Cybersecurity & Tech Surveillance & Privacy

Setting up a Straw Man: ODNI's Letter in Response to "Don't Panic"

Susan Landau
Thursday, May 12, 2016, 9:00 AM

As Paul has noted, the ODNI has

Published by The Lawfare Institute
in Cooperation With
Brookings

As Paul has noted, the ODNI has responded to the Harvard study "Don't Panic" by observing that widespread use of encryption provides an "impediment that cannot be fully mitigated by other means" (full disclosure: I participated in the study). His Lawfare post says "The IC Thinks Harvard Study is Wrong about Encryption," but instead, it looks to me like ODNI's letter got it wrong.

The ODNI letter says:

In particular, the report makes three findings we think are incorrect:

(1) The report suggests that the Government need not be concerned about the spread of encryption, since a great deal of information remains, and will continue to remain, unencrypted.

(2) The report notes the fact that the Government will still be able to obtain metadata will lessen the impact of more prevalent encryption.

(3) The report asserts that the Internet of Things (IoT) will provide the Government with new avenues to obtain important information about our surveillance targets that will mitigate the loss of access to encrypted channels.

The letter then goes on to argue various ways that the Harvard report got things "incorrect": lots of adversaries will use encryption to evade us, metadata can't supply everything that content does, and IoT doesn't give as much as content. Therefore the report is incorrect. But consider our report's conclusions:

The debate over encryption raises difficult questions about security and privacy. From the national security perspective, we must consider whether providing access to encrypted communications to help prevent terrorism and investigate crime would also increase our vulnerability to cyber espionage and other threats, and whether nations that do not embrace the rule of law would be able to exploit the same access. At the same time, from a civil liberties perspective, we must consider whether preventing the government from gaining access to communications under circumstances that meet Fourth Amendment and statutory standards strike the right balance between privacy and security, particularly when terrorists and criminals seek to use encryption to evade government surveillance.

In examining these questions, our group focused on the trajectory of surveillance and technology. We concluded that the "going dark" metaphor does not fully describe the future of the government's capacity to access the communications of suspected terrorists and criminals. The increased availability of encryption technologies certainly impedes government surveillance under certain circumstances, and in this sense, the government is losing some surveillance opportunities. However, we concluded that the combination of technological developments and market forces is likely to fill some of these gaps and, more broadly, to ensure that the government will gain new opportunities to gather critical information from surveillance.

Looking forward, the prevalence of network sensors and the Internet of Things raises new and difficult questions about privacy over the long term. This means we should be thinking now about the responsibilities of companies building new technologies, and about new operational procedures and rules to help the law enforcement and intelligence communities navigate the thicket of issues that will surely accompany these trends.

I see agreement between ODNI and the Harvard report—not disagreement. Consider the ODNI letter's first point, "The report suggests that the Government need not be concerned about the spread of encryption, since a great deal of information remains, and will continue to remain, unencrypted." Well, we do not say that the Government "need not be concerned about the spread of encryption"; we say, "The increased availability of encryption technologies certainly impedes government surveillance under certain circumstances, and in this sense, the government is losing some surveillance opportunities." We also say that much information will not be encrypted and that, "the combination of technological developments and market forces is likely to fill some of these gaps"—note that we say "some," not all.

From this I take away that ODNI and the report agree that some investigations will be impeded. Our report says, "Nevertheless, we question whether the 'going dark' metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not, but that statement is rather a far cry from saying we suggest the government "need not be concerned." So regarding ODNI's disagreement on our first "finding," my finding is that our report says the opposite. We largely agree, and where we "disagree," it is because ODNI has misstated our finding.

The ODNI letter and our report also agree that metadata is extremely valuable in conducting investigations, and that it can sometimes mitigate the loss of content. While the ODNI letter says, "[metadata] does not replace the definitive value of content," frequently metadata does exactly that. For example, former NSA General Counsel Stewart Baker has reported, "Metadata absolutely tells you everything about somebody's life. If you have enough metadata you don't really need content... [It's] sort of embarrassing how predictable we are as human beings." It would again appear that ODNI and the authors of "Don't Panic" agree about how valuable metadata can be, and that its use can mitigate the loss of content.

And ODNI and the report's authors also agree that IoT data will provide important intelligence in future. In February Director of National Intelligence James Clapper said that ODNI is developing ways to exploit data from the Internet of Things.

In saying that "the report makes three findings that we think are incorrect," it is not clear to which findings ODNI is actually responding. Could it be the report's admittedly provocative title (which was perhaps not the wisest choice)? Or maybe the ODNI letter is responding to a particular question—does loss of ability to access content sometimes create problems for investigators?—rather than the report's actual content. Either way, a response whose explanations of disagreements seem to point to agreements, does not seem like much of a disagreement at all.

In the end, the ODNI's response to our report leaves me somewhat confused. The reality is that the only strong disagreement seems to be with an exaggerated view of one finding. It almost appears as if ODNI is using the Harvard report as an opportunity to say, "Widespread use of encryption will make our work life more difficult." Of course it will. Widespread use of encryption will also help prevent some of the cybersecurity exploits and attacks we have been experiencing over the last decade. The ODNI letter ignored that issue.

Requiring that communications architectures be designed to make content accessible to law enforcement under court order creates serious security risks that, in my opinion—and those of numerous others—outweigh the value provided by such access. We've seen that with the delays in changing the cryptographic export controls in the 1990s and with CALEA. I discussed this concern in my addendum to the "Don't Panic" report, and in my testimony for the House Judiciary Committee in March. ODNI did not discuss these broader security issues in its letter.

So my response to the ODNI letter is twofold. ODNI's letter seems to be more about a presumption of the report's content was than what was actually present. More critically, ODNI's response does not address the crucial issue in the encryption debate: is widespread use of secure—non backdoored, frontdoored, exceptional access—encryption technologies in our national-security interest? That is the important issue—and not whether widespread use of encryption will make some investigations harder. Of course it will. It's unfortunate that the ODNI letter did not provide particularly useful information; this constitutes a missed opportunity.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.

Subscribe to Lawfare