‘U Can’t Touch This’: the inviolability of encryption
4 Dec 2015

In his recent post on The Strategist, Anthony Bergin makes many good points about the use of encryption by non-state actors like Daesh, the related challenges to intelligence collection, and the importance of balancing civil liberties and national security in times of heightened threat. While Anthony’s recommendation that agencies focus on human intelligence is welcome (and in line with the government’s national security statement), what was missing was a clarion call—one in support of strong commercial encryption.

The horror recently unleashed on Paris has prompted questions about what it means if the terrorists had used encryption to shield their plotting and communication from law enforcement and security agencies in Europe. Intelligence heads and lawmakers in the US were quick to claim that encryption technologies were thwarting security efforts and that ‘backdoors’ into devices and software are needed. Regardless of whether the Paris attackers used encryption, the suggestion of banning or weakening commercial encryption represents a patently wrong-headed approach to bolstering security.

The encryption debate isn’t a new one. The so-called ‘Crypto Wars’ have roots back to 1976 when the discovery of ‘public key cryptography’ gave individuals and businesses an option to secure their communications, challenging the domestic monopoly on encryption that the US government had maintained until that point. In the early 1990s, a battle unfolded as the US government lobbied telcos to submit to the ‘Clipper Chip’, technology that ‘relied on a system of “key escrow,” in which a copy of each chip’s unique encryption key would be stored by the government.’ Concerns over deleterious security, privacy and economic consequences saw strong encryption win out after a few years of back and forth. Export controls on encryption were liberalised throughout the Clinton administration, and by 2005, the public’s legal access to encryption was thought to be assured and the Crypto Wars were declared over (at least, by some).

There were various attempts to water down encryption over the intervening years until Snowden’s 2013 disclosure of the NSA’s Bullrun program prompted companies like Apple and Google to begin to package privacy with their products and services. Those firms now offer full-disk encryption, meaning that the data and communications stored on their hardware or software are unable to be decrypted by anyone except the user, rendering access warrants impotent. Privacy and security by way of encryption became a selling point and a strategy to win customers in a hotly contested market.

Beyond the big tech companies, the last few years have seen a proliferation of mobile applications that enable encrypted communication. In March, then-Communications Minister Malcolm Turnbull name-checked a handful of apps that could be used to subvert the government’s data retention regime: ‘Whatsapp or Wickr or Threema or Signal, you know, Telegram, there’s a gazillion of them.’ A few weeks earlier, Turnbull had spoken of the inherent insecurity of text messaging—‘messages are not encrypted in transit… [or] on the telco’s server’—and happily copped to using encryption services himself, including Wickr, WhatsApp and ‘a number of others… because they’re superior over-the-top messaging platforms… You know, millions of people do, hundreds of millions of people use over-the-top applications.’ Encryption is mainstream.

Beyond securing our personal communications, encryption is fundamental to the protection of our online privacy, banking, passwords and corporate assets. In this way, it’s a central contributor to the health of the global economy and business competition. Security and systems experts, cryptographers, digital privacy advocates and tech leaders have all said that weakening encryption is a bad idea and that there’s no way to build a backdoor for government use that won’t also be exploited by terrorists, malicious hackers, tech-savvy criminals, foreign spies and industrial competitors, among others. A few months back, a draft US National Security Council paper determined that ‘the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption’. Mandating that US tech giants introduce backdoors will only push consumers and criminals alike toward products developed in other countries or toward home-brewed encryption. Encryption begets the security and trust that lie at the heart of the internet.

Law enforcement should have the necessary powers and tools to detect and prevent attacks, but weakening or banning cryptography won’t make the masses more secure. Instead, we need to think around encryption. Intelligence agencies should focus on hacking the phones and computers of surveillance targets to exfiltrate private encryption keys, and on breaking into devices to target communications before encryption and after decryption. Greater public–private collaboration and problem solving is needed between the highest levels of the US government and tech firms like Apple, Google, Microsoft and Facebook: government needs a deeper understanding of the technology and the consequences of tweaking it, while private players need to understand the huge operational challenges faced by those charged with keeping us safe. The Australian government should make strong representations in Washington to this end.

We don’t yet have an answer as to the extent to which the Paris terrorists employed encryption. It’s important to remember, however, that many of those who carried out the attacks were on the radar of intelligence services in both Belgium and France, where some were on the high-security watch list La Fiche S along with more than 10,000 others. It has been reported that Turkish authorities contacted their French counterparts twice in the last year to flag one of the 13/9 assailants, Omar Ismail Mostefai, as a terrorist threat; it was only in the aftermath of the attacks that French authorities allegedly replied requesting information about Mostefai. That the attacks occurred seems less likely due to an inability to unlock encrypted communications data than due to a failure of coordination, follow-up, targeting and action.

The encryption debate is incorrectly characterised as being about security versus liberty. It’s actually about security versus vulnerability, and always has been.