Know your encryption workarounds: a paper
As The 21st Century Encryption Wars continue with no end in sight, security experts Bruce Schneier and Orin Kerr have collaborated on a paper that seeks to establish a common understanding of one aspect of the clash: encryption workarounds.
The authors consciously avoid policy recommendations, but rather hope to better the understanding of those who will do so in our political and law enforcement arenas.
From the paper’s abstract:
The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target’s data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use.
The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.
The post on Schneier’s blog is already drawing a stream of suggestions and constructive criticisms.
We can only hope that those actually tasked with establishing our laws and policies take the time to educate themselves in this way.