The essence of information privacy is control over disclosure. Whoever is responsible for the information is supposed to be able to decide who sees it. If a society values privacy, it needs to ensure that there are reasonable protections possible against disclosure to those not authorized by the information’s owner.

In the online world, an essential technical component for this assurance is encryption. If the encryption that is deployed permits disclosure to those who were not authorized by the information’s owner, there should be serious concern about the degree of privacy that is meaningfully possible. Potentially competing with an owner’s need for privacy are the legitimate investigation needs of law enforcement. Hence the current debate engendered by calls for “extraordinary access”—that is, the requirement for a backdoor to encrypted data.

When those making such calls are powerful government officials, effective opposition to them takes skill, credibility and gumption. In that regard, publication of “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications” was an especially noteworthy event, both for its content and for its remarkable list of authors—all fifteen of them, representing three generations of senior security technical expertise, who offered careful explanations of the unavoidable technical and operational problems that are produced by any attempt to embed secondary, “exceptional” access to encrypted content.

In recognition of their singular effort and accomplishment, the authors were recently honored with the 2015 J.D. Falk Award from the Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG). The award is given “recognizing a particularly meritorious project undertaken by a dedicated individual or group reflecting the spirit of volunteerism and community building.” It should be noted that the M³AAWG membership was enthusiastic about this award to the authors, in spite of the fact that pervasive encryption makes the work of M³AAWG members more difficult—encryption blocks some anti-abuse techniques.

The award event resulted in production of three videos discussing the content of the paper, the process of producing it, and its role in the public policy debate over exceptional access:

• “Keys Under Doormats 2015 Falk Award: How and Why the Report was Developed”, with Josh Benaloh and clips of seven other authors, including a brief introduction of the award by M³AAWG Chair Michael Adkins and the award presentation by me, Dave Crocke
• ”Keys Under Doormats: Tutorial on Content and Issues”, with Josh Benaloh and a brief overview of current M³AAWG Pervasive Monitoring SIG work by SIG Chair Janet Jones
• ”Keys Under Doormats: A Conversation on the Report’s Significance and Impact”, with Josh Benaloh and me, Dave Crocker

The essential concerns raised by the report’s authors are listed in its Executive Summary, noting that exceptional access would:

• Force a U-turn from the best practices now being deployed to make the Internet more secure
• Substantially increase system complexity and thereby increase risk
• Create concentrated targets that could attract bad actors

The report was initially instrumental in altering public discussion about governmental exceptional access and in the plans for pursuing it. However some officials continue to press vigorously for this capability, although they do not detail the specifics they are seeking, and they do not address the basic technical and jurisdictional problems with such a capability. On the technical side, the assessment by the report’s fifteen experts is that the technical community simply does not know how to provide exceptional access in a manner that is sufficiently reliable and constrained.

Some government officials dismiss the aggregate expertise embodied in the report’s authors and instead say that technicians merely need to try harder. Given the many and continuing major breeches of government and private online systems and the documentation of unconstrained access already obtained through various persistent monitoring programs, such casual dismissal of the authors’ assessment is cavalier and does them—and us all—a serious disservice.