Encryption is not the enemy

The fearmongering after last week's attacks in Paris does nothing to improve security and helps the terrorists' cause

The terrorist attacks in Paris last week left people angry and fearful. But rather than listen to the age-old advice to never make decisions when you're mad, too many American politicians and security officials have rushed to propose measures that further erode individual freedoms and, yes, security.

In place of reasoned proposals that might actually improve security, knee-jerk reactions have centered on two areas: increasing government surveillance powers and banning encryption because terrorists use it to communicate.

It will shock no one that politicians were quick to exploit the tragedy to their possible advantage. From Jeb Bush calling for a restoration of NSA collection of Americans' phone calls to Marco Rubio trying to score points against Ted Cruz for voting to "weaken the U.S. intelligence programs ... leaving America vulnerable," the posturing was shameless -- and deceitful.

The USA Freedom Act passed this summer by Congress was a very modest reform that merely narrowed the scope of government's mass, untargeted collection of domestic phone records. Emails and international calls are still fair game. Phone companies hold onto that phone data, so the government can still make specific requests. Oh, and the new arrangement hasn't even taken effect. Also, the courts issued a stay to enable the NSA to carry on with business as usual, past the planned Nov. 29 end date. How does any of that constitute a "weakening of U.S. intelligence programs"?

Chief spook John Brennan also inveighed against "policy and legal actions [that] make our ability collectively internationally to find these terrorists much more challenging." He certainly didn't have France in mind when he made this disingenuous accusation. The country passed a sweeping surveillance law this summer that greatly expanded government's surveillance powers.

Still, to hear certain pundits tell it, the greatest threat to America is Edward Snowden's leaks about government surveillance and the public's ensuing calls for privacy protections. Or, as fair and balanced Fox News contributor Dana Perino said on Twitter about Snowden: "F**k him to you know where and back."

The notion that Snowden is somehow to blame for security failures is preposterous -- unless you also believe that prior to his revelations, terrorists were ignorant that government was monitoring their communications. As The Intercept's Glenn Greenwald says, "Any terrorist capable of tying his own shoe -- let alone carrying out a significant attack -- has known for decades that speaking on open telephone and Internet lines was to be avoided due to U.S. surveillance." The extent of U.S. government surveillance came as a shock only to law-abiding citizens caught up in its dragnet.

A more honest assessment of the security situation in Paris came from a French counterterrorism expert and former defense official, who told the New York Times "our intelligence is actually pretty good, but our ability to act on it is limited by the sheer numbers." The problem, in other words, was not a lack of data -- France and Belgium already had many of the terrorists involved in the attacks under surveillance -- but a failure to follow up on all the information that security forces already had. 

As The Verge noted, "We've known since the 9/11 Commission submitted its report that the government's inability to foil the largest and most sophisticated terrorist attack in history was based on its failure to share and analyze information, not because it was unable to scoop up everything that happens on the Internet in real time." 

After the 2013 Boston Marathon bombing, the biggest terrorist attack on U.S. soil since 9/11, the CIA and FBI were accused of failing to connect the dots; there was no dearth of information about the bombers. Even former NSA employees have said the deluge of data drowns analysts in too much information.

"If the administration's intelligence directors are demanding access to even more data than their agencies know what to do with, that points to a failure of leadership rather than a fault of intelligence," ZDNet writes.

Snowden (who didn't depart the NSA with classified files until a month after the Boston bombing) is merely a useful patsy for subsequent failures of leadership -- almost as popular as everyone's other favorite scapegoat: encryption.

Last week's strikes unleashed a renewed attack on the technology, with John McCain promising "we're going to have legislation," and Dianne Feinstein calling it a "big problem" if tech firms "create a product that allows evil monsters to communicate in this way." Former CIA deputy director Mike Morell proclaimed, "We don't know for sure yet, but I think what we're going to learn is that these guys were communicating via these encrypted apps."

Way to stir up the FUD, particularly as a U.S. official told Reuters that the mode of communication the terrorists used remains unknown. It also ignores the fact that even with encryption, metadata can tip off security agencies about threats. "It's up to our intelligence agencies to adapt, by focusing on what encryption can't stop -- like tracking who the bad guys are talking to, when, and where -- instead of breaking the security of everyone who uses the Internet," says Ross Schulman, senior policy counsel at New America's Open Technology Institute.

With billions of people using encryption on iPhones and messaging apps like WhatsApp, it's no surprise that terrorists are using it too. But banning encryption is not likely to deter the latter, only to make the rest of us more vulnerable. As TechCrunch notes:

Terrorists can (and do) build their own securely encrypted communication tools. Terrorists can switch to newer (or older) technologies to circumvent enforcement laws or enforced perforations. They can use plain old obfuscation to code their communications within noisy digital platforms ... folding their chatter into general background digital noise (of which there is no shortage). And terrorists can meet in person, using a network of trusted couriers to facilitate these meetings, as Al Qaeda is known to have done.

The same arguments against the folly of banning encryption or mandating backdoors apply now as strongly as before last week's attacks. "Nothing could disrupt Western society more than banning the very technology that safeguards its citizen's financial transactions and personal information," writes InfoWorld's Serdar Yegulalp. Our economy -- with its online banking, e-commerce, and R&D -- would not survive without strong encryption.

Technology leaders, in particular Apple CEO Tim Cook, have spoken out strongly against the idea of backdoors. "If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It's the good people," Cook stressed. "Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences."

The Obama administration has announced it will not force technology companies to breach the security of their products, but will the currently charged political atmosphere succeed in changing that? Robert Litt, general counsel for the Office of the Director of National Intelligence, predicted in an August email obtained by the Washington Post that the pro-encryption tide "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement."

Or we could resist the rush to blame scapegoats and expect better of our elected representatives and security officials. Writing in 2006 about other terrorist attacks, security expert Bruce Schneier had words that still hold true today:

Our politicians help the terrorists every time they use fear as a campaign tactic.... The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.
