The ongoing debate over U.S. encryption policy — pitting law enforcement officials against technology companies — is missing an important voice, say cybersecurity policy experts: the State Department.
U.S. officials recognize that the encryption issue is an international one, with ramifications not just for the sales or legal duties of U.S. companies abroad, but for the prospects of continuing U.S. leadership on global human rights.
But as the encryption debate has raged, the Obama administration has declined to take a decisive stance for or against what critics call “backdoors” — creating a legal requirement on the purveyors of encryption tools to provide surveillance capabilities against their own customers when ordered by a court.
That ambiguity has hamstrung the State Department, and by extension, handicapped U.S. global leadership on balancing the life-saving benefits of encryption for dissidents or others facing state persecution, against its use by child pornographers, drug dealers and terrorists.
“It is hard for the State Department to promote a coherent, consistent view of encryption policy because it does not exist at home,” said Adam Segal, director of digital and cyberspace policy at the Council on Foreign Relations. “During the FBI-Apple standoff, for example, statements of support for encryption from the FBI, NSA and White House differed with shades of meaning.”
James Lewis, senior vice president at the Center for Strategic and International Studies, was more blunt. “State doesn’t have much of a role because the administration doesn’t have an international strategy for encryption – it’s a laissez-faire approach,” he said.
A ‘global solution’
During a roundtable discussion hosted by the National Academies of Sciences, Engineering and Medicine, or NASEM, former NSA Deputy Director John “Chris” Inglis said that a “global solution” would be necessary to regulate encryption.
In front of a crowded room of technologists, company executives and policy experts, Inglis explained that because criminals can use encryption tools engineered by companies outside the U.S. government’s jurisdiction, the U.S. would need to reach international agreements to stop malefactors from “going dark” — using encryption to avoid lawful surveillance.
Inglis didn’t respond to a request for an interview through his current employer, D.C.-based venture capital investment firm Paladin Capital Group.
The State Department also did not respond to multiple requests for comment from FedScoop about efforts to coordinate encryption policy abroad.
But leaked documents reveal that U.S. officials recognize the need to build consensus with allies. A National Security Council memo obtained by the Washington Post detailing policy options on encryption makes clear that any option — but perhaps most emphatically a strong, public rejection of new encryption laws — would require consensus among U.S. allies.
If the president were to broadly support strong encryption in commercial products and reject law enforcement demands for surveillance capabilities, the leaked NSC memo suggests it would have been necessary to convince allies to make similar public statements against backdoor solutions. Additionally, the president would call on industry to “resist efforts” by foreign regimes to compel access.
The State Department, according to AccessNow Senior Legislative Manager Nathan White, would likely have led those efforts detailed by the NSC memo.
And it’s easy to see how the department’s equities are implicated in the debate.
Patrick Ball, director of research at the San Francisco, California-based Human Rights Data Analysis Group, said international journalists and human rights advocates supported by the State Department are among those that would suffer from any U.S. policy that weakens encryption technologies. He spoke at NASEM’s roundtable event alongside Inglis.
As someone who works closely with human rights organizations around the globe, Ball explained that in oppressive regimes — where digital surveillance is a tool used to identify and imprison dissidents — commercially available, sometimes American-made, encrypted communications services are literally a matter of life and death.
In a follow-up interview with FedScoop, Ball said that the State Department has supported the use of encryption tools used by “LGBT activists in eastern Europe and central and southern Africa, democracy activists in Ethiopia and Turkey, and journalists in Egypt and Nicaragua.” Some of these activists use encryption software built with funding and support from the U.S. government, he said.
In 2013, the State Department and USAID awarded $25 million to civil society groups working to advance “Internet Freedom” policy initiatives. A State Department spokesperson told the Wall Street Journal earlier this year that an “unspecified portion” of that $25 million was being used to develop secure communications tools.
“The FBI’s demand for access to all the world’s data undermines these activists — as it undermines the security of activists in the U.S., and indeed, all electronic security,” said Ball.
By “waffling” on the encryption issue, the White House was making it impossible for American diplomats to take a stance abroad, he said.
“I’m guessing that they [the State Department] don’t want to contradict the White House, and while the White House is waffling, the State Department will too.”
But Ball said the White House position — which he referred to as more “ambivalent …. than ambiguous” — was “less important than the general uncertainty worldwide about whether governments are going to make it illegal for [anyone] in civil society to keep secrets from them.”
China setting the standard?
Without U.S. leadership, global policy is likely to be made not by other democracies but by potential U.S. adversaries like Russia and China, experts say.
The Chinese government, for example, is proposing requirements on American tech companies that will make their customers’ data accessible to surveillance without needing encryption backdoors — by employing specially tailored and targeted market regulation and legislation, according to Lewis.
In late June, China’s parliament, the National People’s Congress, held a second reading of a new cybersecurity law — taking it another step toward passage. This legislation would impose strict data localization requirements, beyond current stipulations, like those that have long overshadowed the country’s publishing industry.
Data localization in China would require foreign tech companies to migrate Chinese user data to equipment located within the country.
Beijing, Lewis explained, could easily “squeeze certain American companies out of the market” if they won’t comply with local security laws.
China, Lewis summarized, is showing that a digital skeleton key is far from the only tool that can be used to access private — sometimes encrypted — user data held by international businesses.
In Russia, a new counterterrorism law enacted last week requires companies providing encrypted communications services to furnish a copy of the digital key to Moscow’s state security service, the FSB. All communications and telecom providers must keep copies of communications for six months and retain metadata for three years.
With all this activity it’s not surprising that, as Lewis said, the topic of encryption comes up in nearly all international forums focused on security, based on conversations he has had with government officials. It is something that concerns leaders in India, Britain and France, he said.
U.S. companies are concerned, too — and this is another area where a hamstrung State Department is unable to project U.S. leadership.
James A. Baker, the FBI’s general counsel to the Department of Justice, and also a speaker at NASEM, told FedScoop that he “hears concerns all the time” from private U.S. companies regarding how the U.S. government’s approach to encryption could impact their business outside the country.
Business associations have loudly complained about Beijing’s proposed new rules, and AccessNow’s White said the State Department should take a stand on the question because of the agency’s foundational responsibility to protect U.S. companies abroad and the nation’s economic interests.
But White also agreed with Ball that the principal international issue at stake is continued U.S. leadership on human rights.
In many countries outside the U.S., civil society groups “need to use strong encryption to protect their data, from membership and contact lists, to their internal planning and documentation, and always, information about the donors who make their work possible. If their data falls into the hands of their local police, their members may be arrested, tortured and disappeared,” said Ball.
He called on the administration to “unequivocally and strongly endorse the importance of global civil society as the fundamental guarantee of democracy and bulwark against extremism of all kinds. That means the ability to develop and use strong encryption without back doors.”
“The only way civil society can maintain the capacity to hold governments accountable is to be able to maintain secure communications,” Ball added.
Shaun Waterman contributed.