On Saturday night, the city of London experienced yet another tragic attack, apparently carried out in the name of terror. The city’s second major attack in two months, and England’s third – the terrible bombing in Manchester just two weeks ago, has already led to numerous statements of solidarity and support from (most) leaders around the world.
Unfortunately, during that time, Theresa May, British Prime Minister, also said this:
That’s right, among the many things we can expect in the near future is another battle over government surveillance powers. In that battle, it’s a virtual guarantee that the British or U.S. government will resume it’s call to require technology companies be able to decrypt any data or communications within their ecosystem, purportedly in the name of fighting terrorism.
Whether it starts now, or as a result of a tragedy yet to come, the new war on encryption is about to begin.
The War on Encryption
Following a terrorist attack, it’s almost inevitable that we hear from government officials about the need to improve the ability of law enforcement and intelligence agencies to monitor and track potential terrorists. Almost inevitably, the result is a proposed law or regulation expanding the ability of the government to surveil its citizens, including but not limited to a weakening of encryption protocols.
Regardless when it starts, it seems all but inevitable that it will occur in the immediate aftermath of a terrorist attack of some kind. Here are 5 things you’ll find in the new attacks on encryption:
1) The Powers and Authority Sought Have Previously Been Requested – and Rejected – as a Massive Overreach
There’s a reason why new surveillance laws are always passed in the aftermath or near aftermath of a terrorist attack – that’s when people tend to demand action from their representatives, and usually don’t much care what form that action takes. There are too many “perfect” examples already, which should terrify anyone who is a strong supporter of representative democracy, including 9/11, the July 7, 2006 suicide bombing in London, the Charlie Hebdo attack, and the Paris Bataclan attack.
Think back to how our elected leaders responded to those attacks. Usually, mixed in with statements of condemnation of the attacks and condolences to the victims, you can find statements about how we need stronger measures to prevent such attacks. However, when you look back on the actual responses to those events, you’ll find the measures being enacted following the events consist of a veritable security and surveillance “wish list” that governments had been seeking prior to the events.
Before 9/11, the NSA and FBI spent years attempting to get legislative authorization for the sweeping surveillance powers they were given by the Patriot Act. The attempts to force technology companies to offer a backdoor into encrypted communications began WAY before the Bataclan or San Bernadino attacks.
Sadly, times immediately after a crisis are ripe for taking advantage of our fearful state, and governments use these opportunities to accomplish what they’re unable to do in normal times. Fully aware that they’ve been given significant latitude to improve security, that latitude is routinely abused to expand the power of the surveillance and security state as much as possible. Instead of passing security laws and rules to address the problem, they take the approach that they should expand power as much as possible while they can – basically the definition of “overreach.”
If the authority wasn’t appropriate in calmer times, when cooler heads prevailed, then it’s definitely wrong now.
2) The Proposed Expansion of Powers Will the Specific Events They’re Allegedly Responding To
Another argument you’ll hear a lot in the days following an attack is: “If only we’d known what they were saying to each other, the attack would have been prevented.” Ignoring how ignorant of the realities of electronic communication that statement may be, it’s patently dumb on its face. Terrorism happened before encrypted communications, and if terrorists didn’t have access to WhatsApp, they’d still find a way to communicate.
Despite there being no evidence that the recent attacks in London and Manchester were connected in any way, or that the attackers used encrypted communications to plan and conduct their attack, government and law enforcement representatives will demand access to technology or software that implements any kind of encryption, purportedly as a basis for preventing the next attack.
Despite knowing all of this, intelligence and law enforcement agencies will call for a weakening of encryption. Sadly, it’s unlikely that many of them will actually be directly asked how weakening encryption would have prevented the attack. Even if they are asked, I’d be shocked if the boilerplate response they’ll give is challenged in any way. That’s the media environment we live in today.
3) The People Requesting Expanded Surveillance Powers Won’t Say Why Previous Powers Were Insufficient
One question I regularly ask myself about all these new security measures that are tossed around following an attack is why the expanded security measures obtained after the last attack didn’t prevent this one. In fact, it almost seems like new security measures are proposed with such haste, so immediately after an attack, in order to prevent a proper investigation into previous security failures.
When the Patriot Act was passed, granting the powers to the NSA that would eventually be interpreted to allow the NSA to spy on… well… EVERYONE, did you know that one of the biggest failures was actually communication between the intelligence agencies? That’s right, a full investigation revealed that the powers granted to US intelligence and law enforcement agencies – that would be regularly and routinely abused in the subsequent years – would not have done anything to prevent the 9/11 attacks.
The failure of the French government to fully investigate the Bataclan attacks before blaming the ability of the attackers to communicate using end-to-end encryption in their communications was either a senseless power-grab, fear-mongering, or ignorance. Regardless, demanding new surveillance and security powers based on a recent attack without even fully investigating the attack leads us to adopt ill-considered expansions of security power without even knowing if those powers will help.
Or, more importantly, whether the unintended (or, in some cases, intended) consequences sounds something like…
4) The Proposals Weakening Encryption Will Make Law Abiding Citizens Less Safe
The problem with all of the new security measures that get proposed in the wake of major terrorist attacks is that, inevitably, they involve one of two things: 1) dramatically limiting free speech – and giving the government the authority to determine what speech to limit, or 2) mandating that the government has access to encrypted information. The problems with the first are myriad, but not the subject of this post. The problems with the second, while philosophically less important – maybe – than the first, have much more dramatic real-world implications.
There’s a pervasive belief among those who favor requiring encryption backdoors (and anyone who says that anything that’s encrypted should be able to be decrypted by the company that makes it IS requiring a backdoor, no matter what they say) that somehow these backdoors can be made so that only the good guys get in. That’s not how doors work. Any effort to weaken encryption, whether it’s mandatory backdoors allowing technology companies to decrypt communication, or laws prohibiting the use of end-to-end encryption, there is no way to ensure that those tools remain only in the hands of the company and “good guy” law enforcement – as the recent use of hacked NSA surveillance tools has shown. (Not as though it was only used for proper purposes before then, either!)
In today’s world, where both personal and commercial connections rely on the internet and electronic communication, strong encryption is necessary. By requiring that all encrypted communication have a backdoor, these provisions not only allow law enforcement to observe communications between suspected terrorists. They would also allow unscrupulous government agents to spy on their ex-wives, or allow a hacker to intercept your communications with your bank.
There’s no way to ensure that a backdoor will only be used by the good guys, and only when they need it. Forcing the creation of those backdoors puts us all at risk.
5) The Expanded Surveillance and Encryption Backdoors Won’t Stop the Terrorists
The worst part about expanding these powers is that even the governments requesting them seem to acknowledge they probably won’t help.
Lost amid this whole discussion seems to be one thing that I don’t understand: why do people think that allowing government to access secure communication will stop terrorists from wanting to terrorize? The idea that there is some communication that the government cannot access is not new, contrary to what many people in government seem to think. Terrorists communicated with each other prior to WhatsApp introducing end-to-end encryption, and they’ll do so afterwards.
First, it’s not as though the encryption available on Apple computers and phones or secure messaging services like WhatsApp and Signal is the only way to encrypt communication. If companies based or doing business in the U.S. and Europe are forced to weaken their security, you don’t think companies either a) flying under the radar or b) NOT based or doing business in those places will suddenly stop creating ways to encrypt communications?
On the other hand, weakened encryption will make everyone – but most especially law abiding citizens – less safe in their daily transactions. As we rely more and more on the internet for our banking, our health care, and our regular interaction, we need to ensure that rogue actors, whether they’re hackers, a hostile foreign government, or employees of our own government acting with improper motive, cannot gain access to information that is rightfully and properly kept secret.
In the end…
Fighting terrorism is a deadly serious endeavor, and we entrust our intelligence and law enforcement agencies with a lot of tools to do so. We do that while operating under the belief – false belief at times – that those tools and powers are only used in a proper, lawful manner. However, given the potential for those tools and powers to be misused, and the damage such misuse could cause, none of those powers should be provided in haste – which is what happens after many terrorist attacks.
The government needs to have the ability to keep its people safe, but using the threat of terrorism to expand those abilities, particularly given all that we don’t even really know about terrorism itself, is extremely dangerous.
About the Author
Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.