[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] Fwd: [Cryptography] WashPo: Leaked NSC Memo on Encryption
---------- Forwarded message ----------
From: Henry Baker <hbaker1@xxxxxxxxxxxx>
Date: Wed, Sep 16, 2015 at 8:38 PM
Subject: [Cryptography] WashPo: Leaked NSC Memo on Encryption
To: cryptography@xxxxxxxxxxxx
FYI --
This is my OCR'd version of the National Security Council memo leaked
to the Washington Post and available at the link below. The pdf of
the original looks like it was typed on a *manual* typewriter -- the
NSC clearly following the lead of Russia to avoid being intercepted
electronically! [The irony of the NSC using a manual typewriter for a
memo on encryption is truly delicious!]
http://www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks
The most distressing part of this memo is its obscene disregard for
the Constitution. The only "stakeholders" -- according to this NSC
memo -- in favor of "civil liberties" and "human rights" seem to be
organizations -- e.g., the EFF and the ACLU; ordinary citizens are
apparently not "stakeholders", and have no "stake" in this discussion.
Of course, every time someone uses the term "stakeholder", the only
images that come to mind are those scenes from black-and-white horror
movies in which the townspeople are chasing a vampire with wooden
stakes that they intend to drive through his heart!
http://apps.washingtonpost.com/g/documents/national/read-the-nsc-draft-options-paper-on-strategic-approaches-to-encryption/1742/
REVIEW OF STRATEGIC APPROACHES
Option 1: Disavow Legislation and Other Compulsory Actions
Engagement Strategy and timeline
Z September: Outreach to foreign allies to signal our strong
resistance to efforts to compel access; outreach to U.S. industry, the
technology community, and civil society to coordinate messaging;
attempt to convince other allies to come out with a similar statement
at the same time.
Z October: The President issues a statement strongly disavowing
legislation or other efforts to compel access and calling on U.S.
industry to resist efforts by other nations to compel access;
coordinated industry and civil society statements of support;
coordinated foreign partner statements of agreement.
Z November: Outreach to other governments to bring more allies in
alignment with our position; outreach to U.S. industry to build
voluntary cooperation in the absence of compulsion; host public
discussions and debates on encryption policy with U.S. industry and
foreign allies.
Top Line Message
Z The problem of criminals using strong encryption to frustrate law
enforcement's information gathering is a real and growing problem but
we have not found a secure, practical solution.
Z People around the world rely on the security of U.S. products and
services in their daily lives. Mandating the design of those systems
to include known vulnerabilities makes all of us less safe and
undermines trust in these digital services.
Z It is critical that law enforcement be able to access the
information that it needs to protect public safety and national
security. We will continue to use all of the tools available to us
lawfully to keep American citizens safe.
Z Overall, the benefits to privacy, civil libertine, and cybersecurity
gained from encryption outweigh the broader risks that would have been
created by weakening encryption.
Z Accordingly, the Administration will not seek legislation that
compels providers to design their products to enable government access
to encrypted information, even pursuant to lawful process.
Z We expect that foreign governments will also take a hard look at
this difficult issue, and hope that they will come to the same
conclusion. We call on U.S. industry to resist efforts by other
governments to mandate such access.
Impact on Policy Equities
Public Safety and National Security. In the near term, this approach
would not provide any relief to law enforcement efforts to counter the
increasing use of encryption by criminals, including terrorists. As a
result, the public safety drawbacks would be significant, though the
precise extent of the drawback versus other proposals is unclear
because bad actors will increasingly be able to frustrate law
enforcement efforts to access their communications through lawful
process. This approach would remove technology companies' most
consistent grievance with the Administration, which could improve
cooperation across a range of important priorities on technology
issues including, but not limited to, encryption. It may also foster
better cooperation on information that is not encrypted and will not
fracture the Internet products and services market which may also
preserve better access to unencrypted information, thus aiding public
safety/national security.
Cybersecurity. Pro-encryption statements from the government could
also encourage broader use of encryption, which would also benefit
global cybersecurity. Further, because any new access point to
encrypted data increases risk, eschewing mandated technical changes
ensures the greatest technical security. At the same time, the
increased use of encryption could stymie law enforcement's ability to
investigate and prosecute cybercriminals, though the extent of this
threat over any other option is unclear as sophisticated criminals
will use inaccessible encryption.
Economic Competitiveness. This approach could help undercut foreign
competitors' criticisms that U.S. companies' products are instruments
of U.S. mass surveillance, and would clearly differentiate U.S. policy
from moves by China and others to mandate decryption. However, if
other markets do not follow our lead, and instead demand access, it is
more difficult to assess the impact of this approach. On the one
hand, U.S. companies could be forced to avoid those markets or develop
access solutions. On the other, the failure of some nations to follow
the U.S. lead could bolster the reputation of the United States as a
leading source of technically secure products and. services.
Civil Liberties and Human Rights. Domestically, many privacy and
civil liberties advocates would regard this approach as a significant
step in defense of privacy and free expression around the world. If
other nations follow our lead or companies successfully resist country
demands, this approach could limit repressive regimes' willingness to
demand access to encrypted information, which likely would help
protect dissidents and other communities in danger of human rights
violations.
Likely Reaction of Key Stakeholders
Industry and Civil Society. This sector would strongly support this approach.
Other Governments. Likely to be divided. This position would
contradict the stated policy of some allies (e.g., the United Kingdom,
France, and the Netherlands) who argue that governments should not
allow âsafe spacesâ for extremists. As a result, those allies could
criticize the U.S. position as endangering the safety of their
citizens. Other foreign partners that are strong advocates for free
expression online and have not argued for government access to
encrypted information (e.g., Germany and Estonia) are more likely to
support this approach.
Pros
Z Some in industry have indicated that a strong statement disavowing
legislation is a precondition to voluntary cooperation with the United
States Government. Since the prospects of legislation are dim, this
approach could help build cooperation without limiting broader policy
options.
Z Counters the narrative that the United States is seeking to expand
its surveillance capability at the expense of cybersecurity, and could
help repair trust in the United States Government and U.S. companies
overseas.
Z A strong statement from the United States could make it more
difficult for authoritarian regimes to seek compulsory legislation,
although working group participants are divided on whether adopting
this approach would actually stop such calls.
Z May weaken future calls for data localization since it will be
harder for other countries to claim they are âprotectingâ their
citizens' data from the United States.
Z Could provide some positive benefit for U.S. negotiations on the
U.S.-EU Data Protection and Privacy Agreement, Safe Harbor, and
Transatlantic Trade and Investment Partnership.
Z Is the strongest option for cybersecurity, economic competitiveness
and civil liberties and human rights.
Cons
Z This approach provides no immediate solution to the challenges that
the expanding use of encryption poses to law enforcement and national
security today and is the weakest option from that perspective.
Z Some working group participants argue this approach would remove a
key point of leverage -- the threat of legislation in our negotiations
with industry (although few, if any, in industry likely find this
threat to be credible).
Z U.S. providers have not indicated they would be willing to
voluntarily modify their systems to enable law enforcement access to
encrypted information, even if the government were to eschew
legislation, and could result in the United States being isolated in
its position.
Option 2: Defer on Legislation and Other Compulsory Actions
This option could be pursued with two distinct goals in mind. Under
option 2(a), the Administration would seek industry's voluntary
assistance to modify their technology to address law enforcement's
concerns. Under option 2(b), the Administration would accept the
current status quo and not seek technical modifications, but would
still ask providers to assist law enforcement in any way that they can
within their current technological framework. In either case, these
calls for assistance could be done publicly or privately, depending on
the preferred engagement framework.
Engagement Strategy and Timeline
Z September: Outreach to foreign allies to assess their positions;
signal to allies that the United States does not think legislation is
the right way forward at this time; work with other governments to
identify voluntary action by industry that would help to mitigate
their concerns; outreach to U.S. industry to coordinate messaging.
Z October: The President issues a statement disavowing legislation,
but acknowledges the serious challenges posed by encryption for public
safety and national security; secure coordinated statements of support
or agreement from industry, civil society, and partner nations.
Z October-November: Outreach to foreign allies in the wake of the
statement to bring more allies in alignment with our position;
outreach to U.S. industry to build voluntary cooperation in the
absence of compulsion; if some allies persist in demanding access,
consider whether the United States Government should highlight the
difference in positions and the U.S. emphasis on privacy-protections.
Z Post-November: Host public discussions on encryption policy with
U.S. industry and foreign allies; should foreign allies demand and
secure access, consider whether to call upon U.S. industry to provide
the same access to the United States Government.
Top Line Message
Z The United States is not seeking legislation at this time to compel
providers to change their products to enable government access to
encrypted information pursuant to lawful process.
Z At this point, legislation appears neither feasible or easily
draftable. We need considerable public discussion before we would be
in position to contemplate a legislative solution.
Z However, we also cannot ignore the barriers that inaccessible
encryption can create to law enforcement's critical need to
investigate and prosecute criminals, including terrorists -- and the
threat these barriers create for public safety.
Impact on Policy Equities
Public Safety and National Security. Does not reverse the long- term
trend of increasing use of encrypted technologies by criminals, but
could open potential avenues for cooperation with industry, without
removing all law enforcement leverage (although working group
participants disagree on whether calling for legislation will provide
meaningful leverage). Some working group participants, however, have
indicated they think it unlikely that industry will be willing to
voluntarily modify their technology -- even if the threat of
legislation is removed. This suggests that Option 2(a), in which the
Administration would seek such technical modifications, is unlikely to
succeed. However, unlike option 1, it retains flexibility on the
approach should the public safety picture deteriorate to overtake
competing equities. This approach would also make compromise with
foreign governments not currently seeking legislation easier, but
would still provide some help in resisting attempts by
governments like China to use encryption policies to skew markets or
oppress citizens by retaining strong public statements (e.g., âwill
not seek legislationâ).
Cybersecurity. Could encourage the use of more encryption, which
would likely be good for cybersecurity. If a statement under this
approach is perceived as positive but not sufficiently strong,
however, this could be less successful in forestalling other nations
from pursuing encryption-weakening measures. Also, because any access
point to encrypted data increases risk, if government efforts to
secure access are successful, this approach would reduce
cybersecurity. However, the degree of impact on cybersecurity would
vary significantly, and could be great or small, depending on the
specific policy and technical decisions.
Economic Competitiveness. Could have a positive, though incomplete,
effect in removing barriers to Administration engagement with the tech
sector on this issue. Removing the prospect of United States
Government calls for legislation would likely have positive effects on
international competitiveness. If long-term successful in gaining
government access, this option would significantly harm economic
competitiveness though the harm might be somewhat mitigated if there
was broad international success in getting government access.
Civil Liberties and Human Rights. Some will be dissatisfied with lack
of outright disavowal, but may appreciate the pragmatic recognition of
the practical limitations of a mandated approach. However, others
almost certainly will continue to have concerns about government
access to encrypted information being used to suppress dissident
populations. Should some companies cooperate voluntarily and enable
government access, the United States Government will need to accept
that other nations -- including some repressive ones -- will use this
access as well.
Likely Reaction of Key Stakeholders
Industry and Civil Society. Although industry and civil society may
be less positive to this approach than a hardline disavowal, those
communities would likely see this outcome as a solid win. However,
further government pressure on industry to build access into their
products would likely generate negative reactions. Therefore, it is
likely that Industry and Civil Society would have a much better
reaction to Option 2(b), which does not seek technical modifications,
than to Option 2(a), which does.
Other Governments. Allied governments that prefer an access regime
may push back on the core U.S. message. However, those governments
likely would react more positively to this approach than a complete
disavowal of government access to encrypted information.
Pros
Z Responds to a key ask from industry, although industry might prefer
a stronger statement. To the extent that industry is satisfied with
the strength of the statement, this approach could help build
cooperation without limiting broader policy options.
Z Could help counter the narrative that the United States is seeking
to expand its surveillance capability, and help repair trust in the
United States and U.S. companies overseas.
Z Could allow the United States to serve as a broker between
pro-access allies (e.g., United Kingdom, France, and the Netherlands),
and U.S. industry, which could mitigate some demands from foreign
partners and ensure U.S. companies do not have to build multiple
access regimes.
Z If long-term successful in gaining government access, this option
would help public safety and national security.
Cons
Z Could lead to disparate approaches by governments to the encryption
issue, leading to more or different compliance regimes that U.S.
companies will need to comply with, which could have a negative effect
on their economic competitiveness.
Z Does not provide an immediate solution to the challenges that the
expanding use of encryption poses to law enforcement. Without a
disavowal of legislation, many U.S. technology companies in the long
term likely will not pursue voluntary design changes in products and
services to enable access for law enforcement.
Z If long-term successful in gaining government access, this option
would harm cybersecurity, economic competitiveness and civil liberties
and human rights.
Option 3: Remain Undecided on Legislation or Other Compulsory Actions
Engagement Strategy and Timeline
Z September: Outreach to foreign allies to assess their positions;
Private outreach to key industry leaders to argue that we need a more
fulsome policy discussion before we decide how to proceed.
Z October: Organize or participate in closed-door, small group
discussions with U.S. industry to facilitate a more in-depth policy
discussion. At the same time, organize bilateral and multilateral
conversations with foreign partners to discuss the challenges and how
to proceed.
Z November: High-level Administration statement highlights initial
discussions, outlines key challenges, distills a few key questions and
principals, and announces a meeting or series of meetings (potentially
both domestic and international) to discuss and debate these key
questions.
Z December: After the discussions, reassess our position and determine
whether to take a position on encryption legislation or to continue to
call for discussion.
Top Line Message
Z The President has said that there is no situation in which you
wouldn't want strong encryption.
Z At the same time, there are situations in which the government
cannot obtain information related to a specific potential national
security threat. If there is not a way of accessing that information
and protecting the American public, then the Administration believes
need to have a public debate.
Z Having a broad discussion about this is essential -- over the next
several months, [we or several entities] will host discussions on the
challenges posed by encryption and how we can best address them. I
would urge everyone to participate.
Impact on Policy Equities
Public Safety and National Security. This approach has, to date,
failed to incentivize cooperation with law enforcement. It could in
the long-term sway public opinion to create greater responsiveness --
particularly while the government retains the leverage resulting from
the threat of legislation. On the other hand, silence on our part
could encourage foreign governments to control the agenda. They might
pressure U.S. industry to provide lawful access, which, if successful,
would make it easier for us to require similar accommodations. This
approach could also encourage companies to continue to aggressively
pursue developing inaccessible encrypted services, and could make
future cooperation significantly more challenging. Therefore, it is
hard to predict the impact that this approach would have on public
safety.
Cybersecurity. Although it would not actively conflict with our
message on the importance of encryption to cybersecurity, the
uncertainty of public perceptions about the government's position
could perpetuate distrust in encryption technologies related to the
United States Government, and could undermine the effectiveness of the
National Institute of Standards and Technology and other entities at a
time when our cybersecurity agenda is already at risk. If long-term
successful in gaining government access, this option would harm
cybersecurity. -
Economic Competitiveness. This approach does little to counter
current distrust of the government by industry or foreign competitors.
Further, by not taking a position on legislation in either direction,
this approach does little to shape the reactions of other governments,
increasing the risk that they will splinter into multiple camps,
presenting U.S. industry with fractured markets. Therefore, this
approach is likely harmful for economic competitiveness.
Civil Liberties and Human Rights. Because this approach would likely
not stop -- and could encourage -- other nations from demanding
access, it is likely harmful for the Administration's efforts on civil
liberties.
Likely Reaction of Key Stakeholders
Industry/Civil Society. Will likely continue to strongly object until
the United States Government explicitly eschews compulsory
legislation. As time passes, if we continue to fail to take a
position, industry and civil society positions will likely harden as
people perceive our silence as an implicit endorsement of legislation.
As a result, the United States Government risks losing credibility if
it fails to participate robustly in a public debate and with a unified
voice. There is also a risk that industry chooses not to participate
in meetings on the subject and escalates lobbying and public relations
efforts.
Other Governments. Allied governments that seek access will prefer
this approach to either of the approaches that come out against
compulsory legislation, and will likely see this as an opportunity for
them to press for legislation themselves.
Pros
Z Provides flexibility to course correct and negotiate with U.S.
industry and our foreign allies.
Z Retains a key negotiating chip (the threat of legislation) in our
engagement with industry (although few, if any, in industry find this
threat credible).
Z If other governments call for legislation and/or compel companies to
change their encryption solutions to enable better access in the
meantime, this could provide us with cover to use that same access.
Cons
Z Delays establishing a coherent Administration position, which could
result in: (1) the United States being portrayed as increasingly
ineffective/unable to resolve this challenge; (2) disputes among
departments and agencies bleeding out into public discussion; (3) U.S.
industry continuing to have challenges operating overseas (although it
is unclear that a pro-encryption statement would by itself address
this challenge); and (4) public and foreign government positions may
harden in the absence of an affirmative U.S. position, limiting our
ability to influence the global debate.
Z Does not provide an immediate solution to the challenges that the
expanding use of encryption poses to law enforcement. Moreover, this
approach does not resolve the current policy debate. The United
States Government likely will be faced with this same discussion again
in several months' time.
_______________________________________________
The cryptography mailing list
cryptography@xxxxxxxxxxxx
http://www.metzdowd.com/mailman/listinfo/cryptography
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk