In the wake of another horrifying terror attack at multiple venues in Paris, France, the atmosphere is just right for another push towards more draconian, less free, government. Wresting liberties away from citizens is child’s play. You identify a means to assert personal privacy or private property, such as encryption. Then you find a suitably emotional public fear, such as mass murder. All you now need to is claim – without presenting any evidence – that one promotes the other, and therefore, it ought to be restricted, or better yet, removed entirely from the hands of citizens, and safely deposited in the hands of government.
Emotionally overwrought people who feel unsafe are often willing to permit their governments wide-ranging powers to combat what they fear. Those governments are only too eager to grab these opportunities, and demand more powers, as they did the last time Paris was hit by terrorists. Dazed by shock, citizens and legislators flock to the ballot box like so many sheep, calling for guns to be banned or encryption to be restricted, without having the faintest idea where criminals get guns or how encryption works. Poor lambs, clamouring for protection. No wonder the political wolves are ready to pounce.
New York City’s commissioner of police, Bill Bratton, went straight for the encryption jugular. He cited James Comey, the director of the Federal Bureau of Investigation, who wants to see encryption banned. Across the pond, David Cameron, the British prime minister, also wants law enforcement to be able to break any encryption they come across. Former George W. Bush press secretary Dana Perino politely suggested Snowden’s disclosure of illegal NSA surveillance had something to do with the attack:
“Also, F Snowden. F him to you know where and back.”
Perhaps Glenn Greenwald, the journalist who broke the Snowden story, is the best person to respond to such vitriolic nonsense. Yahoo reporters ran with the ominous headline: “Paris attacks show US surveillance of Islamic State may be ‘going dark’,” adding, “Officials contend Snowden disclosures, use of sophisticated encryption and messaging apps are making terrorists harder to track.”
It warns that terrorists are “using new software such as Tor”.
Even Yahoo reporters ought to be able to use Wikipedia, where the enterprising journalist might learn that Tor was originally developed 20 years ago by the United States government to protect US intelligence communications, that the first public version was released in 2002, and that the code has been available under a free licence since 2004. “Tor has been praised for providing privacy and anonymity to vulnerable Internet users such as political activists fearing surveillance and arrest, ordinary web users seeking to circumvent censorship, and people who have been threatened with violence or abuse by stalkers,” the page reads.
Wanting to blame Tor when terrorists use it (which in this case has not been established) is as absurd as blaming cars when terrorists rent them (which in this case did happen). When someone hits someone else with a cricket bat, you don’t propose to ban cricket to solve the problem.
The Yahoo article is dangerously naïve sensationalism and shocking journalism. It also declined to disclose how, if those terrorists are so hard to track because of encryption, an alleged mastermind behind the attacks has been identified in less than 72 hours. Even the New York Times got in on the speculative action, in an article – since deleted, but archived here – that claims the Paris terrorists had been in contact with Islamic State handlers.
“The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation, but were not authorised to speak publicly,” the Times journalists wrote, not caring that unnamed sources who merely attended a briefing are hardly reliable witnesses. “It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”
What any journalist worth a job at the New York Times ought to know is that “pressing for more leeway to counter the growing use of encryption” fundamentally threatens not only the pursuit of journalism, but also the legitimate communications and transactions of everyone else. The least they can do, if they consider this merely opinion, rather than fact, is quote an expert on computer security and encryption to counter all the unnamed officials who attended briefings.
Bruce Schneier, to take one high-profile cryptographer and security specialist, argues that mass surveillance cannot, will not, and never has stopped a terrorist, as a simple matter of mathematics. Now, one might understand if people prove willing to sacrifice their liberties and grant invasive powers to government if doing so brought tremendous benefits, such as catching terrorists, but not only do these measures not deliver the advertised results, they often turn against the very citizens they are supposed to protect. Opponents of encryption are proposing to impose a great cost, for no measurable benefit.
Forbes ran an even more breathless article, speculating – again, without any evidence or even allegations to that effect – that the Paris terrorists “may have used” PlayStation 4 consoles to discuss and plan attacks. Sure. And they may have used ordinary telephones. Or satphones. Or encrypted email. Or plain-text email sent via their own mail server, instead of via Google, Apple or Microsoft. Or perhaps they met at a local coffee shop, or a friendly neighbourhood religious establishment. All of this is possible, but PlayStation 4 is the most knee-jerk sensationalism that Forbes could fabricate.
But let us suppose, for the sake of argument, that politicians and their luddite lackeys in the media got their wish, and forced software companies such as Apple, Google and Facebook to provide intelligence and police forces with access to customer data via secret backdoors into their software. It would be trivial for a terrorist with a functional IQ to select any one of a number of free and open-source tools to create their own communications platform. Using PGP or GPG to encrypt a message before sending it, so that only the intended recipient can read it, is not a complicated process. Writing an app to do so is the stuff of programming homework assignments. Finding a virtual private network that does not keep access logs and is located in a jurisdiction less hostile to privacy is also not difficult.
In fact, these services already exist, and most do not rely on Google, Microsoft, Facebook, Apple, or some other large American tech firm that can be strong-armed by the US government. The Electronic Frontier Foundation, a prominent civil liberties group, last year evaluated 39 different apps or services that claim to provide encrypted communication, finding six of them met its high standards. Armed with any one of these, terrorists can go about their online business without a care in the world, while law enforcement is flooded with a firehose of data from everyone else.
The deluge of private information on which officials will be able to snoop includes personal details such as identity, passport or social security numbers, telephone and email contacts, medical records, insurance records, evidence about sexual proclivities and preferences, correspondence about personal problems such as alcoholism, domestic abuse or post-traumatic stress, banking transactions, confidential board minutes and contract negotiations, and much more.
If retailers can predict pregnancies just by analysing the data they legally collect about customers, imagine what a government can do once when they can access the content of all your correspondence. Government officials all over the world have proven that they are willing to unlawfully access and use this kind of information. The US Director of National Intelligence, James Clapper, blatantly lied under oath, when asked by the US Congress whether the NSA collects any data at all on millions of Americans. The NSA has been caught in economic espionage against foreign companies, which is far from its supposed “national security” remit. Claims that mass surveillance programmes are necessary to thwart terrorist plots are undermined by the public record, which shows only a tiny fraction involve any such surveillance at all.
And face it, since they do not know yet how the Paris attacks were planned and coordinated, any claims made about encryption or other tools that were used are pure speculation and rank opportunism. So “trust me” isn’t exactly a good argument for giving governments the power of unrestricted access to everybody’s communications. They are a priori dishonest, and their claims should be rejected with contempt. But let’s suppose that we can trust our worthy government overlords not to abuse their power. (I know it’s hard to visualise things that have never existed and never will, but bear with me.)
The personal information of millions of people has been exposed by hackers who breached the security of government agencies, all around the world. This happens frequently to even the most sophisticated organisations in the world, like the US Office of Personnel Management, the US Internal Revenue Service, UK Revenue and Customs, various US courts, the UK Home Office, the Norwegian tax authority, the UK Ministry of Defence, the Pentagon, Stratfor, US law enforcement agencies and courts, and, indeed, the South African Police Service. (Explore some of the biggest private and government data breaches with this great interactive chart).
So, even if we could trust their honesty and integrity, we cannot trust their competence to keep our secrets to themselves. Even the US government’s own Central Intelligence Agency advisers believe the answer to thwarting the cyber-attacks that cost the economy some $400 billion every year lies in using more encryption, not less.
If government gets to access to our encrypted communications, no matter how good their reasons, then so will criminals. And with that information, they will harm us. Financial fraud by means of identity theft is rife. Extortion using sensitive private information is on the rise. And while the criminals coin it from our lack of security, they will take rather more care with their own communication, to make sure they do not get nabbed in the same way they nab their victims.
Restricting encryption or providing back doors for law enforcement will have the exact opposite of its intended effect. It will make ordinary citizens less safe, while encouraging criminals to be ever more circumspect about information and operational security. Do not be fooled by unscrupulous politicians and spies who piggy-back on the terror spread by extremists to promote their own under-handed agenda. Hobbling encryption will not stop the bad guys, and it will hurt the rest of us. DM