LegiStorm

Summary:

Changing technology presents opportunities and challenges for U.S. law enforcement. Some technological advances have arguably opened a treasure trove of information for investigators and analysts; others have presented unique hurdles. While some feel that law enforcement now has more information available to them than ever before, others contend that law enforcement is “going dark” as their investigative capabilities are outpaced by the speed of technological change. These hurdles for law enforcement include strong, end-to-end (or what law enforcement has sometimes called “warrant-proof”) encryption; provider limits on data retention; bounds on companies’ technological capabilities to provide specific data points to law enforcement; tools facilitating anonymity online; and a landscape of mixed wireless, cellular, and other networks through which individuals and information are constantly passing. As such, law enforcement cannot access certain information they otherwise may be authorized to obtain. Much of the current debate surrounds how strong encryption contributes to the going dark issue, and thus it is the focus of this report. The tension between law enforcement capabilities and technological change has received congressional attention for several decades. For instance, in the 1990s the “crypto wars” pitted the government against technology companies, and this tension was highlighted by proposals to build in back doors to certain encrypted communications devices as well as to restrict the export of strong encryption code. In addition, Congress passed the Communications Assistance for Law Enforcement Act (CALEA; P.L. 103-414) in 1994 to help law enforcement maintain their ability to execute authorized electronic surveillance as telecommunications providers turned to digital and wireless technology. The going dark debate originally focused on data in motion, or law enforcement’s ability to intercept real-time communications. However, more recent technology changes have impacted law enforcement capabilities to access not only communications but stored content, or data at rest. As such, a central element of the debate now involves determining what types of information law enforcement is able to access and under what circumstances. Cell phones have advanced from being purely cellular telecommunications devices into mobile computers that happen to have phone capabilities; concurrently, the scope of data produced by and saved on these devices has morphed. In addition to voice communications, this range of data can include call detail records, Global Positioning System (GPS) location points, data stored on the devices (including emails and photos), and data stored in the “cloud.” Some of these data can be obtained directly from telecommunications providers or individuals, and some may be obtained without going through such a middle man. The Administration has taken steps to urge the technology community to develop a means to assist law enforcement in accessing encrypted data and has taken steps to bolster law enforcement capabilities. In addition, policymakers have been evaluating whether legislation may be a necessary or appropriate element in the current debate on going dark—particularly on the encryption aspect. A range of legislative options exist that could impact law enforcement capabilities or resources. Legislation could also place certain requirements on technology companies or individuals utilizing certain communications systems and devices. In debating these options, policymakers may consider a number of questions, including the following:  How effective might mandating law enforcement access to products or services manufactured, sold, or otherwise used in the United States be, given the borderless nature of modern communications? Is it possible to create a system with sufficiently narrow and protected access points that these points can only be entered by authorized entities and not exploited by others?  What is the appropriate balance for personal privacy and data security with public safety and national security?  What precedents might be set for U.S. companies operating both domestically and internationally if the United States mandates the ability for law enforcement to access encrypted data and communications?