In his
recent post on The Strategist, Anthony Bergin makes many good points about the use of encryption by non-state actors like Daesh, the related challenges to intelligence collection, and the importance of balancing civil liberties and national security in times of heightened threat. While Anthony’s recommendation that agencies focus on human intelligence is welcome (and in line with the
government’s national security statement), what was missing was a clarion call—one in support of strong commercial encryption.
The horror recently unleashed on Paris has prompted questions about what it means if the terrorists had used encryption to shield their plotting and communication from law enforcement and security agencies in Europe.
Intelligence heads and
lawmakers in the US were quick to
claim that encryption technologies were
thwarting security efforts and that ‘backdoors’ into devices and software are needed. Regardless of whether the Paris attackers used encryption, the suggestion of banning or weakening commercial encryption represents a patently wrong-headed approach to bolstering security.
The encryption debate isn’t a new one. The so-called 'Crypto Wars' have
roots back to 1976 when the discovery of 'public key cryptography’ gave individuals and businesses an option to secure their communications, challenging the domestic monopoly on encryption that the US government had maintained until that point. In the early 1990s, a battle unfolded as the US government
lobbied telcos to submit to the ‘Clipper Chip’, technology that ‘relied on a system of “key escrow,” in which a copy of each chip’s unique encryption key would be stored by the government.’ Concerns over deleterious security, privacy and economic consequences saw strong encryption win out after a few years of back and forth. Export controls on encryption were liberalised throughout the Clinton administration, and by 2005, the public’s legal access to encryption was thought to be assured and the Crypto Wars were declared over (at least,
by some).
There were various attempts to water down encryption over the intervening years until Snowden’s 2013 disclosure of the
NSA’s Bullrun program prompted companies like Apple and Google to begin to package privacy with their products and services. Those firms now offer
full-disk encryption, meaning that the data and communications stored on their hardware or software is unable to be decrypted by anyone except the user, rendering access warrants impotent. Privacy and security by way of encryption
became a selling point and a strategy to win customers in a hotly contested market.
Beyond the big tech companies, the last few years have seen a proliferation of mobile applications that enable encrypted communication. In March, then-Communications Minister Malcolm Turnbull
name-checked a handful of apps that could be used to subvert the government’s data retention regime: ‘Whatsapp or Wickr or Threema or Signal, you know, Telegram, there’s a gazillion of them.’ A few weeks earlier, Turnbull had spoken of the
inherent insecurity of text messaging—‘messages are not encrypted in transit… [or] on the telco's server’—and happily copped to using encryption services himself, including Wickr, WhatsApp and ‘a number of others… because they're superior over-the-top messaging platforms… You know, millions of people do, hundreds of millions of people use over-the-top applications.’ Encryption is mainstream.
Beyond securing our personal communications, encryption is fundamental to the protection of our online privacy, banking, passwords and corporate assets. In this way, it’s a central contributor to the health of the global economy and business competition. Security and systems experts, cryptographers, digital privacy advocates and tech leaders have all said that
weakening encryption is a bad idea and that there’s no way to build a backdoor for government use that won’t also be exploited by terrorists, malicious hackers, tech-savvy criminals, foreign spies and industrial competitors, among others. A few months back, a draft US National Security Council paper
determined that ‘the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption’. Mandating that US tech giants introduce backdoors will only
push consumers and criminals alike toward products developed in other countries or toward home-brewed encryption. Encryption begets the security and trust that lies at the heart of the internet.
Law enforcement should have the necessary powers and tools to detect and prevent attacks, but weakening or banning cryptography won’t make the masses more secure. Instead, we need to think
around encryption. Intelligence agencies should focus on hacking the phones and computers of surveillance targets to exfiltrate private encryption keys, and on breaking into devices to target communications
before encryption and after decryption. Greater public–private collaboration and problem solving is needed between the highest levels of the US government and tech firms like Apple, Google, Microsoft and Facebook: government needs a deeper understanding of the technology and the consequences of tweaking it, while private players need to understand the huge operational challenges faced by those charged with keeping us safe. The Australian government should make strong representations in Washington to this end.
We don’t yet have an answer as to the extent to which the Paris terrorists employed encryption. It’s important to remember, however, that many of those who carried out the attacks were
on the radar of intelligence services in both Belgium and France, where some were on the high-security watch list
La Fiche S—along with more than 10,000 others. It has been reported that Turkish authorities contacted their French counterparts
twice in the last year to flag one of the 13/9 assailants, Omar Ismail Mostefai, as a terrorist threat; it was only in the aftermath of the attacks that French authorities allegedly replied requesting information about Mostefai. That the attacks occurred seems less likely due to an inability to unlock encrypted communications data than due to a failure of coordination, follow-up, targeting and action.
The encryption debate is incorrectly characterised as being about security versus liberty. It's actually about security versus vulnerability, and always has been.