy-surveillance/ [https://perma.cc/5AFT-H2LW].
6. See Reema Shah, Comment, Law Enforcement and Data Privacy: A Forward-Looking Approach, 125 Yale L.J. 543, 543 (2015).
7. Mallory Knodel, Fred Baker, Olaf Kolkman, Sofía Celi & Gurshabad Grover, Definition of End-to-End Encryption, Internet Eng’g Task Force (June 13, 2022), https://www.ietf.org/archive/id/draft-knodel-e2ee-definition-04.html [https://perma.cc/8W7P-FG5L].
8. Steven Song, Keeping Private Messages Private: End-to-End Encryption on Social Media, B.C. Intell. Prop. & Tech. F., 2020, at 1, 2.
9. How End-to-End Encryption in Google Messages Provides More Security, Google Messages, https://support.google.com/messages/answer/10262381?hl=en [https://perma.cc/2H7S-R3GX] (last visited Feb. 25, 2024).
10. Lucian Armasu, End-to-End Encryption Could’ve Protected Yahoo Mail Users from 2014 Data Breach and NSA Spying, Tom’s Hardware (Oct. 14, 2016), https://www.tomshardware.com/news/e2ee-yahoo-mail-hack-spying,32857.html [https://perma.cc/YGQ7-K5G2].