President's Commentary: Encryption Policy Debate Pits Privacy vs. Security
The need to secure data never has been greater, and that need is growing. Encrypting data is one of the main methods of securing information at the source, in storage and in transit. With data breaches becoming more common and more serious, organizations and individuals increasingly are encrypting information. This trend ultimately could lead to significant changes in the data security realm.
Fraud, theft and information corruption have become a way of life in cyberspace. Vital information such as health care data has joined financial and personal data as a prime target of hackers.
At the same time, heavier reliance on encrypting information highlights other issues defining one of today’s most complex debates: privacy versus security. This issue encompasses at least six parties, including owners of data repositories; users who need to protect data; organizations with proprietary encrypting tools; companies that transport data; policy makers; and law enforcement and counterintelligence as well as other authorized groups. The needs of all six groups are legitimate and must be considered.
When Apple declined to circumvent several security features to unlock the cellphone of one of the shooters in the 2015 terrorist attack in San Bernardino, California, the company brought the digital privacy issue into the open. Looking for leads, counterintelligence and law enforcement groups needed to examine information on the phone. But Apple chose not to turn the keys to its security kingdom over to the government, fearing it would jeopardize proprietary information and customer security. Passing along corporate proprietary technical information to any third party risks weakening a company’s security framework.
The key issue in this debate is how to ensure the free flow of information and protect data. This is not solely a technology issue. Its ramifications extend deeply into government, industry and society at large.
The expanding capabilities for encrypting data are increasing pressure on industry to assist law enforcement. Meanwhile, people want their data protected. Policies are needed to provide essential security, protect intellectual property and allow for access without inviting abuse through government overreach.
But what is the greater good: the ability to easily exchange information or to protect information from all unauthorized exposure? As a matter of policy, any legitimate national security issue should usurp all other issues. After that, individual privacy rights and proprietary industrial information protections should reign. Unfortunately, no one can agree where the dividing lines should go.
Part of the reason is that we often cannot fully agree on security standards, and when we do, those standards are open to broad interpretation. Rapid technological changes complicate the matter, and the cyberthreat is progressing faster than technologies and policies can counter it.
U.S. elected officials, working with industry and academia, must unite to solve this challenge of security versus privacy. We are in the early stages of developing philosophy, policy and law, and these elements promise to change over time. But policy is moving at a slow, linear pace, while technology is growing exponentially. This solution will be as much about human factors, behaviors and perceptions as it is about technology.
Additionally, we need to determine now under what circumstances government will be granted access to encrypted information and the rules of engagement.
However the debate unfolds, data encryption may bring this issue to a head. The increased adoption of encrypted information probably will complicate the security versus privacy faceoff. This issue must be resolved with great care, as its importance will only grow with each emerging cyberthreat. Our leaders must address it now.