This report from the Berkman Center's Berklett Cybersecurity Project offers a new perspective on the "going dark" debate from the discussion, debate, and analyses of an unprecedentedly diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community.
The Berklett group took up some of the questions of surveillance and encryption as some companies are encrypting services by default, making their customers' messages accessible only to the customers themselves. The report outlines how market forces and commercial interests, as well as the increasing prevalence of networked sensors in machines and appliances, point to a future with more opportunities for surveillance, not less.
Foreword to the Report
Just over a year ago, with support from the William and Flora Hewlett Foundation, the Berkman Center for Internet & Society at Harvard University convened a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to begin to work through some of the particularly vexing and enduring problems of surveillance and cybersecurity.
The group came together understanding that there has been no shortage of debate. Our goals were to foster a straightforward, non-talking-point exchange among people who do not normally have a chance to engage with each other and then to contribute in meaningful and concrete ways to the discourse on these issues.
A public debate unfolded alongside our meetings: the claims and questions around the government finding a landscape that is “going dark” due to new forms of encryption introduced into mainstream consumer products and services by the companies who offer them. We have sought to distill our conversations and some conclusions in this report. The participants in our group who have signed on to the report, as listed on the following page, endorse “the general viewpoints and judgments reached by the group, though not necessarily every finding and recommendation.” In addition to endorsing the report, some signatories elected to individually write brief statements, which appear in Appendix A of the report and also as individual posts on Lawfareblog.com, written by Jonathan Zittrain, Bruce Schneier, and Susan Landau.
Our participants who are currently employed full-time by government agencies are precluded from signing on because of their employment, and nothing can or should be inferred about their views from the contents of the report. We simply thank them for contributing to the group discussions.
Findings of the Report
In this report, we question whether the “going dark” metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not. The question we explore is the significance of this lack of access to communications for legitimate government interests. We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow.
In short, our findings are:
End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that widespread.
These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.
Since our report was published on February 1, 2016, we received a letter with substantive reactions by Cyrus R. Vance Jr., the District Attorney for New York County, who published a white paper in 2015 with concerns about smartphone encryption. He asked us to post his reply to our report on this page, and we're happy to do so immediately below:
The Berkman Center for Internet & Society’s Berklett Cybersecurity project convenes a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to explore and evaluate the roles and responsibilities of the U.S. government in promoting cybersecurity. This group is examining a wide range of topics including, among others, the ongoing encryption debate, public-private information sharing, and responsible disclosures of software vulnerabilities.
The project is led by Professor Jonathan Zittrain, former National Counterterrorism Center Director Matthew Olsen, and cryptographer and civil liberties author Bruce Schneier. The name “Berklett” is a portmanteau of “Berkman” and “Hewlett,” as in the William and Flora Hewlett Foundation, which generously supports the effort. More information at https://brk.mn/cybersecurity.
Berklett Cybersecurity Project Members
John DeLong *
Hon. Nancy Gertner (ret.)
Anne Neuberger *
David R. O’Brien
Matthew G. Olsen
* Our participants who are currently employed full-time by government agencies are precluded from signing on because of their employment, and nothing can or should be inferred about their views from the contents of the report. We simply thank them for contributing to the group discussions.