Paris. San Bernardino. And now Brussels. The string of recent terror attacks over the past few months has been an appalling display of the worst that humanity has to offer. Unfortunately, before the dust has even settled, some Congressional representatives are already alluding to the possibility that encryption may have been involved in this tragic event. That should come as no surprise, however. The same rumors, assumptions, and general misinformation in the hours and days after Paris and San Bernardino are practically an expected routine at this point. Even months later, details regarding the murderous rampage in Paris are still being misrepresented by both the media and politicians.
Nevertheless, the fact remains that no evidence has surfaced to suggest encryption played any part in yesterday’s bombing. In fact, there are already reports that Belgian authorities were at least partly aware of the potential for an attack and that “the authorities were already on high alert and hunting intensively for suspects.” Whether encryption was used by the attackers or not, initial guesses seem to point to human, not signals, intelligence failures as the real culprits.
In the United States, the encryption debate continues to rage. The policy landscape is rife with discontent over how best to proceed: there are legislative proposals currently in play in the House of Representatives (ENCRYPT Act, McCaul-Warner Commission), a Senate bill yet to be released (Burr-Feinstein), a Congressional working group announced this past Monday, and a temporary cessation of hostilities in the Apple vs FBI legal dispute following the revelation that law enforcement may no longer require the tech company’s assistance in accessing the data on Syed Farook’s iPhone. There appears to be no shortage of fronts in the Second Crypto War. And the battlefield is now global, with various countries proposing their own “solutions” to the encryption “problem.”
Take France, for instance. Back in January, despite still reeling from the terrorist attacks in Paris, the government rejected a proposal that would have required backdoors be installed in encrypted systems—a proposal branded as “vulnerability by design.” This came despite pontifications from CIA director John Brennan who, in the aftermath of the Paris attacks, predicted “that the governments of France and elsewhere were likely to warm to intrusive signals intelligence in the days and weeks ahead.” It is a commendable nod to the French commitment to online privacy and security; even in the wake of such a horrific incident, they chose to embrace strong online security, despite fear mongering and empty, politically-charged rhetoric from American officials across the Atlantic. Yet even as the French have resisted calls to weaken encryption, politicians north of the Channel have taken the opposite approach.
In the United Kingdom, the tenor from politicians is far more concerning as Parliament considers a death knell for encryption: the Draft Investigatory Powers Bill. That legislation, despite hollow and misinformed assurances to the contrary, would do significant harm to encryption used in the UK. Unfortunately, last week the bill, appropriately colloquialized as the “Snooper’s Charter,” passed in the House of Commons by an overwhelming majority: 281 to 15. Before presuming that the vote reflects the opinion of our neighbors across the Pond, consider a survey released just before the vote, which reveals some striking contours of the British public’s perspective on the government’s efforts in this space.
Half of the internet users polled in the UK believe prime minister David Cameron and the government’s actions to weaken encryption are an infringement of UK citizens’ rights, with 74% saying they believe in the fundamental right to privacy online.
The survey shows that the UK public believes weak encryption is bad for business, with only one in 10 thinking that weakened encryption will not make investment in the UK less attractive, 40% saying reputational damage caused by the Investigatory Powers Bill will be bad for UK businesses, and nearly half believing that weakened encryption will force some UK businesses to move abroad.
Three in five of the survey respondents think making personal data easier for government officials to access will also make it easier for criminals to access that data, and only 43% agree that weakening encryption protections will help law enforcement catch cyber criminals and protect the country.
Though the politics and provisions of the bill would require an entirely separate blog post to dissect and analyze, the proposal would essentially compel companies like Facebook and Apple to supply the means to provide UK authorities with the decrypted communications of their users. That would essentially outlaw secure end-to-end encryption, and it comes despite a February joint committee report that argues the bill “needs to be fundamentally rethought and rebuilt.” A recent tweet from Edward Snowden drilled into the heart of what this legislation really means: “… [The Draft Investigatory Powers Bill] legitimizes mass surveillance. It is the most intrusive and least accountable surveillance regime in the West.”
In fact, the countries of the European Union have, by and large, been longtime advocates of the right of individuals to access and use encryption protocols. As a 2013 research paper in the Northwestern Journal of Technology and Intellectual Property points out:
The European Union has been a long-time advocate of free domestic use of strong cryptography. In the 1990s, the Clinton Administration pursued several international initiatives aimed at encouraging—or even mandating—key escrow. The EU, through the European Commission, took a stance against those proposals. The Commission “stresse[d] the economic and societal importance of cryptography,” and noted that “[k]ey escrow or key recovery raise a number of practical and complex questions that policy makers would need to solve, in particular issues of privacy, vulnerability, effectiveness and costs.” Hence, European support for the free use of encryption and opposition to mandatory key escrow proved critical to the continued development of strong cryptography.
Contrast that perspective with China’s approach to this issue, which involves heavy regulation, licensing, and government-approved oversight of encryption products. The Chinese government actually has a regulatory body, the National Commission on Encryption Code Regulations (NCECR), which regulates the availability of encryption products on a pre-approval basis.
Furthermore, individuals and firms in China can only use cryptography products approved by the NCECR. This also applies to foreign individuals and firms operating in China, who must report details of their encryption systems to, and receive approval to use those products from, the NCECR.
Keeping encryption strong and free from onerous government mandates is a global issue. That is why the Niskanen Center, along with almost 200 other organizations, companies, and individuals from dozens of other countries, recently signed on to SecureTheInternet.org in an effort to promote the principles that governments should NOT:
- ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
- mandate the design or implementation of “backdoors” or vulnerabilities into tools, technologies, or services;
- require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
- seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and
- either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
Only by adhering to these tenets can governments of the world truly protect the civil liberties, economic interests, and online safety and security of their citizens.
It is more imperative than ever that the United States show itself to be a true global leader on encryption. Rather than prevaricating around this issue, American policymakers should be unequivocal in their support for strong online security mechanisms. Such a stance will go much further in keeping individual citizens safe and secure online. America has long been a leader in the Internet landscape and disruptive technological innovation. We should not relinquish that mantle of responsibility for the allure of pursuing an illusory sense of “perfect” security—indeed, the stronger the encryption we have available, the more secure we are individually, as well as collectively as a nation. By supporting legislation and policy prescriptions that would weaken the security of the average American’s online data, we imperil the sanctity of our civil liberties, our economic vitality, and our national security.