Encryption

The Crypto Wars Are Not About Terrorism, They're About Power

Make no mistake: the War on Crypto is not primarily about "terrorism" or "fighting crime" or "public safety" at all.

|

tyler_r

The FBI may have been able to unlock San Bernardino shooter Syed Rizwan Farook's work-related iPhone without conscripting Apple as an unwilling hacker, but that has not slowed down the government's broader war on encrypted technologies one bit. It didn't take long for another tragic terrorist attack, this one in Belgium, to provide fresh rhetorical ammunition to the stubborn officials in a quixotic battle against mathematical techniques that keep us safe online. 

As is typical these days, early reports that the Brussels attackers used encrypted technologies tended to be both alarmist and inaccurate. But the extent to which terrorists employ secure technologies (or not) is irrelevant: governments will seize upon whatever emotional excuse that they can in a crusade to augment their authority. 

In the wake of the Brussels attack, we saw the same "encryption panic cycle" that was first typified after terrorist attacks in Paris last year and later with the San Bernardino investigation. In both instances, parties who have always opposed strong security techniques quickly speculated that encryption was to blame long before facts were established, ensuring the conversation was framed in a beneficial way for their policy goals.

For example, in the wake of the Paris attacks, longtime encryption opponent Rep. Adam Schiff (D-California) wasted little time in preemptively calling upon Congress to require a "backdoor" for government access to encrypted technologies. There was just one problem—most, if not all, of the terrorist's planning was done with no encryption at all, relying instead on the tried and true burner-phone method. This does not appear to have prompted any new restraint from the Congressman, however. After the Brussels bombings occured, Schiff stated that while "we do not know yet what role, if any, encrypted communications played in these attacks … we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks."

Then there's Schiff's sister in encryption-antipathy, Sen. Diane Feinstein (D-California). Feinstein at least had the decency to wait a few days before exploiting the Paris attacks to further her anti-encryption agenda. But she does not seem to have learned any lessons about jumping to conclusions after terrorist incidents, either. On the day of the Brussels attacks, Feinstein leapt into action to urge the intelligence community to "use all the tools at [their] disposal to fight back"—presumably, by compromising security techniques for government access, as her recent bill proposes.

Unfortunately, Schiff and Feinstein only happen to be some of the noisiest warriors against our online security in Congress. These attitudes are troublingly common among our elected officials. 

In fact, it is still unclear exactly whether or how the Brussels attackers used encryption to carry out their vicious plans. We may not have a better picture until the investigations conclude several months from now.

We do know that ISIS operatives have trained new recruits to use TrueCrypt, a discontinued on-the-fly encryption program, but we do not know how extensively this program is being used. In the case of the Paris attacks, the final report found no direct evidence that encryption was employed, though French police did note that they were unable to find any of the attackers' email communications. Police speculate that this is because the terrorists used encryption, but it is also possible that they simply did not use email. In any event, the "did-they-or-didn't-they" dance with encryption in many ways misses the big picture.

As a report from Harvard's Berkman Center for Internet & Society argues, it is incredibly difficult for even the most competent hacker to completely "go dark." The structure of the Internet is such that even people who use encryption programs leak reams of metadata that should prove illuminating in criminal investigations. The authors should know—some of the report's signatories include leading cryptographers who agonize over just these vulnerabilities.

And it's important to keep the scope of the problem in context. When I dug into the Administrative Office of the U.S. Courts' data on the total number of wiretaps that involved any encryption at all, I was surprised by how limited this problem appears to be. From 2001 to 2014, only 147 of the total 32,539 reported wiretaps encountered any issues with encryption. That's 0.45 percent.

On top of that, most of those encrypted technologies were able to be deciphered anyway. A measly 15, or 0.046 percent of the total, were both encrypted and uncracked.

Furthermore, the vast majority of these wiretaps have nothing to do with terrorism or even violent crime at all. The American Civil Liberties Union (ACLU) issued FIOA requests to find out more information about the government's cases against device manufacturers such as Apple and Google involving locked phones. They found 73 instances where the government attempted to apply the All Writs Act of 1789 to force a company to unlock a device like they did in the San Bernardino case. Of the 41 cases in which a crime can be identified, 19 involve drug charges, nine involve sexual offenses, six involve fraud, and another four involve assorted charges like carjacking and gambling. Only one case—the infamous San Bernardino incident—involves the kind of terrorist activity that law enforcement officials often invoke to demonize encryption.

But the biggest problem with the government's line of reasoning on encryption is that it is self-defeating. Government meddling in secure encryption techniques will not prevent terrorists from developing their own encryption programs, but it will backfire by making innocent parties less secure. The mathematics at the heart of encryption techniques will continue to exist no matter how harshly it is criminalized. "Banning" these security techniques for innocent people will expose them to dramatic vulnerabilities online, as is evidenced by the recent FREAK, LOGJAM, and Heartbleed vulnerabilities that resulted from U.S. government encryption restrictions in the 1990s. Nor will building a so-called "backdoor" exclusively for law-enforcement access work, either: the bad guys can use backdoors, too. There is simply no away around this technical reality. 

Make no mistake: the War on Crypto is not primarily about "terrorism" or "fighting crime" or "public safety" at all. Rather, these emotional hot-buttons are merely a cover to justify expansions in government power that law enforcement officials have long coveted, as leaked emails from top intelligence lawyer Robert S. Litt show. Unfortunately for the rest of us, this naked desire for unattainable power trumps the very real dangers of purposefully crippling our security online.

It's hard to anticipate how this seemingly non-negotiable tension will end as new developments in the arms race between secure technologies and government shenanigans escalate in both pace and volume. Last week, the popular messaging service WhatsApp made waves by announcing that it would enable end-to-end encryption for its over 400 million users. That same week, Sens. Feinstein and Richard Burr (R-North Carolina) unveiled a draft bill to force companies to decrypt data on demand—a measure which would effectively criminalize WhatsApp's end-to-end encryption. If we truly value online security and personal privacy online, it looks like we're going to have to fight for it.