Google Exec: Encryption Debate Lacks Evidence, On Both Sides

Apr 20, 2016
Originally published on April 20, 2016 1:27 pm

Like so much on Capitol Hill, the encryption debate is charged with feelings. Law enforcement asserts criminals are "going dark." Privacy advocates say, that's not true; we are in a "Golden Age of Surveillance." What's missing, according to a leading voice on security inside Google, is evidence.

"People are acting a lot from fear, on both sides of the debate, frankly," says Adrian Ludwig, who is in charge of security for Android, the most popular operating system in the world.

It's time for a conversation that is not based on "random stories," but rather "information," Ludwig says. And, he says, Google's Android unit is committed to contributing.

At a congressional hearing Tuesday, lawmakers took on encryption — the scrambling of digital data that makes it illegible without a key. The standoff between Apple and the FBI over the locked iPhone of one of the San Bernardino shooters has catapulted encryption technology into the public limelight.

According to Indiana State Police Capt. Charles Cohen, Apple's move to fully encrypt the iPhone, so that no one but the user could unlock it, has harmed police investigations, but hasn't really helped stop crimes.

"Essentially, what happened in this instance is Apple solved a problem that does not exist," Cohen told lawmakers at the hearing.

One way to measure the real-world value of encryption — beyond the protections it can offer journalists or activists against an unfriendly government, for instance — is to see what happens when someone loses a phone, suggests Ludwig.

Google moved to make full-disk encryption the default setting for Android devices last year, the company explains in its new Android Security annual report. Google's report also says 17.8 million people globally used Android Device Manager to locate their device in 2015, which is Google's version of Apple's Find my iPhone.

It is "significantly less common" for people to lock and wipe their phone remotely, the report says, which "may indicate that in general, devices are simply lost and users are able to recover them."

"It's absolutely the case that right now, users regularly lose devices, and it's absolutely the case that somebody probably finds them," Ludwig says. "Whether the data is accessed on them — I don't think we know. So the conservative thing to do, from a platform standpoint, is to do everything you can to protect that data."

It's the "conservative" thing to do, as in: the move that makes it least likely for thieves to get in.

That means we don't know the extent to which thieves are trying to get in. It could be that Android phones keep getting lost in back pockets; or that pickpockets with cyber-skills are everywhere, grabbing not just your luxury phone but all the bank account, health and personal information inside that digital wallet.

Ludwig says tech companies rallying around encryption have some homework to do about what the tangible, real-life costs are — not in theory but in practice.

And law enforcement clearly wants private companies to release more information. In a report on encryption published in November, the Manhattan District Attorney Cyrus Vance strikes a cautionary tone, and he notes that Apple and Google have failed to answer his questions about the purpose of encryption.

Similarly, law enforcement agencies have not released data-driven evidence about why it's essential to access smartphone data, as opposed to using traditional investigative methods.

Ludwig poses answerable questions: "After a user requests to find a lost device, what happens to that device? Do we see the device continue to be used into the future by that same user? Then they probably recovered it. Does that device disappear? Then that device fell into a lake, became inoperable. Do we see the device no longer being used but some information on it used somewhere else? That might be evidence that someone has broken into it, extracted the information and is starting to use it."

Google plans to undertake this research. Ludwig is not guaranteeing the company will release juicy findings. But, he's says, he is committed to looking.

Copyright 2016 NPR. To see more, visit http://www.npr.org/.