The end of 2019 and the beginning of 2020 have seen rampant attacks on an aspect of communications technologies we often take for granted: encryption. In addition to being the protective buffer of most internet traffic—everything from commercial transactions to social interactions—it also protects those who may need increased privacy, including vulnerable populations such as LGBTQ+ users living in nations where it is illegal to be part of that community, as well as domestic violence victims.
Law enforcement often voices concerns that encryption allows users to “hide” so they can conduct nefarious activities including, but not limited to, drug dealing, dissemination of child sexual abuse material (CSAM), and terrorism. Encryption protects at-risk populations by shielding the content of some of their communications from anyone—including law enforcement investigators—except their intended recipients. Over the years, Congress considered a number of proposals requiring companies to build intentional vulnerabilities, or backdoors, into encryption for use by law enforcement or national security agencies. However, providing such access to law enforcement investigators also creates access for bad actors seeking personal information to perpetuate cybercrimes, identity theft, or harassment.
On April 14th, 2020, ACT | The App Association President Morgan Reed and Family Online Safety Institute (FOSI) CEO and Founder Stephen Balkam co-hosted a webinar briefing on “Protecting the Vulnerable Online: Why Encryption is Key.” Several panelists joined them to examine the delicate balance between lawful access and privacy:
Stephen Balkam, CEO and Founder, FOSI
Stephen teed up the discussion: “We talk about safety, privacy, and security as being the bedrock upon which digital and media literacy and ultimately digital citizenship can be built. And exercising our rights as well as our responsibilities online depend on how much we can trust the apps, platforms, and devices that we use every day. So, we see encryption as falling right in the middle of the debate with safety on one side and privacy on the other. And it’s become a debate that is particularly polarized in Washington, DC.” He went on to say that law enforcement says it is stymied by encryption and wants tech companies to create a backdoor for them to access dissemination of CSAM and prevent terrorist attacks. Meanwhile, tech companies have been encouraged to build these backdoors which make encrypted information just as easy for law enforcement to access as it is for bad actors.
Carlos Gutierrez, Deputy Director and General Counsel, LGBT Tech
Carlos focused on the specific privacy needs of members the LGBT community online and the specific risks they face when it comes to encryption and the need for encryption. Many LBGTQ+ individuals turn to online communities for support as they consider coming out so it is important that information they intend to keep private stays private. A concrete example of the need for privacy is LBGTQ+ access to healthcare and access to doctors. In rural communities, for example, it can be difficult to be honest with healthcare providers, so members of the LGBTQ+ community turn online to other doctors that might be more sensitive to their needs.
LGBTQ+ individuals also face additional obstacles in states where it is legal to deny housing and medical care or terminate employment due to gender identity or sexual orientation. In the context of travel or living in countries other than the United States, Carlos said, “illegal behavior can be defined very broadly and very differently depending on where you are.” So being gay might not be illegal in the United States, but if one travels to one of these countries for work or any other reason, their communications might not receive the same protection in the way they are here.
Elaina Roberts, Technology Safety Legal Manager, National Network to End Domestic Violence (NNEDV)
Elaina continued the conversation on vulnerable populations by speaking to the obstacles domestic violence survivors face. For instance, survivors of abuse may simultaneously need law enforcement for protection and want their communications protected by encryption to keep their abusers from snooping on them. She elaborated further, “At NNDEV we support law enforcement; we often partner with them. We want to see them have everything available to them to hold offenders accountable. It really is a tricky situation and . . . the moment that you start allowing governments or law enforcement agencies to have that backdoor potentially into the encrypted information, you create a vulnerability in the system in general.” She also shed some light on the reality that there are abusers in all industries at all levels so the need for encryption remains as even those in tech and law enforcement could have bad intentions.
Elaina shared that for a lot of survivors, their privacy is directly connected to their safety. This is especially true for someone who is living with their abuser and trying to escape that situation. For example, the cell phone is a lifeline which is precisely why it’s also a target for abusers. Right now, people are being asked to stay home, so it’s especially critical that communications are encrypted for all of us, especially survivors of abuse.
John Wilbanks, Chief Commons Officer, Sage Bionetworks
Whereas Carlos and Elaina focused on protecting the information of individuals, John outlined why it is important to protect information in aggregate. He illustrated where encryption is important by describing situations where encryption is unnecessary: “When you’re doing collaborative data analysis, you are operating frequently in a high trust environment and so frequently what you want to do is not have data be identified as much or encrypted as much because it increases the transactional cost of the computation to have it be encrypted.”
Outside of a “high trust” environment, however, John emphasized the usefulness of encryption: “if you have an iPhone, you can get your structured medical record data on your phone and then you can upload it and transfer to other places. And so, it’s really important to encrypt that data . . . at rest and in transit because it is so valuable compared to other kinds of data about you. It can be used to obtain insurance [and] medications.”
John also commented on wearable devices while tying it back to the costs of computation: “You see this now with the smart thermometer data that’s come out around COVID [where] you’re showing Florida outbreaks before the health system picks it up. But what we see again—whether it’s a fitness wearable or a smart sort of health wearable—is that these devices almost never encrypt their data at rest or in transit because they’re making these trade-offs at the design level around battery life . . . And so you have this problem where you have data that can be incredibly revealing and it’s not encrypted at all. It can be sniffed. It can be captured at any given point along the way.” At Sage, they are trying to change this: decrypting only when an individual wants to see their data.
Jennifer Daskal, Faculty Director, Tech, Law & Security Program, American University Washington College of Law
Jen Daskal recalled the findings of a report she co-authored almost two years ago in conjunction with the Center for Strategic and International Studies (CSIS). The report examines the challenges that federal, state, and local law enforcement investigators face in dealing with digital evidence. The study calls for a significant increase in resources to help with the training and education of law enforcement, provided mostly by the National Domestic Communications Assistance Center (NDCAC). And so, before jumping to the solution of imposing decryption mandates, Jen’s expert advice was to first provide better training for law enforcement to effectively obtain and use available digital before considering decryption mandates.
Jen warned of the high costs decryption mandates would impose in the form of uncontrolled security risks: “I think one of the reasons why we haven’t seen Congress step up, despite urging across various administrations for some action on this issue . . . is because when you start looking at the cost of doing anything, the costs are quite high. And so, one of the most costly are the security costs . . . [and] cyber security risks . . . There’s a reason why we’ve moved towards encryption and we moved forward with encryption as a means of protecting our data . . . I think it’s pretty well-established that in any system there’s various ways of doing decryption—that can be more or less harmful to security—but once you start going down that road, you make things less secure to some degree or another.”
Recommended Resources by the Panelists
Our panelists also threw out some recommended reading/tools to check out. These include:
- A digital provider toolkit, survivor’s toolkit, and list of secure communications platforms NNDEV recommends at org,
- LGBT Tech one-pager on encryption,
- The Technology, Law, & Security (TLS) Program at American University Washington College of Law, and
- During the pandemic (and always) consider donating to a local food bank!