Encryption Technologies Central to Debate About Online Free Speech, Say CDT-Charles Koch Event Panelists

December 13, 2020 – In the kick-off session to a weeklong series about “The Future of Speech Online,” the past, present and future of cryptography was front and center.

Can users enjoy the protections of end-to-end encryption and also be able to “get” bad actors? The problem, according to Erica Portnoy, senior staff technologist at the Electric Frontier Foundation, is that our society can’t have both.

Portney, one of the speakers in Monday’s session of the series sponsored by the Center for Democracy and Technology and the Charles Koch Institute, said that as a developer, she saw a marked difference in how the term “end-to-end encryption” was used in the field versus in the policy arena.

The use of the term in the policy arena has created conflict, she said. As a technical term, end-to-end encryption referrs to the process of turning a message into a secret message by its original sender to be decoded only by the final recipient. The “ends” here are the two devices—the sender’s device and the receiver’s device—and the encryption ensures that no can intercept or leak information in the conversation because the only people with the code to decrypt the message are the two parties conversing.

But end-to-end encryption is rendered null when people want the protections encryption can provide while also wanting to scan messages for potential threats. The latter, called client-side scanning, refers to when someone, usually the provider of the messaging platform, scans the messages before they’re encrypted to check for contraband materials.

If it is determined that the message has this illicit content, the app may refuse to send the message, notify the recipient, or forward it to a third party, perhaps without the user’s knowledge.

While the messaging system would still technically remain intact since there was no interception of an encrypted message, client-side scanning challenges user privacy and system security.

Portnoy said that she preferred the term “secure messaging” to refer to the situation where only the sender and her intended recipient could read messages or otherwise analyze their contents.

Other perspectives stressed the possibility of collaboration between encryption researchers and law enforcement

Not all agreed that the conflict between security and privacy was irreconcilable. Klon Kitchen, director of the Center for Technology Policy at the Heritage Foundation, said he liked the way Michael Hayden, former director of the National Security Agency, framed the issue. We can’t allow ourselves to think about this as a choice between security and speech.

Kitchen emphasized that America needs both encryption and security moving forward, and that there needs to be a level of good faith and prudence between the government and the security research community.

He also stressed that “in a modern world, securing nations means securing networks,” and as nations, we cannot operate independently of each other.

Nick Sullivan, head of research at Cloudflare, Inc. addressed the difficulty of creating systems and policies that work for all parties—consumers, industry groups, and the government. He cited the rapid deployment of https as an example of getting mass adoption of encrypted systems.

From a consumer perspective, with so many interfaces that seem to have nothing in common about policy implementation, it can be difficult to know how to navigate these issues, not to mention difficult to audit the platform’s policies, said Sullivan.

When asked what he felt the key points the public should know were, he said it makes the most sense to increase the incentive for groups developing secure technologies. He also suggested bringing the community together to standardize and pick one way to do a security feature, similar to how Signal is used in both WhatsApp and iMessage.

Hannah Quay-de la Vallee, senior technologist at the Center for Democracy & Technology, moderated this session.