Exceptional Access in a Trump Administration

It didn’t take long after Trump’s unexpected election as the 45th president of the United States for the encryption debate to reemerge. Here on Lawfare, for example, Susan Landau argues that because of the risk that Trump may seek to institutionally and illegally misuse law enforcement for his own ends (as President Nixon famously did), we must end any plans for “exceptional access” schemes for law enforcement to safeguard democracy before Trump can grasp the levers of power in January.

Unfortunately, this logic is backwards.

From the outset, let me be quite clear: to say I have been alarmed by the president-elect’s actions and rhetoric during the campaign and during the past three weeks is something of an understatement. The grave harms against U.S. institutions, alliances and political norms that Trump seems to repeatedly, instinctively and almost casually inflict are quite shocking to me, and the sheer number of his actions and remarks that fill me with a sense of horror and disbelief could fill libraries. But I am not at all convinced that Trump will be able to misuse law enforcement or the national security establishment to illegally spy on his political opponents, journalists and dissidents, even if he chooses to do so.

The president clearly has very considerable powers in a broad range of areas, but there are limits to what even he can do. After all, the United States is a rare example of a country founded explicitly on the principle of insulating its citizens from a tyrant at the helm, and those protections are at their strongest when protecting journalists, rival politicians and activists from their president. As others have also noted, the federal government is a vast and bureaucratic organization with considerable institutional inertia to rapid cultural change, and neither Trump nor many of his closest advisors and initial appointees have much experience in public administration. So, if Trump seeks to govern as he campaigned, I suspect he will quite rapidly find his plans frustrated by constitutional, legal, cultural and institutional opposition.

But here’s the thing. Even if I’m wrong, and the United States is now doomed to enter a dark era of top-down illegal misuse of law enforcement, with Trump able to quickly steamroll over all institutional safeguards and obstacles, civil libertarians should be lining up in support of exceptional access mechanisms; it is only by moving law enforcement towards the technically constrainable and enforceable transparency of exceptional access mechanisms and away from unconstrained, non-transparent capabilities such as device hacking that there can be any hope of technically containing or exposing a president’s illegal misuse of law enforcement.

Of course, if we are now destined to enter such dark times, the notion that encryption will effectively protect against a malevolent commander in chief may be laughable and self-indulgent in any event. If Trump seeks to misuse law enforcement, the most meaningful constraints against abuse will derive from exposure by good journalists and the actions of good lawyers, politicians and public servants, not the technical prowess of academic cryptographers and Silicon Valley technologists. But to the extent that encryption is a safeguard at all, foregoing exceptional access to encrypted data to defend against a tyrant misusing law-enforcement from the Oval Office is precisely backwards.

The principal value of exceptional access for law enforcement is not that it might empower law enforcement to solve more crimes. Rather, its value is that it disempowers misuse of law enforcement tools by providing a mechanism to constrain law enforcement’s ordinary searches of digital devices so they must jump through pre-defined and publicly auditable technical checks and balances that closely mirror their legal counterparts. In doing so, exceptional access slowly but surely takes the tools that do not have those technical checks and balances off the shelf of as many law-enforcement officers as possible.

Indeed, the point of split-key exceptional access schemes is not to give law enforcement an access tool and trust them not to misuse it. Rather, we split the key precisely because we don’t (or, at least, shouldn’t have to) trust them with it. The key is split between multiple organizations precisely to avoid needing to trust that the law-enforcement officer as an individual, or law enforcement as an institution, is incorruptible.

A conspiracy to misuse a properly built exceptional access system must be vast, cross multiple branches of government and private industry, and would be impossible to hide after the fact in any case. By contrast, a conspiracy to misuse, say, device hacking can be as small and self-contained as a single rogue officer in a far-flung field office; can be conducted completely unchecked by other branches of government, the device manufacturer, or even the rogue officer’s immediate superiors; and could be completely invisible to judicial or congressional oversight, the public, or the victims of the conspiracy.

More generally stated, the point is that, outside of a libertarian fantasy, the alternative to exceptional access systems for encrypted data is not law enforcement giving up on access and going home. The alternative is law enforcement (and society as a whole) adapting and developing other capabilities to fill the investigative gap. Such capabilities will inevitably have weaker safeguards, weaker security guarantees, make data access more physically dangerous, and have more illiberal social corrective consequences. These include not just gaining access via remotely hacking devices but also, for example, subverting software updates, subverting supply chains to install malware on devices before they are sold, distracting arresting officers with the knowledge that once a suspect locks their device its content will be inaccessible, and the erosion of legal safeguards and precedents (such as Riley v California) by making devices that are not searched immediately incident to arrest impliedly inaccessible.

These corrective responses not only leave users less secure and worse off, they are also more easily, quickly and quietly subverted by rogue law enforcement officers or, heaven forbid, a rogue president.

The more you worry about President Trump turning into a President Nixon, and the more you distrust law enforcement to use its powers and tools faithfully and lawfully, the more you should want law enforcement’s tools to look less like hacking and more like a properly secured exceptional access scheme. Exceptional access does not only allow technologists to bake-in a formally transparent, regulable system where multiple organizations get to check both the existence and validity of a warrant before a search is approved, and where citizen researchers can audit their own devices to prove to themselves by whom, by what process, and with what safeguards their device may be searched; technologists can go even further if they so choose.

For example, it becomes possible for concerned Silicon Valley technologists to allow device searches that nevertheless cryptographically prevent illegal evidence tampering or planting during the search. It becomes possible to build systems that partition device data so that search warrants can specify that some but not all parts of a device may be searched, and to have those restrictions cryptographically enforced ahead of time, rather than needing to simply trust the honesty and competence of the searching officer to limit the search to the scope specified on the face of the warrant. These are all protections that cannot be technically imposed if we resign ourselves to the inevitable alternative access mechanisms such as device hacking.

Put simply, if President Trump wishes to illegally misuse law enforcement and to steamroll over all norms and internal safeguards, then encryption will not stop him. But his abuses will be easier to achieve and easier to hide if law enforcement uses hacking as its default, go-to investigative technique. Conversely, such abuses will be harder to secretly conduct if law enforcement’s default investigative technique requires co-opting or tricking multiple organizations as part of a split-key decryption process, where each organization can demand to see and validate a judicial warrant prior to decryption, and where the illegal request will be forever, indelibly chiseled onto a public ledger afterwards.

If you trust law enforcement to always act properly both at the institutional and at the individual level, then perhaps these safeguards against misuse don’t matter. But the more worried you are about misconduct by rogue law enforcement officers or institutional misuse of law enforcement by President Trump, the more you should be advocating exceptional access from the rooftops.