The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
There is a recurring (and contentious) debate over the extent to which the developers of consumer technologies that feature encryption should be required to ensure that law enforcement is able to access the contents of encrypted devices and communications pursuant to a warrant. On one side of this debate, law enforcement agencies point to the significant risks “warrant-proof encryption” may pose to the investigation of serious criminal activities. On the other side, civil liberties and technology policy groups argue that undermining consumer encryption threatens privacy, cybersecurity, and human rights – particularly amongst vulnerable people. However, this debate is being conducted largely in the absence of publicly-available data on how often various actors in the criminal justice system encounter encrypted devices, how they respond when an encrypted device is encountered, and the impact of these interactions on public safety and individual rights. Empirical research that answers these questions would substantially contribute to encryption governance.
Boustead's paper provides guidance to researchers who seek to collect data on encrypted devices, and policymakers considering whether and how to mandate reporting of data directly from agencies. Boustead begins by motivating this analysis with a discussion of the legal and policy issues that could be informed by additional data on encounters with encrypted devices in the criminal justice system, and a description of the (sparse) data currently available on this topic. She then explores potential issues that may arise when attempting to collect additional data, considering these issues from both research design and political feasibility perspectives. Finally, she develops options and best practices for the collection of these data in light of these issues.