Should the Government Have Access to Decryption Keys?

FROM THE LECTURE SERIES: The Surveillance State: Big Data, Freedom, and You

September 20, 2021 Technology

By Paul Rosenzweig, The George Washington University

Should a government be able to require the manufacturers of encryption technology to limit their distribution, to prevent strong cryptography from falling into malevolent hands? Should the state, in effect, be able to require that code makers build in a back door, by which authorities can access, and decrypt, encrypted messages? Let us look at the US government’s attempts to access encrypted information.

security backdoor concept with encryption letters showing through a keyhole and a man's silhouette walking through it
The US government prefers that people who develop encryption software should provide a backdoor decryption key for the government. (Image: BeeBright/Shutterstock)

Backdoor Keys

The US government’s preferred solution is that those who manufacture encryption software should build into the system a backdoor decryption key that will allow the government to read any encrypted messages.

According to the government, these decryption keys would then be stored or escrowed with a trusted third party say a judge at a federal court, who would release the key under only specified, limited circumstances. Needless to say, many privacy advocates oppose the effort, and their opposition has been successful so far.

Clipper Chip

In the 1990s, the FBI sought to require encryption-technology manufacturers to incorporate a back door that went by the name of Clipper Chip. Opposition to Clipper was based, in part, on civil liberties objections. Many people were concerned that the back door would be used for political purposes, rather than to combat crime.

The opposition was also based on a practical realization that the government itself was a beneficiary of strong encryption to protect its own secrets. A backdoor in encryption programs would not, necessarily, be available only to the U.S. government, after all. So, the state would primarily have a back door into its own secrets.

This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You. Watch it now, on Wondrium.

Companies and Customer Data

Until recently, though, the balance still favored the government because companies would often hold master encryption keys to their customers’ data. You can see why they might want to do that. They might, for example, do so as a matter of convenience. If you, as a user, encrypts data, and then forgets it, or loses the uncrackable encryption key, then the data is lost forever.

Since strong encryption is, for most purposes, uncrackable, governments have turned to an alternate method of securing access to encrypted communications. That is, forcing those who do the encryption to provide it with the encryption keys to decrypt the messages directly. As a result, governments are bringing increasing pressure on service providers to turn over their master keys.

Intermediate and Local Encryption

cloud computing illustration
If you upload a locally encrypted file to the cloud, then it will be secure even if the cloud service is forced to hand over their decryption key. (Image: Blackboard/Shutterstock)

There is a distinction between endpoint encryption and intermediate—or service provider—encryption. Google, Microsoft, Dropbox and all the other cloud-service providers use forms of intermediate encryption. When, for example, you store data in Dropbox—or you leave your e-mail in your Gmail folder on the Web—the service provider encrypts that information. The encryption techniques tend to be quite strong, making them relatively well-protected against outside attack.

But for long-term storage, the service provider itself retains that encryption key.

By contrast, if you use a strong encryption program locally on your own hard drive, and then upload the encrypted file to the cloud, the fact that your cloud service provider further encrypts the data is good. But, with respect to the government’s demands, it is irrelevant.

Even if Dropbox, let’s say, were compelled by a lawful order to give the government its decryption key, all that it would turn over would be your encrypted file, which you would still have encrypted locally.

Learn more about the unauthorized surveillance programs in the 1950s and 1960s.

Key with Provider

When the encryption key is held by your service provider, it is likely that the government can get access to the passwords. When you hold it, it is much harder for the government to get access. And that’s why the move toward automatic endpoint encryption is so significant for privacy and civil liberties.

Orin Kerr, a fellow professor of law at George Washington University, has summarized the general rule: Third-party data holders cannot assert a Fifth Amendment protection on behalf of their customers.

In other words, when your data is in Dropbox’s hands, your rights don’t apply, and you can’t use those rights to try and prevent Dropbox from giving the government your information.

Learn more about the problems with privacy.

Subpoena Disclosure

Many companies pride themselves on never allowing the government any kind of direct access to their servers. And, of course, by challenging the request and by being subject to an order to compel disclosure, the service providers will, at a minimum, demonstrate that they have made the effort. But in the long run, that just won’t work.

If the government inquiry is tied to some grand jury inquiry or it will be difficult to resist a valid subpoena. It is pretty close to black letter law—that is, a well-established rule not generally open to dispute—that the grand jury can investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.

No Avoiding a Grand Jury

So, this is pretty much an absolute. As a necessary consequence of its investigatory function, a grand jury investigation is not fully carried out until every available clue has been run down and—as the Supreme Court has said—all witnesses examined in every proper way to find if a crime has been committed. Investigative demands from a grand jury must be complied with unless there is no reasonable possibility that the data will be relevant to the investigation.

And so, the conclusion is that service providers like Google and Microsoft may resist the government’s pressure but, in the end, they will not succeed. By contrast, the end-point user—that is you—who holds his own encryption key, has a much stronger argument to withhold that key under the Fifth Amendment protection against self-incrimination.

Common Questions about Government Access to Decryption Keys

Q: What is the US government’s approach to accessing encrypted data?

The US government’s preferred solution is that those who manufacture encryption software should build into the system a backdoor decryption key that will allow the government to read any encrypted messages.

Q: What is the objection to building in backdoors to encryption?

The opposition to backdoor decryption was based not only in terms of civil rights but also on a practical realization that the government itself was a beneficiary of strong encryption to protect its own secrets and would primarily have a back door into its own secrets.

Q: What is the risk if the service provider holds the encryption key?

Since strong encryption is, for most purposes, uncrackable, governments are bringing increasing pressure on service providers to turn over their master keys. These providers do not have the same Fifth Amendment protection that individuals have.

Keep Reading
Electronic Surveillance: Challenges in Laws
Privacy, Anonymity, and the Rules of Surveillance
Technology and Anti-crime Surveillance

Related Articles

Professor Chats

The State of Cybersecurity

January 7, 2016

On March 23, 2015, Professor Paul Rosenzweig sat down for a live Q&A session with his fans from across the globe. The chat is over, […]