Attorney General William Barr gave a speech on encryption at the International Conference on Cyber Security at Fordham University on July 23 that went over the usual law enforcement arguments for exceptional access.
There was nothing new in those arguments, though he did offer new examples to bolster the Justice Department’s case for exceptional access. But his speech included the following, which I ask the reader to read twice, first without paying attention to the words in italics and then while paying attention to them:
All systems fall short of optimality and have some residual risk of vulnerability—a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [The Department does not believe this can be demonstrated.]
[Moreover], even if there was, in theory, a [slight] risk differential, its significance should not be judged solely by the extent to which it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society .... Here, some argue that, to achieve [at best] a [slight incremental] improvement in security, it is worth imposing a [massive] cost on society in the form of degraded safety. This is untenable. [If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, on the other hand, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements [sic] access to zero percent—the choice for society is clear.]
Barr’s words are remarkable. As far as I can tell, this is the first time that the U.S. Department of Justice has acknowledged that the U.S. government is willing to ask the public to accept a lower level of cybersecurity and a higher degree of risk as the price for exceptional access. The words in italics express the department’s judgment about the magnitude of that risk and the societal benefits that would ensue from accepting it. And most of the privacy and technical community would disagree about that judgment. But regardless of where one applies adjectives like “slight,” “significant,” or “massive,” this is where the argument should be.
In this sense, Barr’s words are a huge leap forward in the policy debate on exceptional access.