SAN FRANCISCO — Nearly three years after the FBI unsuccessfully sought Apple's help to hack into a phone used by one of the San Bernardino terrorists, law enforcement and companies are no closer to resolving the dispute over digital-message privacy.


Makers of the world's most popular consumer devices and the software that runs them say encryption, the coding that can keep anyone except the sender and receiver from being able to read messages sent on platforms like Apple's iMessage, is necessary to keeping consumer data private. That encryption prevents bad actors, from spying government agencies to mercenary hackers, from intercepting it, they say.

Law enforcement agrees — up to a point. When crooks and terrorists use encrypted data to keep their plans private, detectives say they should get a back door that unlocks encryption.

The FBI's beef with Apple faded after it paid an unnamed vendor to hack the San Bernardino terrorist's iPhone. But it's bubbled to the surface since then, most notably in March of last year, when British officials found a final message sent by killer Khalid Masood on the WhatsApp messaging service sent just before he began a London rampage that killed four people.

Despite its having been encrypted, officials later were able to access it through the use of what they termed both human and technical intelligence. It turned out to be a declaration that Massod was waging jihad in revenge against Western military actions in Muslim countries.

Two groups this week say they have a solution.

The EastWest Institute, a New York-based security think tank, has produced a report offering nine points that encourage governments to allow the use of strong encryption while creating a legal framework for authorized law enforcement to access the plain text of encrypted data in limited cases.

It's being presented Friday at the Munich Security Conference in Germany.

At the same time, the National Academies of Science is releasing a report on encryption that lays out the broad issues that must be addressed by businesses and lawmakers .

The EWI report calls on both sides to give and get a little. Governments should accept that strong encryption is important and stop trying to undermine it. But at the same time, companies need to allow for legitimate government requests for access to the keys that lock that information. Those requested must be limited and have to go through open judicial processes to ensure accountability

While by no means the first reports on the topic, the two coming together could signal a willingness for all sides to find a workable way forward as incidents of cyber attack and terrorism increase worldwide.

What is decided will have influence far beyond our borders because the U.S. has long served as a role model to Europe in encryption policy, said David O’Brien, a senior researcher at the Berkman Klein Center for Internet and Society at Harvard University.

At issue is how to find a balance between the competing needs for both privacy and security: Do we weaken the technology or do we make law enforcement more powerful?

“We want to have the ability to frustrate terrorists and criminals, but we also want to make sure that day-to-day our most precious data, whether it’s financial or health care or business, is protected through encryption,” said Michael Chertoff, executive chairman of The Chertoff Group, a security consulting company, and secretary of Homeland Security from 2005 to 2009.

Intelligence officials are very aware of the moving target that technology presents. Department of Homeland Security Secretary Kirstjen Nielsen spoke at a conference on terrorism prevention this week in Palo Alto, Calif.

“By its very nature what technology can make faster, better smarter can also be used by those who want to do us harm to do it faster, better, smarter,” said Nielsen.

a man and a woman looking at the camera: Kirstjen Nielsen testifies Nov. 8, 2017, before the Senate Homeland Security and Governmental Affairs Committee on her nomination to be secretary of the Department of Homeland Security.
© Michael Reynolds, EPA-EFE Kirstjen Nielsen testifies Nov. 8, 2017, before the Senate Homeland Security and Governmental Affairs Committee on her nomination to be secretary of the Department of Homeland Security.
Security versus privacy
The debate plays out in the real world every day.

Just this month Seattle spent $150,000 to take down a $3.6 million wireless mesh network in its downtown that involved dozens of surveillance cameras and 158 wireless access points. The network was built as a public safety device and to allow first responder communication during emergencies. But critics called it an apparatus for state surveillance because of its potential to track every wireless device in the area.

Installed in 2013, privacy concerns kept it from being activated while city officials tried to come up with an acceptable privacy policy. They were unable to do so and so it’s being torn out without ever having been turned out.

And still sharp in both sides' minds is the 43 day legal battle between Apple and the Department of Justice in 2016 over an order from a federal judge requiring the company to help the FBI try to get into a locked iPhone used by San Bernardino gunman Syed Rizwan Farook.

Apple refused, and the case only ended when the FBI paid a still-unknown vendor $900,000 to break into the phone.

Ironically, text messages sent between two FBI agents that were released as part of the investigation into the FBI handling of the Hillary Clinton probe appear to show the pair denigrating Apple for its refusal to unlock the phone at the same time they were taking advantage of the privacy offered by its iMessage app’s end-to-end encryption.

While the two reports aren’t expected to suddenly bring both sides to agreement , they at least create a place to start from, say observers.

“Encryption is one of those issues where there’s no perfect solution. But you’ve got to start somewhere,” said Jim Dempsey, executive director of the University Berkeley Center for Law and Technology at the University of California-Berkeley.

"It’s about choosing solutions where the upside somehow outweighs the downside,” he said.

Encryption is encryption. No back doors and no f*cking bulsh*t.