1. Backdoors Won’t Combat Home-Brewed Encryption.
Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects using products that are made in countries not controlled by US laws.
“There’s no way of preventing a terrorist from installing a Russian [encryption] app or a Brazilian app,” notes Nate Cardozo, staff attorney for the Electronic Frontier Foundation. “The US or UK government could mandate [backdoors], but Open Whisper Systems is not going to put in a backdoor in their product period and neither is PGP. So as soon as a terrorist is sophisticated enough to know how to install that, any backdoor is going to be defeated.”
Such backdoors also will be useless if terrorist suspects create their own encryption apps. According to the security firm Recorded Future, after the Snowden leaks, its analysts “observed an increased pace of innovation, specifically new competing jihadist platforms and three major new encryption tools from three different organizations—GIMF, Al-Fajr Technical Committee, and ISIS.” Encryption backdoors and keys also don’t help when terrorists stop using digital communications entirely. A 2011 AP story indicated that al-Qaida had long ago ditched cell phones and internet-connected computers in favor of walkie talkies and couriers.
News reports about the Paris attacks have indicated that some of the perpetrators lived in the same town in Belgium—which would have made it very easy to coordinate their attack in person, without the need for digital communication.
2. Other Ways to Get Information.
The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before they’re encrypted and after they’re decrypted on the target’s computer.
In the case of seized devices that are locked with a password or encryption key, these devices have a number of security holes that give authorities different options for gaining access, as WIRED previously reported. A story this week pointed to vulnerabilities in BitLocker that would make it fairly easy to bypass the Windows encryption tool. And the leaks of Edward Snowden show that the NSA and British intelligence agencies have a constantly evolving set of tools and methods for obtaining information from hard-to-reach systems.
“We’re still living in an absolute Golden Age of surveillance,” says Cardozo. “And there is always a way of getting the data that is needed for intelligence purposes.”
3. Encryption Doesn’t Obscure Metadata.
Encryption doesn’t prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections, identities and locating people.
“[CIA] Director Brennan gleefully told us earlier this year that they kill people based on metadata,” Cardozo says. “Metadata is enough for them to target drone strikes. And that’s pretty much the most serious thing we could possibly do with surveillance.”
Some metadata is encrypted—for example, the IP addresses of people who use Tor. But recent stories have shown that this protection is not foolproof. Authorities have exploited vulnerabilities in Tor to identify and locate suspects.
“Tor can make the ‘where’ a little more difficult, but doesn’t make it impossible [to locate someone],” Cardozo says. “And Tor is a lot harder [for suspects] to use than your average encrypted messaging tool.”
4. Backdoors Make Everyone Vulnerable.
As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies don’t just make terrorists and criminals open to surveillance from Western authorities with authorization—they make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.
The National Security Council, in a draft paper about encryption backdoors obtained by the Post earlier this year, noted the societal tradeoffs in forcing companies to install backdoors in their products. “Overall, the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption,” the paper stated.
If all of these aren’t reason enough to question the attacks on encryption, there is another reason. Over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didn’t have the technical means to identify suspects and monitor their communications. Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners. Turkish authorities have already revealed that they had contacted French authorities twice to warn them about one of the attackers, but that French authorities never got back to them until after the massacre in Paris on Friday.
Officials in France indicated that they had thwarted at least six other attack plots in recent months, but that the sheer number of suspects makes it difficult to track everyone. French intelligence maintains a database of suspected individuals that currently has more than 11,000 names on it, but tracking individuals and analyzing data in a timely manner to uncover who poses the greatest threat is more than the security services can manage, experts there have said. It’s a familiar refrain that seems to come up after every terrorist attack.
“If Snowden has taught us anything, it’s that the intel agencies are drowning in data,” Cardozo says. “They have this ‘collect it all mentality’ and that has led to a ridiculous amount of data in their possession. It’s not about having enough data; it’s a matter of not knowing what to do with the data they already have. That’s been true since before 9/11, and it’s even more true now.”