Ever since Apple and Google made their operating systems encrypted by default in 2014, the feds have complained that the move will make it harder for them to root out terrorist activity. Access to sensitive data, they argue, will "go dark."
A report out of Harvard earlier this week pushes back on that assertion and argues that fears are overblown. Encryption does not mean the Web goes "dark" for investigators. Instead, it creates "pockets of dimness" while opening up other avenues for spying, they conclude.
"Despite all the noise, few of the headline-grabbing and anxiety-provoking (for government, at least) moves by device and operating system makers from 2014 have materialized into real-world default encryption that is beyond the reach of government actors," the study says.
The Berklett Cybersecurity Project of the Berkman Center for Internet & Society at Harvard University pulled together a group of security and policy experts from academia, civil society, and the U.S. intelligence community to examine the issue. While they acknowledge that encryption presents challenges for the FBI, Defense Department, and others, it's not the end of surveillance as we know it.
"We question whether the 'going dark' metaphor accurately describes the state of affairs," the report says. "Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not."
Why is that? For one, it's not good business, they say. "Companies typically wish to have unencumbered access to user data—with privacy assured through either restricting dissemination of identifiable customer information outside the boundaries of the company (and of governments, should they lawfully request the data)," the report says. "Implementing end-to-end encryption by default for all, or even most, user data streams would conflict with the advertising model and presumably curtail revenues."
Meanwhile, software fragmentation—particularly on Android—can be a hindrance to encryption adoption. "In order for end-to-end encryption to work properly, both a sender's and receiver's messaging apps must be able to support it, and not all do," the report says. "If the ecosystem is fragmented, encryption is that much less likely to become all encompassing."
The feds also need to look ahead. Phones aren't the only things connected to the Internet. A vast new world of gadgets are coming online—aka the Internet of Things—and they are ripe for spying.
"The audio and video sensors on IoT devices will open up numerous avenues for government actors to demand access to real-time and recorded communicationsm," the report suggests, pointing to things like smart TVs, Internet-connected toys, and voice-controlled applications.
Finally, the report points to everyone's favorite security buzzword: metadata.
"Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in email, and so on," it says. "This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread."