The Key to Lawful Access: An Analysis of the Alternatives Offered in the Encryption Debate

pdf icon - download pdf

William Mack


This thesis examines the encryption debate in which law enforcement and the U.S. Intelligence Community (IC) face a lawful access challenge, smartphones and messaging applications inaccessible because of encryption, even when court-issued search warrants and wiretap orders have been approved by a judge.[1] Computer scientists, cryptographers, technology companies, and privacy advocates have all written extensively on the need for strong encryption while warning that any mandate that allows for lawful access by the government leaves important data vulnerable to exploitation by adversaries, criminals, and corrupt officials. Many have proposed alternative options for law enforcement and the IC on which to rely. These alternatives are analyzed in this paper for their viability as policy options in place of mandated lawful access.

Government agencies have sounded an alarm for years that terrorists, child pornographers, and other criminals are benefitting from encryption. The San Bernardino attacks in 2015, where a married couple shot and killed 11 people, brought the encryption debate into the spotlight.[2] Only two years prior, the Snowden disclosures sparked mass surveillance concerns causing a breach of the public’s trust in corporations and the government to protect Americans’ personal information. The result has been default encryption as a de facto commercial standard; impenetrable security protocols are incorporated into applications and devices, designed to keep all, even the developers and manufacturers, from being able to access encrypted data.

End-to-end encryption makes data passed between users of mobile messaging applications unreadable by anyone intercepting it, including the application makers. Law enforcement thus cannot access these communications despite having a wiretap order. Statistics compiled by the Administrative Office of the United States Courts indicates that law enforcement encounters with encrypted data in motion that could not be deciphered more than doubled between 2018 and 2019.[3]

In addition, law enforcement is encountering data at rest on mobile devices, like an iPhone used by one of the San Bernardino shooters, which is also inaccessible. This issue affects all levels of law enforcement including local, state, and federal agencies. Devices that may hold a plethora of important evidence like contact lists, photos, and journals are impenetrable because device and operating systems feature default settings that only decrypt a device’s data when the correct passcode is entered. This feature leaves evidence unrecoverable and intelligence uncollected.

Law enforcement identified this issue long before San Bernardino, while encryption was much less widespread. Various solutions were proposed, including a device called the Clipper Chip that would have given law enforcement the ability to intercept and read encrypted communications. Privacy advocates vocally opposed this capability, sparking the “Crypto Wars” of the 1990s.[4] This chip was eventually found to be defective but it laid the foundation for today’s ongoing debate.[5] Now, law enforcement calls for lawful access without offering a specific technical solution itself, preferring to consign that to the individual technology companies, each with their own platforms.[6] The most relevant legislation related to the encryption debate is the Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications carriers be able to decrypt or facilitate the decryption of data that has been encrypted by a carrier’s customers unless the carrier encrypted the data and can thus decrypt it itself.[7] CALEA ensures that law enforcement agencies can intercept communications in an evolving technological environment, but the Act does not apply to many of the types of companies today that provide messaging applications that use end-to-end encryption.[8] Congress expanded CALEA in 2004 to include some internet communications services, but not the applications using end-to-end encryption that have become popular in recent years.[9] No legislation currently addresses lawful access for encrypted smartphones.

The literature on the encryption debate often asserts that the government should seek other options for obtaining the information it needs instead of mandating lawful access. Lawful hacking is one such option, when law enforcement and intelligence agencies exploit vulnerabilities to defeat encryption and access data in a readable format. Literature on the subject argues that lawful hacking is an adequate balance between the two sides of the encryption debate. However, when analyzed in the context of case studies of counterterrorism and criminal investigation, it falls short because of its unreliability in accessing data and its infeasibility in implementing the method across U.S. police agencies.

Other alternatives also fall short. Metadata, or data about data, also fails to replace lawful access adequately since it does not reveal the important content of communications, specifically, valuable evidence in criminal investigations and actionable intelligence in counterterrorism pursuits. Compelling users to disclose passcodes of devices permitting access is unusable in instances where users are not present to unlock a device. In addition, the courts have not settled on the implications for civil rights. Accessing backup data in the cloud is also inadequate as it is easily avoided by nefarious actors and must often be affirmatively engaged to back up devices fully. While all these alternatives are in use today by law enforcement, they not meet the needs of public safety and homeland security agencies, even if viewed in unison.

This thesis analyzes these alternatives using several case studies to illustrate both the importance of accessing often-encrypted data, and the frustrations that come when important evidence cannot be accessed. These case studies include an Islamic State of Iraq and Syria (ISIS) recruiter who used an encrypted messaging application to communicate with plotters, a subject that received child pornography via the internet, and a member of the Saudi Arabian military who attacked sailors at a Florida naval base and whose phone was encrypted. The case studies presented in this thesis aid in analyzing the viability of alternatives to lawful access.

This thesis finds that the need for lawful access for law enforcement and intelligence agencies is legitimate. Alternatives presented by experts involved in the debate on encryption are unable to meet that need. Without further action, this debate will continue and law enforcement and intelligence agencies w

[1] “The Lawful Access Challenge,” Federal Bureau of Investigation, accessed August 6, 2020,

[2] Zusha Elinson and Dan Frosch, “San Bernardino Shooting: How the Carnage Unfolded; Witnesses Recount Horror, Suspense as Bursts of Gunfire Interrupted Office Party,” Wall Street Journal, December 4, 2015, sec. U.S.

[3] “Wiretap Report 2018,” Administrative Office of the United States Courts, last updated December 31, 2018,; “Wiretap Report 2019,” Administrative Office of the United States Courts, last updated December 31, 2019,

[4] Richard A. Spinello, Cyberethics: Morality and Law in Cyberspace, 6th ed. (Burlington, MA: Jones & Bartlett Learning, 2017), 219–21.

[5] Kristin M. Finklea, Encryption and the ‘Going Dark’ Debate, CRS Report No. R44481 (Washington, DC: Congressional Research Service, 2017), 14,

[6] Christopher Wray, “Finding a Way Forward on Lawful Access,” Federal Bureau of Investigation, October 4, 2019,

[7] James A. Lewis, Denise E. Zheng, and William A. Carter, The Effect of Encryption on Lawful Access to Communications and Data (Washington, DC: Center for Strategic and International Studies, 2017), 36,; Legal Information Institute, “Title 47 U.S. Code § 1002—Assistance Capability Requirements.”

[8] Lewis, Zheng, and Carter, 36.

[9] “OMB Approves CALEA Compliance Monitoring Report for Providers of Facilities-Based Broadband Internet Access and Interconnected VOIP Service; Reports Are Due February 12, 2007,” Federal Communications Commission, December 14, 2006,

No Comments

Post a Comment