The feds have had it out for encryption for decades, but in the wake of the Paris attacks, the vilification of cryptography – the use of mathematical algorithms and other practices to protect web transactions and emails, “lock up” data at rest on a hard drive, protect the privacy of certain phone calls and more – has reached a dangerous new low.
Since the tragedy, lawmakers from the House of Representatives, top law enforcement officials and media figures have all articulated the idea that the Paris attackers used “encryption” to elude detection and capture. Like a lot of narratives that come from Congress, law enforcement and media, this story is way off the mark.
For example: We know that at least some of the attackers used standard (unencrypted) SMS messaging on their mobile phones. We know at least one used his own credit card to book a hotel around the time of the attack, which hardly speaks to a great degree of technological sophistication. And we know that several of the eight were known to US and French authorities before the attack. Some of them lived in the same neighborhood. The planner published an interview in ISIS magazine Dabiq in February – after leaving and before returning again to Europe – that included his picture and talked about evading Belgian and French authorities. It’s not as if the ISIS attackers were invisible save for very strong math.
Nonetheless, the rhetoric about the dangers of encryption continues unabated, with US law enforcement using the Paris attacks to return to the familiar position of criticizing encryption technology as a threat to the public. The same arguments about dangers to public safety and law enforcement that were rejected during the highly public US “crypto wars” of the 1990s, and that have dotted editorial pages in the past year, have re-emerged with a furious, fact-indifferent vengeance.
These criticisms take us down absurd roads. For example, some have noted that curtains or whispering can aid crime. Perhaps we should ban them too. Why have warrants in the first place? Wouldn’t it be safer if police could take what they needed, when they needed it? Scapegoating private communications services is a good way to avoid productive engagement with failures in human intelligence and foreign policy.
Arguments against encryption technology are often decidedly domestic. They include ominous warnings that secure communication and data storage mean that vast numbers of criminals are “going dark,” or that your imaginary neighborhood terror brigade is obscured behind ciphertext.
In the week after the Paris attacks, Manhattan District Attorney Cyrus Vance and FBI Director James Comey trod familiar ground to make a very public case that strong encryption must be stopped. The threat, Vance and Comey asserted, is grave. Others repeated these claims, which have recently rung unsuccessfully throughout US consciousness in the face of moves by Apple and others to enable security by default on their devices.
Considering the recent New York Times editorial in which the paper says of CIA Director John Brennan, “it is hard to believe anything that he says,” perhaps we should have expected the less-than-accurate nature of Vance and Comey’s words about the existential crisis that encryption poses.
The problem wasn’t “going dark,” which was, after all, irrelevant to Paris. Electronic Frontier Foundation attorney Nate Cardozo asserted on Twitter that the materials accompanying Vance’s statement didn’t cite a single case where encryption posed a problem for the local authority. And the problem wasn’t surveillance capacity.
Examinations of bulk surveillance programs since 9/11 have shown their effectiveness to be limited, with mass surveillance generating too much data for agencies to process. Debacles of intelligence in Boston and Paris – where attackers were known to authorities who failed to act – further underscore the misdirection of renewed calls.
The elephant in the room, if you are a supporter of backdoors or weakened security via disabled crypto, is that proposals to undermine encryption for the benefit of law enforcement officials are impossible to implement without making life less safe for every user of a given product or service. Independent experts note in no uncertain terms that creating vulnerabilities that are open to the FBI, NSA or local police creates opportunities that are exploitable by anyone with the means. There are, and always will be, many with the means.
At the crux of this new civil liberties contention is a familiar move: an attempt by elements of the national security apparatus to leverage fears about terrorism into greater restrictions on liberty and aggressive foreign policy. The artifacts of the post-9/11 flurry – the Patriot Act, the torture prison at Guantánamo Bay, the invasion of Iraq – are red flags dripping with innocent blood.
At the penumbra of these arguments is another issue. While scary promises about ISIS and backdoors and “going dark” come at the outset from state actors who often probably understand the facts, probably know better and still don’t care, the work of disseminating and championing restrictions to the public falls to people who often don’t know better. That’s why we see “encryption” used as a stand-in for “good security,” even when crypto is a diverse, context-specific descriptor and when there are often simple defensive measures that are much more effective. (In the widely reported and devastating 2015 hack on the Office of Personnel Management, for example, encryption was immaterial.)
This disconnect is behind the popular notion that the surveillance state works. It’s also behind the notion that mass numbers of criminals and terrorists are lurking on your local train car, evading detection because of Apple’s default settings or because of Open Whisper Systems – a group of men standing around the cryptographer’s car engine, speaking so their mouths stay open.
While there are contrarian and persuasive arguments that encryption actually prevents unexpected kinds of crime, like cell phone theft, by rendering the devices worthless to thieves, it is certainly the case that many of the systems used daily by billions of people depend on cryptographic protocols that can’t be busted by anyone with an insecure master key and a pretense. Compromising these systems by breaking their locks on behalf of a greedy state (and anyone in between) would make us less safe.
For many, “encryption” is a stand-in for the unknown, and the uncertainty surrounding the concept leaves the field open for those who seek to turn fear into power at the expense of civil liberties and security. We’re better than that, aren’t we?