Crypto wars: Why weakening encryption misses the mark 

Asymmetric encryption emerged in the 1970s against the backdrop of heavy government surveillance used to weaponize information against domestic and foreign enemies. Since then, law enforcement and government intelligence agencies have argued that widespread private use of encryption can hamper criminal investigations and national security efforts. For many cryptographers and privacy activists, however, this surveillance was the primary threat that made widespread use of cryptography a moral necessity in the first place.

One pivotal moment in this history was the prosecution of Phil Zimmerman by the U.S. federal government for distributing his encryption software, Pretty Good Privacy (PGP), without a munitions export license. In the 1990s, U.S. arms control regulators treated cryptography software like a munition, and as a result, exporting such a program overseas by posting it on the internet was in violation of these regulations. The case dragged on for three years before eventually being dropped, and export control laws were rewritten after it became obvious that software couldn’t be contained like rocket motors.

Fast forward to 2021, when a presidential executive order charged the National Institute of Standards and Technology (NIST) with setting standards requiring the encryption of data to protect software supply chains. What’s more, NIST’s Federal Information Processing Standards have included forms of PGP software for more than two decades. This shift illustrates how the federal government eventually recognized the importance of strong encryption and that, despite the different shapes and forms it has taken over the decades, the conflict between the security and privacy advocates reflects a lag in governmental adaptation to technological advancements.

While the overarching debate generally remains the same, the crypto wars now primarily revolve around end-to-end encryption (E2EE). Widespread public access to E2EE means that criminals can also use it with impunity, making it harder to detect and investigate the transmission of illegal content, such as child sexual abuse material and terrorist plots. Law enforcement officials are challenged with investigations going dark because they are unable to conduct investigations due to a lack of access to communications and data. This situation is a surveillance and security problem and a content moderation problem. In addition, E2EE makes it harder for platforms to defend users from spam, abuse, and harassment, and encrypted communications can become vectors for abusive harassment and misinformation campaigns.

Computer scientists and privacy advocates, in turn, counter these criticisms with the argument that strategies for content moderation go beyond merely reading messages, with automated data analysis, user reporting workflows, and message flagging mechanisms as some available tools. Further, with ongoing research in this field, E2EE isn’t necessarily the roadblock to content moderation that many think it is.

Achieving the balance between security and privacy in digital communications, particularly in the context of E2EE, remains a daunting task. Despite ongoing research in this field, security specialists are far from securing a robust solution to tackle this challenge. However, following are several promising approaches that offer steps in the right direction.

• Homomorphic encryption is a form of encryption that enables computations on encrypted data without decryption, allowing operations such as keyword filtering and pattern matching while maintaining data confidentiality.
  • Pro: Supports complex analysis without exposing data
  • Cons: High computational overhead; cross-platform compatibility issues
• Metadata-based moderation allows platforms to analyze message metadata attributes such as frequency and size to identify patterns indicative of harmful content without accessing message contents. It complies with privacy regulations by focusing on noncontent data and strikes a balance between user privacy and security.
  • Pros: Preserves message confidentiality; complies with privacy regulations
  • Cons: Might miss sophisticated threats; subject to legal concerns over metadata usage and storage
• Source tracking is a way to integrate the original sender’s identity into message metadata, allowing platforms to trace the dissemination of harmful content across networks. Source tracking enhances moderation capabilities while preserving user anonymity and confidentiality.
  
  • Pro: Preserves user anonymity by only using metadata
  • Con: Complex to implement in decentralized systems
• Client-side moderation is another way of minimizing user data exposure in content moderation. It keeps tasks such as spam filtering and malware detection on the user’s device. By processing sensitive data locally, client-side moderation enhances user privacy and reduces server-side exposure, thereby mitigating risks associated with centralized data storage. 
  • Pro: Sensitive data remains encrypted and within the user’s control
  • Cons: Limited by user devices’ processing power; requires constant updates to client software
• Perceptual hashing is a technique that can be used to generate unique fingerprints of media files, facilitating efficient comparison against databases to detect known harmful content, thus enhancing content moderation capabilities across diverse media formats while preserving the encryption of original files.
  
  • Pros: Effectively identifies illicit materials without breaking encryption; works across diverse media formats 
  • Cons: Needs regular database updates; might struggle with new or sophisticated threats 

The bottom line is that continued advancements in encryption technologies and regulatory frameworks will play pivotal roles in shaping the future landscape of digital communication and can help protect privacy as a fundamental right in the face of evolving security threats.

Security and privacy aren’t two sides of the same coin. Rather, they are overlapping functions within society’s technological framework. Prioritizing one over the other fails to respect the balance necessary for good public policymaking. With the world no longer being divided between the physical and the digital, the crypto wars aren’t a state versus citizen or security versus privacy conflict but rather a societal risk management challenge.

As the Zimmerman story highlights, governmental understanding can evolve, albeit slowly. The ongoing struggle underscores the need for governments and businesses to keep pace with technological advancements and adapt their policies accordingly. Organizations must understand the critical role of encryption in securing data and fostering customer trust, adapt to regulatory changes, and invest in innovative solutions that balance security and privacy.

Looking ahead, continued research and technological innovation will lead to the development of more robust encryption methods and effective moderation strategies. This progression can enhance security measures and reinforce user trust in digital platforms. Aligning such advancements with global privacy regulations will be crucial in fostering a secure and transparent digital environment.