The War on Encryption
‘We’re off; We’re starting’
This SMS message signalled the start of a series of coordinated terrorist attacks against the people of Paris.
That night in November, seven terrorists claimed 130 innocent lives in an act of abject barbarism that shocked the world. This brutality was swiftly followed by a heated media discussion seeking to identify the intelligence failures that allowed this attack to occur.
Many, including CIA Director John Brennan, were quick to blame Edward Snowden for the broad adoption of encryption following information he leaked about mass surveillance programs, which has supposedly led to an intelligence dark age. More generally, it was encryption itself that was blamed.
This blame is misguided, and could lead to legislative weakening of encryption.
The SMS message the Paris attacker sent was unencrypted. It was recovered from a cell phone used by one of the attackers, which was found in the trash outside the Bataclan concert hall. The cell phone was completely unencrypted. In addition to the SMS message, detailed maps of the concert hall were found on the device. Law enforcement were able to trace the phone’s movements, and to extract the location of a suspected terrorist safe house in Belgium. This safe house was then raided, and evidence was recovered suggesting that the ISIL networks involved in the Paris attacks were communicating through unencrypted means.
None of their phones were encrypted.
An attack on Belgium, foiled ten months before the Paris attacks, involving the same ISIL networks, was also planned without using encryption. This does not suggest that terrorist groups such as ISIL do not use encryption; they most certainly do, and will continue to. However, the current intelligence apparatus was able to foil the attack in Belgium, and certainly could have foiled the attack in Paris.
Despite this, the Paris attacks, and those like them, are consistently used to denounce encryption as something practised only by terrorists.
This is then used to justify including backdoors in encryption. Such claims are often made without any grounding in fact, as those made in the wake of the Paris attacks show.
Even if the legislature eventually heeds such claims, backdoors will not affect terrorist activities at all. Such laws will only affect applications like WhatsApp or iMessage, and not the home-brewed, open source tools terrorist groups are more inclined to use. The usage of these tools could never practically be controlled by law.
Encryption protects our privacy, our anonymity, our opinions, our finances, and, increasingly, our lives. Encryption is key to a free and secure society, and attempts to weaken it could be extremely damaging.
Nonetheless, shortly after the attacks, Brennan claimed that ‘There are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have insight that they need to uncover [the plot].’
This reflects a common sentiment throughout the global intelligence and legislative community. And in a limited sense, Brennan’s statement is certainly true; when used properly, encryption will render information stored or in transit unreadable to those without authorisation.
What is deeply troubling is what statements like Brennan’s are then used to justify.
Proposed legislation in the UK would require any implementation of encryption to include a backdoor accessible to the UK intelligence services, or to face a ban in the UK. David Cameron, seeking to deny potential terrorists a ‘safe space’ to communicate, argues, ‘Do we want to allow a means of communication between people, which even in extremis, with a signed warrant from the home secretary personally, that we cannot read?’
The difference between backdoors and court-ordered decryption is that backdoors, being secret in nature, would have to be handled without transparency, in the same way as mass surveillance programs. Therefore there is no way to ensure that such backdoors are not used arbitrarily, and are administered on a targeted basis.
As for the threat from bad actors, in the words of security expert and Harvard fellow Bruce Schneier, ‘Either we build encryption systems to keep everyone secure, or we build them to leave everybody vulnerable.’
The United Nations’ Office of the High Commissioner stated in a report on encryption that ‘States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression.’ The inclusion of government-accessible backdoors in encryption is tantamount to restricting encryption, by weakening it against both the government and bad actors.
According to the UN report, court-ordered decryption ‘may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals.’
National security interests are better served by strong ubiquitous encryption. Writing in the Washington Post, Former Director of National Intelligence and NSA Director Mike McConnell wrote that ‘Chinese economic espionage is so severe that stopping that is more important than being able to read the communications of a criminal.’ He later notes that, ‘Strategically, the interests of U.S. businesses are essential to protecting U.S. national security interests.’
There is no justification for weakening encryption in the name of national security. Not only would such a scheme damage the security of ordinary citizens, it would not impact the activity of terrorist groups, and, if anything, it would endanger national security.
McConnell sums it up best: ‘Technology will advance, and you can’t stop it. Learn how to deal with it.’
This article first appeared in The Poor Print.