Late last week, reports emerged that, once again, senior United States government officials are contemplating seeking legislation that would ban ordinary citizens from using encryption that the government cannot easily crack, reviving the battle between the government – which believes that encryption hampers its efforts to monitor the communications of terrorists and criminals – and technology firms that wish to offer the best security to their users. The new proposal would impact every user of Whatsapp and other tools that offer end-to-end encryption – that is, that allow users to carry on conversations that are encrypted in such a fashion that the chat-service provider itself cannot decrypt them.
Throughout my career, I have opposed laws that prohibit citizens from encrypting their data and communications as they see fit. Here are ten reasons that I raised in a 2015 article as to why I stand firmly against government crippling of encryption technology – these reasons remain at least as pertinent today as they did four years ago:
1. There is no evidence that allowing law-abiding private citizens to use encryption actually helps terrorists achieve their aims. (If there is such evidence, let the government present it to the public.) At least as far as the public has been told, we have not experienced terrorist attacks that would have been preventable had the government been able to more easily break the encryption of standard messaging tools. In fact, it seems that many communications between terrorists are carried out without any encryption. As was seen clearly after the Paris attacks in 2015, governmental failure to monitor terrorist communications is arising primarily from other deficiencies – such as not quickly enough identifying the right people to monitor – rather than from the inability of law enforcement and intelligence agencies to decrypt encrypted communications.
2. There are more effective actions to take against terrorists that should come first. Before we ask Americans to surrender privacy in order to gain security, the government should demonstrate that in has acted with competence in all other areas of the war against terror and exhausted other means. As I noted in 2015, when we hear our Commander-in-Chief telling us how ISIS is “contained” days before the organization kills over a hundred people in the heart of Paris, when we barely hear anything from the government when an American student is murdered by a terrorist in the West Bank, when we hear that the Turkish government tried to warn France twice about one of the suspects involved in the Paris killings but that the French did not respond until after the attacks, etc. we have to wonder if there are other much more significant actions that the government could (and should) be taking to combat terrorists before it deems it necessary to strip us of our rights.
3. The government has a poor record when it comes to protecting sensitive information. Before it demands access to our data, the government should prove that it will properly protect any information that it collects. Various incidents give us reason for serious concern in this regard: From the Chelsea-Manning-WikiLeaks incident that revealed that basic information-security strategies were not being applied in various parts of the government, to the hack of the Office of Personnel Management in which the government was not only breached, but in which it initially underreported the amount of data stolen, to the Edward Snowden leak of data from the NSA, to the theft of intelligence agency cyberweapons, to the use of an insecure (and possibly hacked) private email server by the former Secretary of State for to communicate highly-sensitive information, we have good reason to believe that even if the government did not intended to misuse our data, it might inadvertently allow others to do so – after all, who says that the government will properly protect its decryption keys? As Paul Calatayud, now Chief Security Officer for the Americas at Palo Alto Networks, expressed in a Snowden-reminiscent fashion, “what if a contractor working for a government decides to steal these keys and perhaps flee to Russia?”
4. Weakening encryption will increase crime. There is no way to weaken encryption so that the government can crack it without also allowing criminals to do the same. To quote Apple‘s CEO, Tim Cook, “You can’t have a backdoor that’s only for the good guys.” As mentioned above, the government does not have a great record of protecting its own data – will criminals be able to steal the government’s decryption keys and decrypt online banking sessions and other sensitive activities? Could government access allow people to steal private photos and communications between spouses? As David Meltzer, CTO at Tripwire, noted, “the same backdoor you create for the government inevitably creates the potential for misuse, abuse, and being exploited by others.”
5. There are plenty of foreign made encryption applications.If the USA outlaws strong end-to-end encryption, terrorists wishing to use strong encryption will simply use foreign-made applications – either those already available today or one or more of the many that would certainly appear as the result of a US ban. The only people who will lose out will be law-abiding Americans. As Willy Leichter, Vice President at Virsec, put it, “If a US-based service can’t provide end-to-end encryption, then dozens more will pop up outside the country that are equally effective.”
6. Terrorists can easily craft their own encryption applications. Many strong encryption algorithms are not secret; even if the United States could get every government around the world to mandate that all makers of commercially viable encryption applications include backdoors for government use, terrorists – even those with small budgets – could easily commission the writing of uncrippled software. To quote Laurence Pitt, Global Security Strategy Director at Juniper Networks, “making encryption illegal will prevent the average person from using it – but for anyone who’s already involved in illegal activities, it’s going to make no difference. The issue of recreating powerful encryption tools when they cannot be legally acquired has been an ignored “elephant in the room” for quite some time – when I was at NYU in the 1990s, it was illegal to export certain powerful encryption technology overseas, and, more than once, I heard a professor warn members of my class not to transport out of the USA code that we were utilizing. But our class consisted primarily of foreign students who were going to eventually return home – many to countries less than friendly with the USA – who, after studying encryption algorithms and code it in an American university, could easily recreate them once they were back home.
7. Metadata already provides enough information. In most cases, encryption does not stop authorities from obtaining sufficient information about a communication to properly monitor those involved. Metadata – such as the IP addresses or phone numbers of parties communicating – can be used to determine who is communicating with whom, when they are doing so, and from where they are doing so. Armed with that information, authorities can get proper warrants that they need to conduct surveillance, etc.
8. Terrorists can hide data in pictures and videos even without encryption. Even if the government somehow did manage to cripple all end-to-end encryption technology including in custom-developed apps, terrorists could still hide their secret communications within pictures and videos using a method known as steganography. For more on steganography – and for a chance to win an Amazon gift card if you can find the data that I hid in a photo years ago in order to demonstrate the power of steganography – please see this article: How To Send Messages That Even The NSA, CIA, and FBI Cannot Read.
9. Crippling American software harms Americans businesses. Foreign companies scared that their data may be obtained by the US government – or by other parties (including potentially criminals) exploiting the vulnerabilities introduced at the demand of the government – will turn to foreign technology providers at the expense of American businesses.
10. It is against the American tradition. The Founding Fathers of this great nation ratified the Bill of Rights at a time that our nascent country was under serious risk of attack – we had just emerged from one war fought on our own soil against a mighty empire and would soon fight another battle on our own turf against the same powerful foe. Yet, despite any danger involved, the people whose vision created America still felt that Americans had fundamental rights to privacy. It is hard to imagine that they would have wanted future generations of Americans, living in far greater security and during far more peaceful times that they did, to abandon such values in the name of security. To quote Dan Tuchler, CMO of SecurityFirst, “An authoritarian government will always seek to exert control by monitoring its citizens, using the reasoning that safety of citizens is more important than any erosion of their rights. The United States has a long history of mottos such as “Live Free or Die” emphasizing the common conviction that the balance should always lean towards freedom of speech.”
In short – when it comes to outlawing encryption for the sake of reducing crime and combating terror, at present, the cons dramatically outweigh the pros. I have no doubt that, as Pravin Kothari, the Founder and CEO of CipherCloud, put it “Legislators’ hearts are in the right place when it comes to protecting national security, but these particular pieces of legislation are an “overreaction” to recent events without evaluating the pros and cons.”