Allen 1

Caleb Allen
CST 300 Writing Lab
21 February 2017
On Encryption and the Rule of Law

The advent of data encryption has created conflict between the needs of law enforcement

and the individual’s right to privacy. While data encryption is not new, its volume and

effectiveness in modern times has rendered law enforcement officers unable to examine the data

and communications of savvy criminals. Officials of law enforcement have called for companies

to grant them access to encrypted data. This proposal has met with resistance from privacy

advocates, who argue creating an access facility would destroy encryption. The fundamental

needs of safety vs privacy must be addressed.

Overview and Current Context

Encryption has enabled e-commerce, online banking, dissident communication, digital

crime, anonymous child pornography, and data ransom. This mixed bag of developments has

created both problems and solutions for the civil society. In response to consumer pressure, many

companies have begun moving toward client side encryption. Consumers can now encrypt data

to an extraordinary level of cryptographic strength. This creates a problem for law enforcement,

who cannot access this strongly encrypted data with warrants.

People have long used some form of encryption or obfuscation to communicate secretly.

Early means of data concealment were used by the ancient Greeks:

“Another form of transposition is embodied in the first ever military cryptographic

device, the Spartan scytale [sic], dating back to the fifth century B.C. The scytale is a

wooden staff around which a strip of leather or parchment is wound…The sender writes

the message along the length of the scytale, and then unwinds the strip, which now

appears to carry a list of meaningless letters (Singh, 2000, Chapter 1, para. 19).”
 Allen 2

Julius Caesar used cryptography with letter transposition and even portions of the Bible were

enciphered by the Hebrews (Singh, 2000, Chapter 1, para. 21; Singh, 2000, Chapter 1, para. 50).

It is clear that, throughout history, methods of data encryption have been used by people to

protect themselves and their interests.

Encryption, ciphers, and codes use a methodology to hide data. For example, one method

of data concealment is to replace each letter in a message with another. One might replace each

letter in the phrase “attack at dawn” to hide the underlying message. If that phrase is transposed,

where each letter is replaced with the letter that comes two places after it in the alphabet, “attack

at dawn” can be written as “cvvcem cv fcyp.” Knowing the method, transposing one letter to

another, is not enough to decipher an enciphered message. One must also know the key, e.g. a =

c, b = d, c = e, etc., to render the phrase back into English. In cryptography, the element most vital

to ensuring secret communication is the key. “It was definitively stated in 1883 by…Auguste

Kerckhoffs von Nieuwenhof in his book La Cryptographie militaire: ‘…The security depends only

on keeping secret the key (Singh, 2000, Chapter 1, para. 24)’.”

In the modern context, encryption is prominently applied to digital communications.

With the advent of the internet, digital communications are accessible by, theoretically, the

whole world. Desire for services like e-commerce has put pressure on the computer industry to

find a way to make communication between two parties private. One solution came in the form

of public/private key encryption using high-entropy, random numbers. In this model, data are

encrypted with one of two distinct keys: the public key or the private key. Any data encrypted

with a particular public key can only be decrypted with the corresponding private key and vise

versa (Rouse, 2016). These private keys must be jealously guarded to keep communication

concealed, and they must be generated with high-entropy random numbers to keep them from
 Allen 3

being guessed by hackers. A long, truly random key can take an attacker, or investigator, an

eternity to brute force. To guess, for example, a 2048-bit encryption key it would take “a little

over 6.4 quadrillion years… the Universe itself would grow dark before you even got close.

(“Check Our Numbers:,” n.d.).”

Stake Holders

Privacy Advocates. The advent of encryption technology has been hailed and applauded

by privacy advocates. As the name implies, these people see private expression, action, and

communication as a net positive for humanity. Advocates have organized into non-profit groups,

like the Electronic Frontiers Foundation, to better fight for the privacy rights of people around

the world. “EFF [Electronic Frontiers Foundation] fights…to extend your privacy rights into the

digital world (“Privacy,” n.d.).” Many of these privacy advocates believe that the United States

Constitution guarantees a right to privacy for US citizens. By extension, citizens are entitled to

privacy; encryption is a valuable vehicle for this process. Privacy has positive effects on free

people, and, in contrast, monitoring changes how people communicate and interact. “There are

dozens of psychological studies that prove that when somebody knows that they might be

watched, the behavior they engage in is vastly more conformist and compliant (Greenwald,

2014).” Private communication is the only method by which some people, outside of free

societies, can access information that oppressive regimes restrict. Privacy has real individual and

societal value and must be protected.

Law Enforcement. Law enforcement in the United States has a different perspective on

encryption technology. They wish to enforce the rule of law equally and protect law-abiding

citizens. In a civil society, the deterrent for crime is punishment. Digital encryption allows

crimes to be committed secretly and the criminals to avoid punishment under the law. Some law
 Allen 4

enforcement officials seek ways to apply the law to digital criminals. Customarily, information

on suspects can be obtained with the warrant process. Complying with warrants is the duty of US

companies, and they must comply with court ordered requests for information. To accomplish

this, some have called for technology companies to build a method for warranted decryption. As

Jeff Sessions, Attorney General of the United States, has written: “Encryption serves many

valuable and important purposes. It is also critical, however, that national security and criminal

investigators be able to overcome encryption, under lawful authority, when necessary to the

furtherance of national-security and criminal investigations (Dunn, 2017).’” Without some

means of accessing encrypted data, law enforcement will be unable to protect citizens and punish

criminals.

Ethics of Encryption

The case for access. Companies have employed strong encryption on their devices and

are unable to provide data when demanded by a judge’s warrant. United States citizens are not

entitled to absolute privacy. A judge determines when privacy must be suspended in the pursuit

of justice. Companies who do business in the United States must comply with warrants that

allow law enforcement officers to examine records and search private property. Law

enforcement officers violate citizen privacy on a regular basis.

By creating devices and services that store and communicate data in absolute secrecy,

technology companies have indemnified themselves from liability. They have, purposely, set

themselves up as neutral parties to their customers’ actions. This practice must end. When a

judge determines that a warrant is justified, technology companies throw up their hands and

claim they are helpless to assist. These companies are not helpless to assist law enforcement;

they are fully able to build warrant compliance into their software. Technology companies must
 Allen 5

make their products accessible to law enforcement because only they can. If they want to give

their users privacy, they may do so. However, if a judge rules that encrypted data must be

accessed while pursuing an investigation, it is the software and hardware creator’s responsibility

to ensure the data may be accessed.

The intentional self-indemnification by technology companies is a violation of the social

contract. As Thomas Hobbes writes in Leviathan, humanity’s natural state is one of constant war.

It is only through the authority of the Sovereign, expressed in laws, that humans can escape this

natural condition: “Where there is no common Power, there is no Law: where no Law, no

Injustice. Force, and Fraud, are in warre [sic] the two Cardinall [sic] vertues [sic] (Hobbes, 2009,

Chapter 13, para. 12).” Individuals, pursuing their own interests, cannot act fairly in a lawless

society. Those who seek to escape the reach of sovereign law are reverting to the state of nature.

The state of nature destroys the individual’s chance to succeed and encryption advocates are

pursuing chaos in the name of privacy.

The right to privacy is not an entitlement of all people, nor is it an absolute good. “But

whatsoever is the object of any mans [sic] Appetite or Desire; that is it, which he for his part

calleth [sic] Good: And the object of his Hate, and Aversion, evill [sic]… (Hobbes, 2009,

Chapter 4, para. 6).” Individuals in our society have called absolute privacy good. They have

done so not because privacy is good but because they desire privacy. They ignore the social

damage that is caused by enclaves of the state of nature. The Sovereign must have sovereignty,

and encryption seeks to unravel the Sovereign’s power.

There is nothing new here. Law enforcement officers can search the mail, can tap phone

lines, can search private residences, and can search the body of citizens. There is also precedent

for changing new technology to accommodate the warrant process: “Congress in the 1990s
 Allen 6

passed the Communications Assistance for Law Enforcement Act…This act required

telecommunications companies to configure their systems in a way that would enable them to

effectively respond to court orders (Cordero & Zwillinger, 2015).” Warrants are how law

enforcement officers do their job and encryption subverts the judicial process.

Companies can create a secure means of access for law enforcement. “Apple could [sic]

design a completely [sic] secure facility to manage unlocking individual devices (Gibson,

2016).” This could be accomplished with a master decryption key or through a decryption key

database. Some companies have achieved this by encrypting data twice, once with the user’s

private key, and second with a “recovery” key that can be used for decryption (“What is the

difference between”, n.d). Some specific implementations may be better than others but what law

enforcement needs is demonstrably possible. Some organizations have created systems that are

intentionally designed to circumvent warrant procedures. While the encrypted data can be

provided, the data is rendered useless by the encryption process. Most companies are not

encrypting specifically to defeat law enforcement but the result is the same. Technology

companies were fully aware of the needs of law enforcement when they chose to employ

encryption technology. Compliance with warrants was ignored. Technology companies can and

ought to create a means of access.

In sum, compliance with the law is the responsibility of all citizens and companies in the

civil society. Laws are an embodiment of the will of the people, the Sovereign, and the social

contract. Circumvention of the law compromises the ability of individuals to seek their own

interests. Many implementations of encryption technology have not been designed to

accommodate lawful warrants. Technology companies can develop products that comply with
 Allen 7

the warrant process. Because compliance is possible, and lawful, technology companies must

build access methods into their products.

The case for the status quo. Law enforcement should respect the right to privacy of US

citizens and respect the right of companies to employ strong encryption technology. Privacy in

general, and encryption in particular, promote great happiness in the civil society. The proposal

of a means of law enforcement access seems, superficially, reasonable. However, specific

implementations of this policy have key flaws. Encryption, as a result of this proposal, would be

compromised and everyone would suffer.

Encryption is an absolute technology. Data may either be accessible by intended

recipients only, or they may not. The best encryption techniques are based on the concept of

“trust no one (Rapport, 2010).” Following this concept, engineers have created a technology that

can obfuscate information to all but the intended recipients. They have done this with open

source solutions. The most extraordinary feature of encryption technology is that it can secure

data even when the methodology is publicly and openly known. This feature is key to the

effectiveness and ubiquity of encryption. Law enforcement proposes to replace “trust no one”

security with “trust no one, except us” security. The proposed alterations break the effectiveness

of encryption technology.

Access protocols are problematic in many ways. Take, for instance, public and private

key encryption technology. There are two ways to give law enforcement officials access to data

encrypted in this manner: 1) engineers might create a “master key” that could decrypt all data, or

2) engineers could encrypt data twice and store this second key in a database for on-demand

access.
 Allen 8

Option one would require a static key. If such a key were created intruders would need

only crack law enforcement’s key to access all data. Even if this process required great effort, the

reward would be total access. This option makes everyone vulnerable to attack by a single, lucky

hacker. There are other implementation problems as well. Law enforcement would need to

provide their key to developers in some manner, or create large teams to accommodate requests

by individual companies. The former would require this “master key” to be provided as needed,

and, thus, expose it to many people outside of law enforcement. The latter would slow down

development significantly and create an undue burden on small technology companies. Option

one would severely compromise general data security and hamper the ability of technology

companies to innovate and compete.

Option two would require a central database and would require devices to send their

secondary keys back to the database itself. Even if such a database were compartmentalized into

many, smaller databases, individual threat surfaces would expand from a single key pair to that

key pair and a central database. Current public/private key implementations require an attacker to

derive a single key for a single target. Option two, in contrast, directs attackers to specific points

of failure wherein lay access to treasure troves of sensitive information.

Encryption technology is uncompromising because it must be. Data must be hidden in

plain sight and inaccessible to hackers. A “back door” that allows access to law enforcement

would also act as an entry point for intruders. Companies and government agencies from Yahoo

to the Department of Homeland Security have lost entrusted data to data breaches (Goel &

Perlroth, 2016; Lichtblau, 2016). This shows that data, left with companies and public agencies,

are not necessarily safe. Even security companies like RSA have been hacked (Richmond, 2011).

If companies as security conscious as RSA can be compromised, how can anyone be trusted with
 Allen 9

the keys to all encrypted data? Law enforcement agencies have shown they are unable to keep

such data confidential as well; this is demonstrated by the breach of the Department of

Homeland Security. Citizens cannot switch from “trust no one” security to “trust no one, except

us” security, because law enforcement agencies have shown they are not worthy of that trust.

Central to this debate is the question: what societal work does privacy accomplish?

Phrased another way: what good does privacy do? Julie E. Cohen of Georgetown University Law

Center writes “[p]rivacy is shorthand for breathing room to engage in the processes of boundary

management that enable and constitute self-development (Cohen, 2012).” People need a place

free of scrutiny, a safe place to be oneself and only oneself. Privacy promotes good in the

individual and, through the individual, to the rest of society.

The morality of privacy can be seen in the works of John Stuart Mill. He argues in his

essay Utilitarianism, that society must judge actions based on their results, and not merely their

intent. Which results, then, should a society aspire for? “The creed which accepts as the

foundation of morals, Utility, or the Greatest Happiness Principle, holds that actions are right in

proportion as they tend to promote happiness, wrong as they tend to produce the reverse of

happiness (Mill, 2004, Chapter 2, para. 2).” Society must judge an action by what the results

would be. Would an act create more happiness then suffering? If so, it is moral. Law

enforcement has the best of intentions but their methodology is flawed. Furthermore, law

enforcement officials have proposed an expedient approach, but “…he [Mill] said ’Individual

liberty is the ultimate value, and expediency…cannot justify intervention against individual

liberty (Szelényi, 2009).’” Opponents to encryption would increase the suffering of the masses to

ease the pain of a few.

 Allen 10

Encryption is a vehicle for privacy, which is an obscuring of thoughts and actions from

scrutiny. It allows people to speak, store, and act in safe obscurity. There are also more tangible

examples of the good encryption does. One example is in e-commerce, where encrypted

communications allow for safe financial transactions. If a master key could give access to these

transactions, economic harm could result. Encryption also protects people living in oppressive

regimes. Those who live in a society that seeks to control the information available its members

are able to, through encryption technology, access the free store of human information.

Missionaries operating in countries with oppressive regimes may also, through encrypted

channels, communicate safely with backers living in free societies. It is easy to speculate about

the negative things people do with anonymity, but encryption greatly promotes the general

happiness of humanity. Law enforcement’s proposal would compromise all the good that

encryption does in the world.

Evaluation of the Arguments. The pressure on law enforcement officials is tremendous.

Law breakers are operating in the shadows and doing terrible things. The “back door” proposal

would make it easier for law enforcement to stop terrorists, human traffickers, pedophiles, and a

whole host of other heinous criminals. It seems nearly certain that granting law enforcement

access to encrypted data would save lives. Balanced against their tangible goals lay the

intangible virtues of privacy. Without encryption, many good things in society would be

compromised; not least of these would be the welfare of people living under oppressive regimes,

e-commerce, and privacy. Both courses of action are reasonable.

The Student’s Position

Law enforcement’s request to legislate access to encrypted data should be rejected. This

debate hinges on the absolute nature of encryption. There is debate over whether law
 Allen 11

enforcement could gain access safely, but there is no proposal that does not compromise the

strength of modern encryption. While saving lives and children is a tremendous good for society,

so, too, is citizen privacy and the internet economy. A “back door entrance” to encrypted data

has the real potential to break encryption for everybody, and it is unclear what benefit would be

derived in its place.

Law enforcement officials point to specific crimes currently taking place behind the

curtain of encryption. However, is the use of encrypted data the cause of criminal activity, or the

effect? In other words, are criminals committing crimes over encrypted channels because they

have encryption, or because they are criminals? Terrorists use encrypted communications to

coordinate activity, but payphones and code words accomplish the same task. What drives this

activity is the desires of the criminals themselves. Compromising the integrity of encryption

systems would not deter the motivated bad actor from their activities.

The encryption genie is well and truly out of the bottle. Powerful encryption is open

source and available to everyone. Custom applications on phones, based on currently available

technology, would deter law enforcement as surely as the status quo does. It seems that even

were law enforcement’s proposal accepted, they could not use it to catch encryption savvy

criminals. The social contract demands that companies comply with the warrant process and they

most assuredly ought to do so. However, this proposal asks technology companies to

compromise a pillar of the secure internet. The risks of this proposal are much greater than the

potential rewards.

Law enforcement has the right to access private information pursuant to a judge’s

warrant. While they have the right to enter private property pursuant to an investigation, they do

not have the right to a copy of every door key in existence. Officers must find ways around
 Allen 12

barriers. There is evidence that they have successfully circumvented certain encryption

restrictions in recent years (Wuerthele, 2016). Therefore, let companies comply with warrants by

providing the encrypted data itself and let law enforcement seek strategies for decrypting the

information they need.

Concessions. These issues are of great societal importance. People will die if law

enforcement’s proposal is denied. Even though criminals would adapt, some would be careless

and subsequently stopped by law enforcement. It would be remarkably satisfying to punish those

who harm children. The “back door” proposal has the potential to stop many of these abusers.

However, there seems to be no middle ground on these proposals. In such an instance, one must

err on the side of individual liberty.

Conclusions. Encryption enables much good in the world; it is, simultaneously,

responsible for some degree of bad. Law enforcement must do its job and enforce the social

contract and the will of the Sovereign. It seems clear, however, that giving access to law

enforcement would compromise and thus destroy the utility of encryption. The good in the world

facilitated by encryption must take precedence unless and until a safe compromise can be

developed.
 Allen 13

References

Check Our Numbers: The Math Behind Estimations to Break a 2048-bit Certificate. (n.d.).

DigiCert. Retrieved from https://www.digicert.com/TimeTravel/math.htm

Cohen, J. E. (2012, November 5). What Privacy Is For. Harvard Law Review, Vol. 126.

Retrieved from https://ssrn.com/abstract=2175406

Cordero, C. & Zwillinger, M. (2015, April). Should Law Enforcement Have the Ability to

Access Encrypted Communications? The Wall Street Journal. Retrieved from

http://www.wsj.com/articles/should-law-enforcement-have-the-ability-to-access-

encrypted-communications-1429499474

Dunn, J. (2017, January 27). Trump’s attorney-general choice wants to ‘overcome encryption’.

Naked Security. Retrieved from https://nakedsecurity.sophos.com/2017/01/27/trumps-

attorney-general-choice-wants-to-overcome-encryption/

Gibson, S. (2016, March 12). The “Encryption” Debate. Gibson Research Corporation.

Retrieved from https://steve.grc.com/2016/03/12/the-encryption-debate/

Goel, V. & Perlroth, N. (2016, December 14). Yahoo Says 1 Billion User Accounts Were

Hacked. The New York Times. Retrieved from

https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

Greenwald, G. (2014, October). Glenn Greenwald: Why Privacy Matters [Video file]. Retrieved

from https://www.ted.com/talks/glenn_greenwald_why_privacy_matters

Hobbes, T. (2009). Leviathan. (E. White, & D. Widger, Ed.). Salt Lake City, Utah: Project

Gutenberg. Retrieved from https://www.gutenberg.org/files/3207/3207-h/3207-h.htm

(Original work published 1651)

 Allen 14

Lichtblau, E. (2016, February 8). Hackers Get Employee Records at Justice and Homeland

Security Depts. The New York Times. Retrieved from

https://www.nytimes.com/2016/02/09/us/hackers-access-employee-records-at-justice-

and-homeland-security-depts.html

Mill, J. S. (2004). Utilitarianism. (J. Barkley & G. Alley, Ed.). Salt Lake City, Utah: Project

Gutenberg. Retrieved from https://www.gutenberg.org/files/11224/11224-h/11224-h.htm

(Original work published 1879)

Privacy. (n.d.). Electronic Frontiers Foundation. Retrieved from

https://www.eff.org/issues/privacy

Rapport, M. (2010, October 20). Trust No One-A New Security Model for Today's New Threat

Landscape. Credit Union Times. Retrieved from

http://www.cutimes.com/2010/10/20/trust-no-onea-new-security-model-for-todays-new-

threat-landscape

Richmond, R. (2011, April 2). The RSA Hack: How They Did it. The New York Times. Retrieved

from https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0

Rouse, M. (2016). Asymmetric Cryptography (Public Key Cryptography). Tech Target.

Retrieved from http://searchsecurity.techtarget.com/definition/asymmetric-cryptography

Singh, S. (2000). The Code Book : the science of secrecy from ancient Egypt to quantum

cryptography. [Adobe Digital Editions version]. Retrieved from

https://sfpl.overdrive.com/media/520262

Szelényi, I. (2009). Mill: Utilitarianism and Liberty [Video File]. Retrieved from

http://oyc.yale.edu/sociology/socy-151/lecture-7
 Allen 15

What is the difference between "Login OTPs" and "Recovery OTPs"? (n.d). Lastpass. Retrieved

from https://lastpass.com/support.php?cmd=showfaq&id=4616

Wuerthele, M. (2016, August 1). FBI director calls for restart of smartphone encryption debate.

Apple Insider. Retrieved from http://appleinsider.com/articles/16/08/01/fbi-director-calls-

for-restart-of-smartphone-encryption-debate