Cybersecurity & Tech Surveillance & Privacy

William Barr Says One New and Important Thing That Changes the Policy Debate on Exceptional Access

Herb Lin
Tuesday, July 23, 2019, 4:41 PM

Attorney General William Barr gave a speech on encryption at the International Conference on Cyber Security at Fordham University on July 23 that went over the usual law enforcement arguments for exceptional access.

Published by The Lawfare Institute
in Cooperation With

Attorney General William Barr gave a speech on encryption at the International Conference on Cyber Security at Fordham University on July 23 that went over the usual law enforcement arguments for exceptional access.

Nothing new in those arguments, though he did offer new examples to bolster the Justice Department’s case for exceptional access. But his speech included the following, which I ask the reader to read twice, first without paying attention to the words in italics and then while paying attention to them:

All systems fall short of optimality and have some residual risk of vulnerability—a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [The Department does not believe this can be demonstrated.]

[Moreover], even if there was, in theory, a [slight] risk differential, its significance should not be judged solely by the extent to which it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society .... Here, some argue that, to achieve [at best] a [slight incremental] improvement in security, it is worth imposing a [massive] cost on society in the form of degraded safety. This is untenable. [If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, on the other hand, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements [sic] access to zero percentthe choice for society is clear.]

Barr’s words are remarkable. As far as I can tell, this is the first time that the U.S. Department of Justice has acknowledged that the U.S. government is willing to ask the public to accept a lower level of cybersecurity and a higher degree of risk as the price for exceptional access. The words in italics express the department’s judgment about the magnitude of that risk and the societal benefits that would ensue from accepting it. And most of the privacy and technical community would disagree about that judgment. But regardless of where one applies adjectives like “slight,” “significant,” or “massive,” this is where the argument should be.

In this sense, Barr’s words are a huge leap forward in the policy debate on exceptional access.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare