Security Is Not Enough: Privacy in Encryption Regulation and Lawful-Surveillance Protocols

TL;DR

This paper argues that privacy encompasses more than security, emphasizing the importance of lawful-surveillance protocols and the limitations of security-focused privacy in policy and cryptography.

Contribution

It highlights the need for a broader understanding of privacy beyond security, informing policy and guiding research on lawful-surveillance protocols.

Findings

Security-focused privacy is insufficient for comprehensive privacy understanding.

Lawful-surveillance protocols aim to enable government access without compromising security.

Current normative debates extend beyond security concerns.

Abstract

This article argues that security is not enough to fully capture what is at stake in government exceptional access to encrypted data. A conception of privacy as security has little to say about ``lawful-surveillance protocols'' -- an active research agenda in cryptography that aims to enable government exceptional access without compromising systemic security. But the limitations are not contingent on the success of this agenda. The normative landscape today cannot be explained if security is all there is to privacy. And fundamental objections to Apple's abandoned client-side scanning system gesture beyond security. This article's contribution is modest: to show that there must be more to privacy than the security mold it has taken. A richer understanding is needed both to assess policy and to guide research on lawful-surveillance protocols.