
Top Cops Pick the Midst of an International Spying Scandal To Demand Encryption Curbs

Regulating privacy protections would put the public at greater risk than criminals.

You would think that the midst of yet another international scandal over governments spying on people who annoy them would be an inopportune time to call for curbs on tools that protect privacy, but that underestimates the compulsion that drives authoritarians. The world keeps offering evidence that encrypting communications is important, especially as a shield against the powers that be, but petty officials can't help but find such barriers frustrating to their eavesdropping impulses, even when they already have plenty of tools at their disposal for investigations legitimate and otherwise.

"As our two agencies work to protect citizens on both sides of the Atlantic, we have come to conclude that the single most problematic barrier to doing so stems from unregulated encryption," write Cyrus R. Vance, Jr., district attorney of New York County, and Catherine De Bolle, executive director of Europol, the law enforcement agency of the European Union. "To be clear, we both support strong encryption, just not unregulated encryption. No sector — in this case, the tech industry — should be allowed to dictate the rules of access to digital data for all of society, with limited regard to the wider impact those rules might have."

Despite the two officials engaging in popular tech-bashing, it's obvious that companies don't "dictate the rules of access to digital data for all of society." Through their actions and the tools they adopt, people communicating with one another have the greatest input into the security of their data. Vance and De Bolle would replace those multitudes of individual choices with one rule-maker: government. That letting government mandate some sort of access to private communications has a downside is apparent from the reactions of people who understand the technology and point out that you can't punch holes in privacy protections and be sure they'll only be used by good guys against bad guys.

"No matter what you call it, a backdoor is a backdoor," the Internet Society's Jeff Wilbur and Ryan Polk pointed out last year. "Any method that gives a third-party access to encrypted data creates a major vulnerability that weakens the security of law-abiding citizens and the Internet at large."

"Backdoors to encryption are like chinks in an otherwise impenetrable chain — once you've opened up a vulnerability, you cannot choose who can exploit it," agrees Adam Hadley of the UN-sponsored Tech Against Terrorism project in a letter written as a rebuttal to Vance and De Bolle.

Vance and De Bolle aren't specific in what they want in terms of regulation for encryption, but they demand access for government agencies—which means weakened privacy protections. They are specific in the list of horribles they cite as threats protected by encryption: child sex trafficking, organized crime, ransomware, and terrorists are all supposedly the main beneficiaries of encryption. Left off that list, though, are the activists, journalists, and thorns-in-the-side recently found to be targeted by many governments through the use of a single package of commercially available spy software.

"NSO Group's spyware has been used to facilitate human rights violations around the world on a massive scale, according to a major investigation into the leak of 50,000 phone numbers of potential surveillance targets," Amnesty International noted on July 18. "These include heads of state, activists and journalists, including Jamal Khashoggi's family."

"Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group's client governments, one name stands out as particularly ironic," reports The Guardian. "Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list."

Apologists for the surveillance state will object that the United States government isn't like its authoritarian counterparts in Azerbaijan or Saudi Arabia, which used the spyware to monitor political opponents. But sometimes, there's good reason to fear the state in supposedly free countries.

"The FBI entraps hapless people all the time, arrests them, charges them with domestic terrorism offenses or other serious felonies, claims victory in the 'war on domestic terrorism,' and then asks Congress for more money to entrap more people," writes John Kiriakou, a former CIA officer and whistleblower on U.S. torture. "This is the same FBI that tried to force Martin Luther King to commit suicide. This is the same FBI that illegally spied on U.S. citizens who were opposed to the Vietnam War. It's the same FBI that had an agent illegally impersonate an Associated Press reporter and illegally infect a 15-year-old's computer with malicious software."

As officialdom turns against not just those who expose misdeeds, but also those who support out-of-power political factions, we have all the more reason to keep our communications private. What we say may be less important than how creatively it can be interpreted by government officials determined to make an arrest, and there's no reason to make their jobs any easier.

Not that intercepting emails, text messages, and phone calls is universally impossible for government investigators willing to put in the effort. In addition to NSO, companies including Grayshift and Cellebrite specialize in helping governments bypass or crack encrypted communication. Success isn't guaranteed, but few things are. Vance and De Bolle even concede the existence of these capabilities.

"Where tools are available to unlock encrypted devices, however, they are often expensive," they write. "For agencies with fewer resources, funding expensive decryption techniques is impossible."

So, Vance and De Bolle's big complaint seems to be that conducting criminal investigations involves time and expense. If only catching bad guys didn't take such a bite out of weekends and budgets!

Of course, "regulated" encryption sounds like exactly the sort of compromised technology that real criminals and terrorists want to avoid. Earlier this year, law enforcement in a dozen countries stung criminal organizations with a network of encrypted phones created by the agencies themselves. It was a significant policing coup, but demand for the phones, and for devices offered by an earlier actual underground service, demonstrates that criminals and terrorists aren't interested in communications services that offer access to cops. They'll seek alternatives that remain unregulated even if that's illegal.

"Terrorists are highly mobile online and would be quick to migrate to services unwilling to cooperate with law enforcement," writes Tech Against Terrorism's Hadley.

The ultimate targets of regulated encryption, then, will be regular people using commonly available technology to share messages that annoy powerful people. Vance and De Bolle talk a lot about curbing privacy protections for criminals and terrorists, but the regulations they demand would increase risk less for bad actors than for you and me.