Why Encryption is the Right Choice

As the founder of a privacy-focused messaging service, I am often asked if I am comfortable with the widespread use of encryption. Couldn’t encrypted messages be used by terrorists?

Many communication services are beginning to use end-to-end encryption, which prevents them from reading the messages they deliver. [1] This encryption also prevents government security agencies from monitoring conversations as they are transmitted over the internet.

We certainly want to be able to prevent terrorists from organizing attacks on our society, so should we enact regulation requiring that all messages must be able to be decrypted? I believe we should not enact that sort of regulation for the following reasons:

  • It would create a flawed foundation for the technology our society depends on.
  • It would remove the main recourse by which we can protect our 4th amendment rights.
  • The benefits it would provide in the fight against terrorism are not substantial enough to justify the costs.

A flawed foundation for technology

If we enact regulation that requires government access to all messages sent over communication services, it would force the operators of those services to add backdoors to their products that bypass the protections of encryption. As has been widely discussed, these backdoors make the services vulnerable to unauthorized access. [2] There is no way to add a backdoor that can only be used by the government.

Unauthorized access to data is a major problem today. Frequent cyber attacks result in the theft of personal information affecting millions of people. These attacks disrupt people’s lives and have large economic costs. [3] While cyber attacks will never be completely stopped, the backdoors created by regulation would prevent us from fighting them effectively because all cyber security would be required to have a built-in way to bypass it. This would create a technical foundation for our society that is fundamentally insecure.

The costs of cyber attacks are serious today but in the future they will be much higher because technology is rapidly proliferating into every aspect of our lives. Our personal lives are increasingly carried out using our smartphones, exposing the state of our relationships. Our biological details are increasingly tracked by new forms of health monitoring, exposing the state of our bodies. Our day-to-day activities are increasingly observed by devices located throughout our environment (i.e. the Internet of Things), exposing our day-to-day routines. In all these cases the consequences of regulations that limit cyber security would become much higher in the future than they are today.

Regulations that limit the use of encryption would also restrict innovation by cutting off entire categories of potential services. For example, the healthcare industry may be improved by introducing new types of services that operate entirely on encrypted data but we will never know if regulation excludes the possibility of offering that sort of service.

Protecting 4th amendment rights

The phrase “government monitoring” used to evoke an image of FBI agents in a van recording specific phone calls. That changed when Edward Snowden published documents revealing that the technology is now in place to monitor every conversation transmitted across our entire society and search through the results. [4] These documents revealed mass searches by the United States government that violated the 4th amendment’s protection against unreasonable searches and seizures. [5] This is a major failure of the oversight that keeps our government within the legal boundaries we have established for it. If regulation is enacted that limits the use of encryption, it would remove the main recourse by which individuals have acted to protect their 4th amendment rights against these violations by the government.

Limited benefits of regulation

If we require our communication services to make all conversations available for monitoring, terrorist organizations can simply deploy their own encryption software. Encryption software is free and widely available. [6] Terrorist organizations could easily use it if they wanted to do so. Terrorist attacks are carried out by people who have been extensively trained. [7] This training could easily be extended to include encryption software.

Continuing to allow the use of encryption will not eliminate the ability of security agencies to monitor the communications of specific individuals. Security agencies can use cyber force (aka hacking) to gain access to terrorists’ phones and then monitor them directly. Unlike mass monitoring, targeted use of cyber force by the government is legal. [8]

As mentioned before, cyber violence will never completely cease to exist any more than physical violence will. We should not limit the ways we can defend ourselves against it any more than we should limit the ways we can defend ourselves against physical violence.

The most unique benefit of requiring government access to all our communications would be to facilitate mass monitoring, which would violate the constitution. Meanwhile, encryption will be used by terrorists whether we regulate it or not. Fighting terrorism is a difficult ongoing process. However, communication services are too important to our society for us to build them in a fundamentally flawed way because of that fight. We have to create a foundation for our society that we can depend on as technology evolves around us.

Footnotes

[1] Examples of end-to-end message encryption are Signal and the secret chat feature in Telegram. My service, Burn Note, does not use end-to-end encryption because it is for sending sensitive information to people who do not have a secure account.

[2] The problem with backdoors has been pointed out repeatedly, notably by Apple CEO Tim Cook, but also see articles like this, and this.

[3] A survey of data breaches indicates that over 1 billion personal records were stolen in 2014. Another survey indicates they will cost the U.S. economy $1.5 trillion by 2019.

[4] A lot of data was leaked by Edward Snowden. For a good overview see the Washington Post’s timeline of what was revealed. See this Wired piece for a description of one of the data centers involved in mass monitoring.

[5] An audit the NSA carried out themselves revealed thousands of documented privacy violations. The ACLU filed a lawsuit detailing legal violations by the NSA. In a separate case, a federal judge ruled that the NSA’s mass monitoring was almost certainly unconstitutional.

It is easy to see how mass monitoring violates the constitution. This is the 4th amendment:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

At the very least, the “particularly describing” language is violated by mass monitoring.

[6] There are many free solutions for using end-to-end encryption with Gmail and other email services. For example Google end-to-end, Mailvelope, Virtru, Enigmail, and the original: GPG. End-to-end encryption apps like Signal and ChatSecure can be built from free source code for Android phones.

[7] The trend in many recent terrorist attacks is that disaffected individuals travel to places where terrorist organizations are active, get radicalized and trained by those organizations, then return to the country they came from to carry out an attack. This interview with a Belgian counter-terrorist official gives a good overview of the typical patterns of terrorists today. For specific examples see Umar Farouk Abdulmutallab, aka “the underwear bomber”, or Najibullah Zazi. The Boston Marathon bombers learned how to make bombs from Al Qaeda training materials distributed online.

[8] One of the core concepts of modern public law is that the state has a monopoly on the legitimate use of force. According to this concept, all legitimate use of force has a legal basis (e.g. military, police, self defense, etc). This concept carries over cleanly to the digital era.