After months of techlash reporting, this morning’s tech headlines are downright boring. Even TikTok’s travails manifest in drab earth tones today, garnering headlines like, “TikTok Tries to Win Allies in the U.S. With More Transparency.” But make no mistake: cybercriminals, foreign adversaries, and even your own personal online bullies are still trying as hard as ever to steal your data and use it to harm you. The attack surfaces at their disposal are proliferating. And that’s why Americans are more fortunate than ever that federal and state governments have thus far declined to force vulnerabilities into encryption.
Two recent developments illustrate clearly how strong encryption plays a key role in our online safety. First, cost-cutting measures for cybercriminals are flourishing. For example, experts note that bad actors are already using open artificial intelligence tools like ChatGPT to amplify their efforts. As we’ve noted before, cybercrime is subject to the rules of economics just like any other endeavor. Bad actors only invest in their activities to the extent they can turn a profit. As the cost of cybercrime at scale decreases, the likelihood of profit increases. ChatGPT is one way to decrease resources needed to develop cyberattacks. However, the widespread use of end-to-end encryption—and full encryption of data at rest—substantially disrupts the cost-saving effect of tools like ChatGPT. For example, if an individual can store sensitive personal information in the cloud, and they are the only one with the key to access it, bad actors’ options are much more limited, regardless of how they can amplify their efforts with ChatGPT. On the other hand, if a federal law required a cloud provider to enable access by law enforcement to any encrypted information stored in that company’s personal cloud offerings, cyber attackers know there’s another way into individuals’ personal clouds and that the company facilitates that access for law enforcement. The attack surface would be much broader, and investing in attacks are much more likely to yield unauthorized access.
Second, the U.S. Supreme Court’s (SCOTUS’) decision in Dobbs v. Jackson Women’s Health Org. raises novel questions about how state governments—or individuals using state courts—could access data that is otherwise strictly personal and encrypted. The kinds of data access requests that could issue in the wake of Dobbs go beyond actual investigations into the provision or access of restricted abortion services. For example, adversarial parties in a divorce proceeding might seek incriminating or embarrassing information about the other party via discovery. Mandatory vulnerabilities built into the encryption that protects the messages and other data that would surface in these production requests increases the likelihood that somebody will seek it—via court order or otherwise—to pressure or blackmail somebody into doing what they want. The Dobbs decision paints a target on digital personal health data, but mandated encryption vulnerabilities would widen that target to other kinds of data and give bad actors the tools they need to misuse it.
As these incentives and avenues to access your personal data broaden, App Association members and companies like them continue to make encryption more accessible and more powerful. As long as public policy supports the use of strong encryption without mandatory vulnerabilities, Americans should continue to rely on it aggressively and wherever companies make it available. Our way of life is deeply rooted in the individual freedoms we have in real life. Encryption helps us protect those freedoms in digital spaces. As real life increasingly merges with our digital footprints and conduct, the importance of strong encryption is more real than ever.