Intense debate for over two decades has focused on the proper balance between privacy, security, and law enforcement access to the personal and confidential data and communications of individuals and entities stored on electronic devices with strong encryption. New authentication, storage, and encryption technologies on PCs, smartphones, and other computing devices can make it impossible for law enforcement to access encrypted data, even with a valid search warrant. The government asserts that this situation is undermining national security and has suggested that the software on computing devices should have a “backdoor” that would enable law enforcement access to encrypted data. Critics charge that these backdoors would provide a means for hackers to compromise the devices and steal sensitive and private data. If backdoors are built in for law enforcement, they will be available to everyone. Blunt backdoor instruments represent uncontrolled cybersecurity threats. This panel describes the current state of the encryption debate and the positions of the various stakeholders. It outlines existing federal, state, and global encryption requirements, and identifies the available technology options for the protection of personal and confidential communications, including encryption. Panelists examine approaches for how law enforcement can fulfill its broad responsibilities to conduct investigations under civil and criminal laws, and identify gaps if strong encryption is used. The panel assesses U.S. and global “lawful access” laws and technology proposals to strike a proper balance between the use of strong encryption and the need to protect the public interest and national security.
Joint Sponsor: ABA Science and Technology Law Section
Co-Sponsors: ABA Center for Public Interest Law, ABA Criminal Justice Section
Resources
- The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition
Limited Time: 20% off with ABACYBER20 - Keys Under Doormats Security Report | The MIT Press
- Bugs in our Pockets: The Risks of Client-Side Scanning | arXiv
- Listening In: Cybersecurity in an Insecure Age | Professor Susan Landau
- Rethinking Encryption | Lawfare Blog
- New Perspectives on the Future of Encryption | Lawfare Blog
- Moving the Encryption Policy Conversation Forward | Encryption Working Group of the Carnegie Endowment for International Peace
- Privacy on the Line: The Politics of Wiretapping and Encryption | The MIT Press
- How the Netherlands Is Taming Big Tech | The New York Times
- CRSJ Chair Chat with Susan Landau on Encryption
- ISO/IEC 10116:2017, Information technology — Security techniques — Modes of operation for an n-bit block cipher
- ISO/IEC 15408-1:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
- ISO/IEC 15408-2:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
- ISO/IEC 15408-3:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
- ISO/IEC 15408-4:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
- ISO/IEC 15408-5:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 5: Pre-defined packages of security requirements
- ISO/IEC 11770-1:2010, Information technology -- Security techniques -- Key management -- Part 1: Framework
- ISO/IEC PWI 17603, Confidential computing
- ISO/IEC 18033-3:2010, Information security — Security techniques — Encryption algorithms — Part 3: Block ciphers
- ISO/IEC 18045:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
- ISO/IEC 18367, Information technology — Security techniques — Cryptographic algorithms and security mechanisms conformance testing
- ISO/IEC 19790, Information technology – Security techniques – Security requirements for cryptographic modules
- ISO/IEC 19896 (all parts), IT security techniques — Competence requirements for information security testers and evaluators
- ISO/IEC 20540, Information technology — Security techniques — Testing cryptographic modules in their operational environment
- ISO/IEC 20543, Information technology — Security techniques — Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408
- ISO/IEC 20648, TLS specifications for storage systems
- ISO/IEC 24759, Information technology – Security techniques – Test requirements for cryptographic modules
- ISO/IEC 27040, Information technology – Security techniques – Storage security
- ANSI INCITS 462-2010: Information Technology - Fibre Channel - Backbone - 5 (FC-BB-5)
- NIST Federal Information Processing Standards (FIPS) Publications 140-3 (FIPS PUBS 140-3), Security Requirements for Cryptographic Modules
- NIST Federal Information Processing Standards (FIPS) Publications 180-4 (FIPS PUBS 180-4), Secure Hash Standard (SHS)
- NIST Federal Information Processing Standards (FIPS) Publications 197 (FIPS PUBS 197), Advanced Encryption Standards (AES)
- NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation
- NIST Special Publication (SP) 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
- NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- NIST Special Publication (SP) 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
- NIST Special Publication (SP) 800-57 Part 1-3, Recommendation for Key Management
- NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization
- NIST Special Publication (SP) 800-107, Recommendation for Applications Using Approved Hash Algorithms
- NIST Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths
- NIST Special Publication (SP) 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications
- NIST Special Publication (SP) 800-140, Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
- NIST Special Publication (SP) 800-140A, CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST Special Publication (SP) 800-140B, CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B
- NIST Special Publication (SP) 800-140C, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST Special Publication (SP) 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST Special Publication (SP) 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24579 Section 6.17
- NIST Special Publication (SP) 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST Special Publication (SP) 800-190, Application Container Security Guide
- NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes
- IEEE 1619-2018, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
- IEEE 1619.1-2018, IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices
- IEEE 1619.2-2021, IEEE Standard for Wide-Block Encryption for Shared Storage Media
- IEEE 2883-2022, IEEE Standard for Sanitizing Storage
- IETF RFC 1334, PPP Challenge Handshake Authentication Protocol (CHAP)
- IETF RFC 2246, The TLS Protocol Version 1.0
- IETF RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
- IETF RFC 2406, IP Encapsulating Security Payload (ESP)
- IETF RFC 2451, The ESP CBC-Mode Cipher Algorithms
- IETF RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode
- IETF RFC 3821, Fibre Channel Over TCP/IP (FCIP)
- IETF RFC 3723, Securing Block Storage Protocols over IP
- IETF RFC 4171, Internet Storage Name Service (iSNS)
- IETF RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1
- IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2
- IETF RFC 7143, Internet Small Computer System Interface (iSCSI) Protocol (Consolidated)
- IETF RFC 7144, Internet Small Computer System Interface (iSCSI) SCSI Features Update
- IETF RFC 7146, Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
- OASIS Key Management Interoperability Protocol Specification Version 2.1
- OASIS Key Management Interoperability Protocol Profiles Version 2.1
- Storage Networking Industry Association (SNIA), Storage Security: Fibre Channel Security, Draft
- Storage Networking Industry Association (SNIA), Storage Security: Sanitization
- National Security Agency (NSA) Cyber Security Directorate (CSD), Commercial Solutions for Classified (CSfC) Data-at-Rest (DAR) Capability Packages (CP), V5.0
- NVM Express Inc NVM Express™ Base Specification, Revision 2.0b, January 2022
- PCI-SIG PCIe Base Specification
- DMTF, Secure Protocol and Data Model (SPDM), Version 1.2
- Part 1: Zero Privacy Post-Dobbs? How the Threat Landscape Has Changed
- Part 3: Zero Sum Game? Developing a Winning Approach to Privacy and Security in an Age of Zero Trust
This webinar is part two of a three-part webinar series – Privacy in an Age of Zero Trust – presented by the American Bar Association (ABA) Civil Rights and Social Justice (CRSJ) and Science & Technology Law (SciTech) Sections that boldly explores digital threats to the right to privacy. This innovative and cross-disciplinary series brings together thought leaders, highlights best practices, and identifies next steps in an area where change is the only constant.
