The debate over encryption is often framed as a simple trade-off: your privacy for your safety. It’s a compelling, if dangerously misleading, narrative. Law enforcement agencies around the world speak of “going dark,” a chilling term for the investigative black hole created when criminals and terrorists use encrypted messaging apps like Signal or WhatsApp, their communications shielded from prying eyes. They argue that without a “golden key” to unlock this data, they are fighting with one hand tied behind their backs against the gravest of threats, from child sexual abuse material (CSAM) distribution rings to coordinated terrorist attacks. For years, this has been the central argument in a conflict that has come to be known as the “Crypto Wars 2.0.” But in a moment of staggering candor, a man who once stood at the pinnacle of American law enforcement has declared that the proposed cure is far deadlier than the disease.

“Encryption helps keep people safe,” stated James A. Baker, former General Counsel of the US Federal Bureau of Investigation, during a panel discussion for Global Encryption Day. “Encryption is vital to law enforcement to protect society.” This wasn’t a slip of the tongue. It was a calculated, forceful declaration from an insider who understands the operational challenges of the FBI but also grasps the catastrophic technical realities of what is being asked. Baker’s position illuminates a profound paradox: in their quest to access the communications of the few, governments risk demolishing the digital fortress that protects the many—including the critical infrastructure, financial systems, and public institutions that law enforcement is sworn to protect. He argues that the focus on breaking encryption is a strategic misstep, one that ignores the immense protective power of the technology and would, ironically, make the job of protecting society infinitely harder.

The Ghost in the Machine: A New Push for an Old, Failed Idea

The latest and most insidious proposal to resolve the “going dark” problem is a technology known as client-side scanning (CSS). Instead of breaking the encryption itself while data is in transit, CSS would scan the content of your messages—your photos, texts, and files—directly on your own device before it gets encrypted and sent. Proponents, particularly within the European Union through its controversial “Chat Control” proposal, sell this as a targeted, privacy-preserving solution. They claim it’s like having a specialized digital sniffer dog on your phone that only barks when it detects known illegal material, like CSAM. Everything else remains private. But to technologists, security experts, and now even former intelligence officials like Baker, this isn’t a sniffer dog; it’s a state-mandated ghost in the machine, a fundamental subversion of personal electronics that functions exactly like spyware.

The Technical Fallacy of a “Good Guys Only” Backdoor

The core problem with client-side scanning is that it deliberately and permanently compromises the security of every single device it’s installed on. To understand why, one must discard the fantasy of a magical key that only the “good guys” can use. In the world of cybersecurity, a vulnerability is a vulnerability, regardless of its intended purpose. Once a system is built to allow a third party to secretly scan, access, and report on a user’s private data, it creates a structural weakness that can and will be exploited. Matthew Green, a cryptographer and professor at Johns Hopkins University, has famously described such systems as creating a “backdoor to your house with a sign on it that says, ‘backdoor.'” While you might hope only the police use it, you’ve also given a map to every burglar in town.

How Client-Side Scanning Fails

Think of it this way: for CSS to work, your phone needs a constantly updated list of “bad” content to scan for, and a mechanism to report a match to a central authority without your knowledge. This creates multiple, catastrophic points of failure. What if a hostile government, like Russia or China, hacks the central server and adds new items to the “bad” list? They could instantly turn the system into a tool for global surveillance, flagging messages from journalists, dissidents, or corporate rivals. What if a sophisticated criminal organization finds a bug in the scanning software itself? They could exploit it to steal your banking information, personal photos, or trade secrets. The very system designed to stop criminals would become their most powerful weapon. As Baker bluntly put it, client-side scanning is “a fundamentally bad idea. It won’t help law enforcement to protect the people they want to protect, but it will expose them to more threats.”

A Lesson from History: The Clipper Chip Fiasco

This isn’t a new debate. The first Crypto Wars of the 1990s saw the US government attempt to mandate the “Clipper Chip,” a hardware-based encryption system that came with a built-in backdoor for law enforcement. The tech community and civil libertarians revolted, arguing—correctly, as it turned out—that it would stifle innovation, undermine American competitiveness in the nascent software industry, and create an irresistible target for foreign intelligence agencies. The proposal was ultimately defeated, paving the way for the secure e-commerce, online banking, and private communications we rely on today. The push for client-side scanning is merely the Clipper Chip in a new, more sophisticated disguise, but the fundamental principle remains the same: you cannot build a secure system by deliberately breaking it.

The Global Economic and Security Stakes

The implications of weakening encryption extend far beyond individual privacy. The modern global economy is built on a foundation of digital trust, and that trust is underwritten by strong encryption. Every time you make an online purchase, check your bank balance, or access your medical records, you are relying on encryption to protect that data from theft and manipulation. A 2022 report from Cybersecurity Ventures projected that the global cost of cybercrime would reach a staggering $10.5 trillion annually by 2025. Strong, end-to-end encryption is one of the most effective bulwarks against this tidal wave of digital crime.

If governments in the US, UK, or EU mandate a weakened standard of encryption, they are not only putting their own citizens at risk. They are handing a gift to hostile state actors and international crime syndicates. It would create a chaotic, fragmented digital world where data is secure in some countries but vulnerable in others, crippling international business. Furthermore, it would set a dangerous precedent, giving authoritarian regimes the perfect justification to demand similar access to their own citizens’ data, effectively exporting a tool of surveillance and oppression. A backdoor mandated in Brussels for hunting criminals could be repurposed in Beijing to hunt pro-democracy activists. The Pandora’s Box, once opened, cannot be closed.

Finding a Better Way: Policing in the Post-Encryption Era

James Baker’s argument is not that law enforcement should give up. It is a call for them to adapt and innovate, rather than demanding the digital equivalent of a nuclear option that would create immense collateral damage. He acknowledges the immense pressure on investigators to solve heinous crimes, but insists that gutting the world’s digital immune system is not the answer. “If we, as law enforcement, think we need to protect society,” he urged, “we need to factor that in and find a different way.” So, what does a “different way” look like? It involves leaning into traditional, proven police work, amplified by modern, legal, and targeted technological methods that don’t require breaking encryption for everyone.

The Power of Metadata and Endpoint Exploitation

While end-to-end encryption protects the content of a message, it doesn’t always hide the metadata—who is talking to whom, when, for how long, and from what location. This information, which service providers often retain, can be a goldmine for investigators, allowing them to map criminal networks, establish patterns of life, and identify key conspirators without ever reading a single message. A warrant for metadata is a far less intrusive and more constitutionally sound approach than a mandate to scan the private content of every citizen.

Furthermore, even if a communication channel is secure, the devices at either end—the “endpoints”—often are not. Skilled investigators can and do exploit security vulnerabilities in a suspect’s phone or computer, or gain physical access to a device, to retrieve data before it’s encrypted or after it’s been decrypted. While this is a targeted and resource-intensive method requiring a warrant, it is the digital equivalent of a traditional house search. It focuses on the specific suspect, not the entire population, and respects the fundamental principle that security should be the default for everyone.

The Human Element Remains Key

Ultimately, technology is only one piece of the puzzle. Good, old-fashioned police work—developing confidential informants, going undercover, analyzing financial records, and conducting physical surveillance—remains indispensable. These methods have been the bedrock of successful investigations for over a century and continue to be effective in the digital age. By focusing their vast resources on these proven techniques, rather than waging a futile and destructive war on mathematics and cryptography, law enforcement can more effectively target criminals without forcing hundreds of millions of innocent people to sacrifice their digital security.

James Baker’s transformation from FBI counsel to encryption advocate is a powerful testament to the complexity of this issue. It is a recognition that true security is not achieved by creating a world of digital glass houses. It is built by empowering citizens, businesses, and governments with the strongest possible tools to defend themselves against an ever-growing array of digital threats. The lock on your phone and the encryption on your messages are not obstacles to a safe society; they are a fundamental part of its foundation. Weakening them in the name of security is a paradox that would solve nothing and risk everything.

Source: https://www.techradar.com