Opportunists call for weakening encryption in wake of Paris attack
Creating coding 'backdoors' to help law enforcement stop terrorists is fraught with complexities
By Bob Sullivan, ThirdCertainty
It’s natural to look for a scapegoat after something terrible happens.
Some are now arguing that if only we could have read encrypted communications, perhaps the Paris terrorist attacks could have been stopped. … Wrong.
Read every story you see about Paris carefully and look for evidence that encryption played a role. You won’t find it.
There’s a reason The Patriot Act was passed only a few weeks after 9/11—and it wasn’t because Congress finally was able to act quickly and efficiently on something. The speed came because many elements of the Patriot Act already had been written, and forces with an agenda were sitting in wait for a disaster so they could push that agenda. That is wrong.
So here we are, once again, faced with political opportunism after an unthinkable human tragedy, and we must remain strong in the face of it. There is no simple answer to terrorism, and we should all know this by now.
Beware knee-jerk reactions
And so there must be no simple discussion about the use of encryption in the Western world. The debate requires careful analysis, and we owe it to everyone who ever died for a free society to consider this thoughtfully.
The basics are this: Only recently, computing power has become inexpensive enough that ordinary citizens can scramble messages so effectively that even governments with near-infinite resources cannot crack them. Such secret-keeping powers scare government officials, and for good reason. They can, theoretically, allow criminals and terrorists to communicate with a cloak of invisibility.
Not surprisingly, several government officials have called for a method that would allow law enforcement to crack these codes. There are many schemes for this, but they all boil down to something akin to creating a master key that would be generated by encryption-making firms and given to government officials, who would use the key only after a judge granted permission. This is sometimes referred to as creating “backdoors” for law enforcement.
Governments already can listen in on telephone conversations after obtaining the proper court order. What’s the difference with a master encryption key?
Sadly, it’s not so simple.
For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law. But products created outside the United States? They’d create backdoors only if their governments required it. You see where I’m going. There will be no global master key law that all corporations adhere to.
By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed. Plenty of companies would create rogue encryption products, now that the market for them would explode. And, of course, terrorists are hard at work creating their own encryption schemes.
There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very, very hard to undo a technological advance.
Dangers of dismantling encryption
Meanwhile, creation of backdoors would make us all less safe. Would you trust governments to store and protect such a master key? Managing defense of such a universal secret-killer is the stuff of movie plots. No, the master key would most likely get out, or the backdoor would be hacked. That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind our backs.
In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.
Is there some creative technological solution that might help law enforcement find terrorists without destroying the entire concept of encryption? Perhaps, and I’d be all ears. I haven’t heard it yet.
Only a few weeks after 9/11, a software engineer who told me he was working for the FBI contacted me and told me he was helping create a piece of software called Magic Lantern. It was a type of computer virus, a Trojan horse key logger, that could be remotely installed on a target’s computer and steal pass phrases used to open up encrypted documents.
The programmer was uncomfortable with the work and wanted to expose it. I wrote the story for msnbc.com, and after denying the existence of Magic Lantern for a while, the FBI ultimately conceded using this strategy. While we could debate the merits of Magic Lantern, at least it constituted a targeted investigation—something far, far removed from rendering all encryption ineffective.
For a far more detailed examination of these issues, you should read Kim Zetter at Wired, as I always do. Then make up your own mind.
Don’t let a politician or a law enforcement official with an agenda make it for you. Most of all, don’t allow someone who capitalizes on tragedy mere hours after the first blood is spilled—an act so crass it disqualifies any argument such a person makes—to influence your thinking.
More on encryption:
Encryption must be strong, used properly to reliably protect data
Anthem breach shows need for wider encryption of sensitive data
‘Let’s Encrypt’ seeks to foster trust in web traffic