Testimony before the Senate Judiciary Subcommitteeon the Constitution, Federalism and Property Rights prepared by Richard A. Epstein on behalf of the Americans for Computer Privacy.
The issues before the Subcommittee raise the inescapable tension between two sets of vital concerns, both of which deserve constitutional recognition. On the one hand lies the need of all Americans to preserve privacy and confidentiality of information essential to their personal lives and their professional businesses. No one can doubt the huge volume of sensitive information that travels across the internet-medical records, financial information, trade secrets, intellectual property. The immense value of that information will be compromised or lost if allowed to fall into the wrong hands. Yet by the same token, no one can doubt the legitimate needs of law enforcement officials at the federal, state and local levels to monitor the high tech criminal activities that threaten the security of this nation, the liberty of the citizens within it, and the security and safety of the property they own. It would be irresponsible to offer testimony before this Committee that slights the strength and validity of either interest.
Acknowledging the importance of both ends sets the stage for analyzing the current controversy: legislative proposals that mandate, often through some form of a key escrow or key recovery system, mandatory government access to private encryption of sensitive information. With weighty interests on both sides, the proper accommodation all boils down to a single set of relevant considerations. What are the costs and benefits of the various systems that step up public surveillance over private information transmitted over the internet? To see why, just consider for a moment the position of private users of the internet if they knew to a certainty that the present proposals for mandatory government access were foolproof, that is, that they always worked only as intended. Given that assumption, government law enforcement agencies would only obtain private encrypted information when able to show probable cause that the information would assist them in detecting, preventing or solving a crime. The information in question would be strictly limited to these purposes. This fail-safe system could never be misused by public authorities; and the creation of the trap door method of entry into the system would never compromise to the slightest degree the ability of strong encryption to keep its messages from fanatical terrorists, criminal elements, computer hackers, rogue governments or other undesirables who wanted to seize it for their own advantage. Finally, all the governments of the world could adopt this fail-safe system as well as the protections for individual privacy guaranteed by the Fourth Amendment. Satisfy these strict conditions, then every private firm that now strongly opposes the many variations for mandatory public access to encrypted information might testify on behalf of the proposal. They would benefit from the increased security obtained from superior law enforcement efforts, and they would experience no diminution in the security and efficacy of their private telecommunications. The world would be devoid of nettlesome trade-offs, and delicate risk calculations.
But these companies have formed a massive alliance to protest the proposals of the Clinton Administration, the Department of Justice and the Federal Bureau of Investigation to introduce any system of mandatory access into every private communication made over the internet. It is not that these companies are opposed in principle to vigorous criminal law enforcement that protects the sensitive personal information and trade secrets of their own businesses and their millions of customers. It is because they reject this optimistic scenario on both practical and theoretical grounds.
Practically, they insist that the advanced technology needed to operate a system of key recovery on a massive scale is not available; theoretically, they believe that advances in computer technology alone will never be able to overcome the inherent risks associated with the operations of this system no matter how many design safeguards the federal government seeks to build into the system. It is clear, almost as a matter of first principle, that the more complex a system of transmission of encrypted information must be, in serving multiple ends, the greater the likelihood its design will compromise its ability to achieve it stated mission-the secure transmission of sensitive information over the internet. Technical complexity does more than increase the costs of transmission: it also creates weaknesses in structure that can be exploited by the very criminal parties whose activities the government wishes to curtail by its mandatory access programs. The technical report of the Ad Hoc Group of Cryptographers and Computer Scientists, The Risks of Key Recovery, Key Escrow, and Trusted Third party Encryption (May, 1997) demonstrates this conclusion beyond any shadow of a doubt. Any trap door system increases the risk that someone else will be able to find, duplicate or manufacture the key to the encrypted information. The trap door places enormous operational trust in personal security systems that government officials must develop to handle massive amounts of data and billions of separate keys. That logistical key-control center exposes the entire system to the risk of a common-mode failure which in turn becomes the obvious target point for terrorist and criminal elements: blackmail, deception, impersonation can all be focused on a single known end. No complex administrative program advances only its stated ends. Each creates unwanted incentives that set in motion complex forces that are only imperfectly perceived when the program is first introduced. Social theorists often warn of the unintended (and counterproductive) consequences of purposive action. That warning must be heeded here. Lawful individuals and firms will be trapped by Byzantine requirements, imperfectly executed; criminal and terrorist elements will hone in on ways to evade or subvert the complex structures at hand.
What is so distressing about the current hearings is that high law enforcement officials are so inattentive to the specific objections raised against the programs of mandatory access that they refuse to acknowledge the risks their own initiative creates. The letter of Attorney General Reno, FBI director Freeh and six other high criminal law enforcement officials in the Clinton administration to members of Congress on July 18, 1997 embodies this unsound approach. The letter notes:
As we move from the plaintext world to an encrypted one, we have a critical choice to make: we can either (1) choose robust, unbreakable encryption that protects commerce and privacy but gives criminals a powerful new weapon, or (2) choose robust, unbreakable encryption that protects commerce and privacy and gives law enforcement the ability to protect public safety. (Emphasis added.)
With respect, the choices offered miss the entire point. As stated, the letter assumes that a system of perfect enforcement can be implemented; how else could it be said (1) that strong encryption without mandatory access only protects criminals but confers no additional advantage on the private individuals and firms that use it, and (2) that the system of encryption with mandatory access remains “robust and unbreakable” when every known expert in the area stresses the heightened vulnerabilities to which this system exposes its users. Any candid analysis of the tradeoffs must recognize that a system of robust, unbreakable encryption also reduces the targets for criminal and terrorist activities and thus their rate of occurrence. Any accurate overall assessment must also recognize that any key escrow system compromises, perhaps fatally, what would otherwise be a robust and unbreakable system of encryption. It is perfectly proper for the Attorney General, the Director of the FBI and their key law enforcement officials to point out the advantages of the system they champion. It is wholly improper for them to pretend that it contains no real disadvantages. The proper choice between difficult alternatives is not advanced by any communication that pretends that the relevant trade-offs simply do not exist.
The Constitutional Implications: Thus far I have stressed the practical and operational risks inherent in any system of mandatory access. I believe that this background information not only goes to the legislative wisdom of the Clinton Administration proposals but also to both its constitutionality and impact on property rights. It would be idle for any opponent to mandatory key access to claim before this Subcommittee the fatal nature of the many constitutional objections lodged against the proposed legislation. The complex nature of the legal issues mirrors the complexity of the technical problems of implementation. The most that can be claimed in the absence of authoritative determinations by our Supreme Court is that the proposed statute travels on a collision course with many of the guarantees of individual liberty found in our Constitution. I think that it is the obligation of this Committee to make its own independent assessment of these constitutional objections before deciding whether or not to recommend the passage of any legislation that contains the mandatory access provisions sought by the Clinton Administration and the Department of Justice. In so doing, I believe that it is perfectly proper for this Committee to refuse to recommend passage of the legislation if it finds these Constitutional objections severe and weighty even if it is uncertain whether the Supreme Court would be certain to strike that legislation down. It is in that spirit that I shall examine the proposed legislation against two vital Constitutional guarantees: the fourth amendment’s protection against unreasonable searches and seizures, and the fifth amendment’s protection against the taking of private property without just compensation.
Unreasonable Searches and Seizures: The Fourth Amendment reads:
The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.
The jurisprudence on this clause has been vast, both in the courts and outside, but a few salient features of the clause deserve special mention. First, the coverage of the amendment extends to all the “people,” and thus is directed toward the comprehensive form of government activity contemplated by all mandatory access programs. Linguistically, the coverage of “persons, houses, papers and effects” does not capture perfectly the nuances of the information age, but it takes very little tugging to see their contemporary relevance. In particular, “papers” are protected not because they are blank, but because of the sensitive information they contain. These records and information do not lose their protection because they are stored digitally or transferred electronically, only to regain that protection when printed out in hard copy. The Supreme Court had no difficulty in deciding that telephone calls and private conversations could not be tapped and overheard without regard to the requirements of the fourth amendment, and the same logic surely applies to the electronic information involved in this area.
A similar approach should be taken to the question of whether the imposition of an mandatory access program should be regarded as a search or seizure within the meaning of the fourth amendment. The precise question has not been answered by current Supreme Court law, but its case law provides us with some clues as to the proper direction of the analysis. The constitutional protection against searches and seizures is not limited solely to the protection against government trespasses, although these are always included. Rather, the protection extends as well to a reasonable zone of privacy that also protects individuals from some nontrespassory forms of snooping. Here it is sometimes said that all individuals are entitled to a reasonable expectation of privacy, which is fine so far as it goes, but should never be construed to allow the government to dash all expectations of privacy by announcing in advance its intended program of state surveillance. The term “reasonable expectations” is meant to serve as a further barrier to government intrusions of all sought. These expectations cannot be defeated by the facile observation that so long as one knows that the government is about to snoop, then no one has any reasonable expectation of privacy. Rather the right way to look at expectations is to note that the Constitution insures the protection of a reasonable zone of privacy even against the determined efforts of government to undermine it.
With that said, the cases here do raise some difficult issues of principle that are not fully resolved under the case law. Thus far the litigated cases have all involved situations where the government has gained information at the same time that it has been taken from its owner. A recovery key system, however, does not take things from the private citizen and give them to the government. Rather it sets the stage for their easy transfer at some other time, either with or without a warrant. In dealing with the protection of individual liberties, I believe that constitutional guarantees are triggered by what the individual citizen has lost. The escrowed key was taken at the direction of the government and put into the hands of an agent of its own choosing. If the same thing were done with a second key to a safe or a front door, could it be said with a straight face that the government had not “seized” the key from its owner simply because it did not rummage through his papers? And once the key is seized, could one deny that it has compromised the integrity of that safe or house?
I take it as beyond question that the surrender of the escrow key surely compromises the integrity of its owner’s sensitive information. That surrender also makes it easier for the government to gain actual possession of that information at some later date, especially since a government official can turn the escrow key in the computer lock without the knowledge or cooperation of the individual whose information is being gathered. A key that is taken for one purpose may easily be used for another. Indeed if the information is never introduced as evidence in court, the invasion of privacy could take place free not only of judicial sanction but even of judicial knowledge. Under these circumstances it seems idle to say that the fourth amendment does not apply because government has not taken the individual’s papers or effects. I think that the protections of the fourth amendment are triggered when government action takes the key and compromises the natural defenses that ordinary owners have, just as it would be triggered if the government were authorized to place hidden microphones in every telephone, microphones that could be turned on only with the assistance of some responsible third party.
The next question is whether this seizure of the escrow key should be regarded as unreasonable under the fourth amendment. Here the government puts forward only generalized concerns with international terrorism or organized crime to justify its massive invasions. Yet it must concede that the number of actual transmissions which it is entitled to intercept constitutes only a minuscule fraction of those to which it gains potential access. The insecurity of the mandatory access program, however, ripples through each and every transaction for which the government receives its hidden key, so that the government faces a heavy burden to explain why that initial seizure should be regarded as reasonable. In this case, it can get no help from the warrant requirement, for the generalized insistence on mandatory access does not remotely demonstrate any “probable cause” of criminal activity. Nor could any warrant possibly issue for receiving such a key in the absence of any particular description of the transmissions that will be intercepted.
The entire system of preestablished key recovery reads like an indirect evasion of the individual safeguards normally afforded under the fourth amendment. The system introduces a massive system of potential surveillance. It cuts out the notice and knock provisions that must be satisfied before a warrant could be executed. It vests vast powers in third-party agents who have neither the incentive nor knowledge to contest any government intrusion. It presupposes uniform good faith by public officials and overlooks the major costs of even a tiny number of official misdeeds or mistakes. The proposed mandatory access system should be condemned therefore “as an unreasonable search and seizure.” The Senate should not give its blessing to a scheme of such dubious constitutionality. Instead it should encourage law enforcement agencies to adopt other methods of investigation and surveillance, and to enter into cooperative agreements with major firms in the internet business to expedite the request for information when the more exacting warrant requirements are met.
Fifth Amendment Takings At this point, I think that it is also appropriate to express my concerns in another area: should the government have to pay compensation to those persons whose confidential information has been compromised by leaks from government sources? The relevant text in this context is of course the fifth amendment protection against takings which reads in full:
Nor shall private property be taken for public use, without just compensation.
The command of the fifth amendment is best analyzed as though initially it raises ordinary questions of tort and property law. The government insists upon the receipt of certain keys for its own benefit. It is therefore as though the government were the bailee of these keys, for its own use. The law of bailments has long dealt with the allocation of the risk of loss when property bailed is stolen or lost. Those analogies help inform the constitutional inquiry into the law of takings.
Initially, let us suppose that some third party steals a key from the government and uses it to unlock information that causes great private loss. Everyone agrees that the third party should in principle be subject to criminal and civil sanctions, assuming that he could be apprehended. But the law is equally clear that the party who received the key – its cyberspace bailee – may frequently be found liable when apprehension of that third party is not possible. And no cases ever hold that the deliberate actions of a third party necessarily insulate the bailee from liability for its antecedent conduct: the tort law generally has routinely acknowledged that more than one party could be a proximate cause of a given plaintiff’s property damage.
Just that analysis applies here. The law of bailments often apportions the risk of liability in accordance with the pattern of benefits derived from the bailment relationship. In this case the transaction is done over the objection of the private party and without its consent: the benefit is for the public at large, and the risk is to the private party. Under those circumstances, traditional common law doctrine places the risk of loss from third party interventions squarely on the bailee (here the government) whose actions has increased the risk or hazard of the bailor’s (here the individual or firm’s) loss by its own conduct for its own advantage. The standard always holds the government liable for ordinary negligence, and for routine cases of theft or loss may impose strict liability as well. But by no stretch of the imagination does the private law confer total immunity for all misconduct on the bailee.
In looking over these various draft bills, all of them deny private parties any recourse for liability against the government on the one hand or the third party escrow agents on the other. This sheer assertion of public will does not of course make the losses disappear; and it will encourage the government officials to overuse and underprotect its own key system since the government receives total immunity from the financial (let alone social) consequences for the damaging loss of commercial and personal information that could easily take place.
It is, moreover, a fair question to ask whether the government’s effort to insulate itself from the consequences of its own actions generates potential liability under the takings clause: the government has taken the key and compromised the contents of the files: why insulate it from the loss that it concentrates on some particular individuals for the benefit of the public at large? To be sure, the government may raise a number of technical legal defenses on its own behalf. It may argue that it has not taken the information in question when the improper disclosure is directly done by a third party, and thus take refuge behind a highly restrictive reading of the takings clause. The government takes a key that operates a dam and places it in the hands of a third party. The key is stolen, the dam is opened, and a citizen’s land is flooded. Should the government be entitled to deny that it has taken property when it is clearly liable under ordinary tort law for the property interests it has compromised or destroyed? Should the government claim that the disclosure of confidential information only amounts to a tort and not a taking when no one has been able to articulate clearly the line between the two? Should the government be entitled to invoke the doctrine of sovereign immunity where its necessity for action rests not on some identified imminent peril or danger, but only on some undifferentiated concern about crime and terrorism not tied to the transaction at hand?
The losses inflicted by government action are real and palpable even if these technical defenses should persuade a court not to require compensation for the private losses of these public programs. But one central purpose of a constitution is to restrain the excessive powers of government, and that is hardly done by immunizing it from liabilities that have long been applied to private persons whose own exposure to risk should, if anything, be less than the governments. (After all, no private party can compel someone else to turn over a back door key for their personal use.) A strong case could be made that the takings clause should in principle apply to deprivations of property brought about by the loss or theft of the government key. It is far from self-evident that the Supreme Court will reject that position when the full risks of the mandatory access program are made apparent to it. It is also clear that this Committee, with its special concern with property rights generally, should scrutinize the constitutional, legal and moral power of the property claims that stand in the way of the current government initiative.
Unconstitutional conditions Thus far I have examined the desirability and constitutionality of direct government proposals to regulate the use of electronic transmissions. A more complete analysis must also take note, however, of the indirect forms of regulation available to the state. The government is an omnivorous user of electronic transmissions. It deals extensively with all sorts of private parties on a direct contractual basis. One concern is that it might seek to impose these conditions by executive order as part of its ongoing contractual relations with major suppliers of internet and electronic services.
In many cases the imposition of conditions under grants or contracts is a routine part of any transaction. Thus no one questions that the government is entitled to specify the quality and quantity of services demanded, the terms of payment, and the time and conditions of its delivery. But just as private parties may from time to time use their power to improperly advance their position in collateral markets, so too government may use its power to extend its influence into ordinary spheres. The federal government has exclusive control over the interstate highway system, and yet no one thinks that it can condition the access of drivers to that system on their willingness to abandon their fourth or fifth amendment rights in unrelated contexts. So it is that it would be wholly inappropriate for the government to stipulate that it would not do business with any firm that refuses in its unrelated transactions to adopt a system of escrowed key recovery.
This possible restriction of strong encryption not only places ordinary individuals and firms at risk, but it also threatens to undermine the appropriate division of labor between the separate and equal branches of government. The question of mandatory access to private communication or electronic transmission is too vexing and controversial to be solved by executive order. It should command the anxious attention of Congress so that any proposal goes through the full deliberative process before its possible adoption. An executive order should be discouraged not only because of its adverse consequences on individual rights, but also because of the threat it poses to the structural safeguards found in our basic constitutional structure.
Export Controls. Last I should mention a few words about the use of export controls as a device to limit the manufacture and deployment of strong encryption devices. In the short run these are likely to inhibit the proliferation of these devices, at least as long as the United States enjoys some technical advantages over the rest of the world. The impact of these restrictions, moreover, should be felt in domestic as well as foreign markets, given the reluctance of domestic producers to make different products to serve different portions of what is ultimately a global market in internet and communications services.
Yet the protection afforded by export controls promises to be short-lived at best. The efforts of the United States to get other nations to go along with its mandatory access programs have failed (ironically even in nations that have no entrenched constitutional provisions). If the United States cannot export its technology to the world, then talent will flow to those nations free of the restrictions that limit United States producers. In the long run, leadership in technology will follow freedom to innovate, so that strong encryption devices will be available throughout the world. Our own futile effort to prevent the spread of these devices will only result in the erosion of our leadership in a potentially booming field of industrial growth. The strategy will be self-defeating in the end.
Conclusion In making these observations, I want to be perfectly clear that the recognition of constitutional protections always comes at some cost. It could well be in some given situation, the adoption of the mandatory access regime proposed by the Clinton Administration could outperform a technology world in which private parties may continue to use strong encryption devices as they see fit. But the issue before this Committee, and before the nation, should not be decided with reference to a single scenario without reference to other possibilities that seem more likely. A mandatory access provision may also allow foreign terrorists or organized crime to sabotage the very communications system that the mandatory access provisions are designed to protect.
We live in a world with great potential; but it is also a world of great risks. We must do the best that we can to minimize the risks. But that requires us to consider the scenarios in which government regulation does harm as well as those in which it does good, and to make the best and most responsible decision that we can on the strength of all available information. On matters such as these it is difficult to separate the constitutional from the practical considerations, and at this stage in the inquiry, it is far from clear that we should make that separation at all. The various proposals before this Committee on mandatory key access pose far more risks than they eliminate. The proposal should therefore be rejected both for the risks that it creates for private transmissions of electronic information, and for the dangers that it poses to the constitutional protections for individual liberty that have long helped to keep this nation both free and strong.