The issue on the table: government mandated backdoors for encrypted communications. This issue has been simmering for a while, but I had largely assumed it would never come to boil: the arguments against backdoors seemed too strong. But a recent statement by the President suggested that his policy on this issue may be shifting, potentially favoring backdoors, which would make the details of this debate much more relevant. The broad strokes are familiar: mandatory backdoors facilitate law enforcement, but weaken privacy and security. Yet encryption has always occupied a bit of a grey area in the perennial privacy vs. security debate, so I thought I’d explore encryption through the less explored lens of the Second Amendment, another hot-button topic right now.
To start, I think it is important to have at least a rudimentary understanding of encryption. Put simply, encryption is talking in code. While “talking in code” may be simple, like replacing each letter with the next letter in the alphabet, (so “drugs” becomes “esvht”), encryption refers specifically to “talking in code” that requires a “key.” This “key” is just an extremely long number used to scramble your message with some fancy math, but the takeaway is that the key is required to encrypt/decrypt the message. No matter who sees your encoded message, without the key, they won’t be able to understand it. (They can try guessing your key, but there are a lot of potential keys.) The public debate around encryption largely asks who all should get a key. “End-to-end” encryption means only you and the person you are talking to get keys; the “backdoors” sought by the government are that the intermediary (e.g. Apple) also maintain a key, available on demand.
Encryption gets much more complicated, but at its heart, it is just math. And perhaps more fundamentally, encrypted speech is still speech. As such, the First Amendment arguments for a private right to use end-to-end encryption are very strong, so much so that I’d say the issue isn’t up for debate. First Amendment doctrines like vagueness and overbreadth are extremely strong, and would be extremely difficult to overcome. So the government’s options seem pretty limited: they can’t legislate new laws of mathematics, and they can’t pass a law that says “talk so we understand you.” Encryption looks poised to win, no?
But the question really isn’t if you can use encryption: you can. The question is will you use encryption? Most people don’t encrypt unilaterally, so the settings of major apps like iMessage will govern how the vast majority of people treat their communications. Even though open-source end-to-end encryption programs are freely available, people simply don’t use them. So the discussion shouldn’t focus on your right to use end-to-end encryption, but on the right of companies to sell end-to-end encryption. Because you may have a right to use it, but that doesn’t mean Apple can sell it to you.
A quick point about CALEA: although frequently brought up in these discussions, CALEA does not currently authorize requiring mandatory backdoors. The relevant section reads: “[a] telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.” The legislative history also confirms that CALEA was not intended to prevent implementation of end-to-end encryption.
Which brings me to . . .
The Second Amendment? Really?
Yes . . . potentially. Whether the Second Amendment applies to encryption has never been directly addressed, but there are strong arguments to support its inclusion in the right to “keep and bear arms.” The Supreme Court in District of Columbia v. Heller cited definitions of “arms” that included “armour of defence” and “any thing that a man wears for his defence,” (they were old dictionaries), suggesting at a minimum that the Second Amendment extends to defensive technologies; the US government historically classified high-grade encryption software as a munition, and still imposes export restrictions and arms dealer status for sufficiently powerful software; and the two primary Second Amendment justifications – self-defense and the militia as a check on the federal government – are both furthered by a private right to encryption. (And as a bonus, several founding fathers, most notably Thomas Jefferson, were ardent cryptographers.)
And perhaps most importantly, the Second Amendment progresses with the times, and thus does not extend exclusively to muskets and other 18th century “arms.” While typically applied to handguns and other modern firearms, encryption too could be considered among the most important “arms” of the modern age. Communications security is of the utmost importance in military and national security networks, and would undoubtedly be fundamental to any “well regulated militia.” Even for the lay user, encryption is among our primary defenses against identity theft, cyberattacks, and other malicious activities online. While a home intruder is the much more viscerally frightening hypothetical, statistically speaking, the most likely intruders to your home will be through your computers.
A Right to Buy?
But whether the Second Amendment applies to encryption is only half of the battle; after all, I’ve already said that the First Amendment argument protecting the use of encryption is very strong. But where the Second Amendment may prove more useful is in the sale of encryption technologies, an issue more familiar in the Second Amendment context.
I trust we are all familiar with the operative language of the Second Amendment: the right to “keep and bear arms.” Lawyerly types may notice that “keep and bear” doesn’t necessarily include “buy and sell.” Could the government ban the purchase or sale of all guns, leaving the possession (“keeping and bearing”) decriminalized? No. The standard framework for assessing these questions is twofold: (1) assess whether the law burdens core Second Amendment protections, and (2) apply the appropriate level of scrutiny: “strict scrutiny” for core protections, “intermediate scrutiny” for less core protections. Being able to purchase guns is generally considered pretty core to the Second Amendment; holding otherwise would be an end-run around the Second Amendment.
Looking at the cases regulating the sale of weapons, the most common are for the sale of assault weapons and large magazines. While often couched in the two-part inquiry listed above, the analysis tends to blur together, claiming that these types of weapons fall under a “dangerous or unusual” exception articulated in Heller, or that they have “no legitimate use as self-defense weapons” (recalling the Supreme Court’s identification of “self-defense in the home” as the primary purpose of the Second Amendment). This is effectively arguing that these weapons are not part of the core protections of the Second Amendment, and therefore warrant only intermediate scrutiny (i.e. are reasonably fitted to a substantial government interest). Alternatively, restrictions imposed on handguns, widely accepted as core to the Second Amendment, have nonetheless been satisfied for things like serial number tracking, as courts have found that these restrictions satisfy strict scrutiny (i.e. are narrowly tailored to meet a compelling government interest.)
While these laws regulate firearms at the sale level, they could equally be imposed at the possession level, so it is unclear if they identify any sale-specific principles. The same can be said for restrictions on the sale to minors and felons, both of which can also be constitutionally restricted from possessing guns. The only restrictions relating purely to the sale of guns are procedural details, like city zoning ordinances and registration requirements. While this may suggest that a right to possess infers a right to buy, no court has gone this far, preferring a case-by-case approach. And none of these issues has been addressed by the Supreme Court.
As such, applying this framework to encryption is uncertain. You could theoretically hold that the Second Amendment protects some encryption technologies, but not end-to-end encryption, much like you have a right to buy a handgun, but not more dangerous weapons. While claiming that end-to-end encryption is “dangerous or unusual,” or has “no legitimate use for self-defense” are both dubious arguments, they aren’t unthinkable. It may also be that encryption generally is core to the Second Amendment, but that the government has satisfied strict scrutiny, and that imposing mandatory backdoors is narrowly tailored to meet a compelling government interest (akin to serial number requirements for handguns).
Ultimately, however, I think the strongest argument against mandatory backdoors is purely practical. Even if the standard is intermediate scrutiny, restricting access to end-to-end encryption can’t be said to be a “reasonable fit” for facilitating law enforcement, because savvy criminals will always have access to strong end-to-end encryption through other legal means. As I said from the beginning, the right to use encryption is still strong. This policy would therefore only assist in catching dumb criminals, something that hopefully wouldn’t be particularly challenging anyways. But caught in its wake would be the privacy and security of the majority of innocent internet users across the country. This overinclusivity makes surviving any level of scrutiny above rational basis unlikely.
Yet the ease of obtaining end-to-end encryption in spite of mandatory backdoors may also work against any individualized challenges at the sale level, as the connection between purchasing and using encryption wouldn’t be as strong as it is for firearms. Restricting the right to buy a gun is closely tied with the right to possess a gun, because buying a gun is the only legal way to get one. But with encryption, anyone can download Tor, or look up the source code for OpenPGP, or even just rely on basic cryptographic principles to write their own code. Without this strong tie between possession and purchasing, maybe purchasing encryption wouldn’t be viewed as particularly important, weakening challenges on those grounds. It might be bad policy, but that doesn’t make it unconstitutional.
The Keyboard is Mightier than the Sword
As I mentioned from the outset, encryption has always occupied a strange place in our laws, largely because it exists somewhere between pure speech and “information weapons.” While not as impactful as a computer virus, encryption is at once an abstract idea (clearly First Amendment protected) while also being able to cause real-world consequences that might warrant greater restriction. This fusion of historically separate ideas has fundamentally challenged our understanding of the First Amendment, leading to bizarre legal outcomes: for high-power encryption, publishing source code in a book is fully protected speech; publishing it on a CD-ROM is not. The rationale is simple, but worrisome: publishing source code in a machine-readable format makes it too easy to use.
Yet this allision of speech that is expressive into speech that is harmful nicely mirrors the Constitutional progression from the First to the Second Amendment, and maybe encryption fits in that intersection. Considering the amount of doublethink currently employed for regulating encryption, providing a Second Amendment right to “keep and bear” certain cyber-arms would simplify the framework significantly. While many cyber-arms would certainly be sufficiently “dangerous or unusual” to warrant exclusion, providing a Second Amendment right to purely defensive technologies like encryption would be a logical progression in a digital age.
Rather ironically, however, I don’t think privacy or cybersecurity will be the determinative factor in this debate. (I’d argue that the extent to which backdoors actually compromise cybersecurity is exaggerated.) Rather, I think the most important consideration is the significant backlash mandatory backdoors would receive internationally, as foreign nations are increasingly unwilling to purchase technologies that are susceptible to US surveillance. The fallout from the Snowden disclosures has already led to a greater reliance on non-US tech by foreign nations, stemming in part from a fear of secret backdoors. Making those backdoors explicit would just confirm their fears, and the economic repercussions simply cannot make up for any utility the policy may have. As such, I suspect the strongest force against mandatory backdoors is not the Constitution, but the unified voice of the US tech sector.
But I do think that the encryption debate is foreshadowing much harder discussions that are soon to come. As information becomes increasingly valuable and increasingly dangerous, our policies around the free flow of information are likely to become increasingly strict. Balancing the real concerns these new forms of information present with our historic freedom of information will prove to be uniquely challenging. But I’ll save those discussions for another day.
Until next time.