September 17, 2015

Encryption: the Internet user’s friend and the government’s illusory bogeyman

This article originally appeared in CapX on September 17, 2015.

Earlier this year UK Prime Minister David Cameron said, “[t]he question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.” Cameron’s comments follow on the heels of an ongoing debate in Western nations focusing on a perceived need for law enforcement to have “backdoor access” to encrypted communications.

Cameron’s approach, however, is simply untenable.

Among the primary criticisms levied against anti-encryption crusaders is the lack of a coherent and technically feasible plan for implementing such a regime. As with many in domestic US law enforcement, as well as the Republican candidates vying for the 2016 GOP nomination, the fallback retort usually amounts to “we need to have more cooperation between tech companies and law enforcement.” But those calls are a rhetorical circumvention of the technical impossibilities of developing an encryption system that would only permit backdoor access to the good guys. Almost every notable cryptographer and security expert has expressly detailed their opposition to such a scheme, noting it is a technical impossibility to create encryption with vulnerabilities that would not create the possibility for nefarious actors to gain access to such communications.

As the world-renowned security expert Bruce Schneier noted in a response to Cameron’s proposal:

It’s simply not possible to ban strong encryption within a country and software that uses strong encryption from crossing borders. It’s simply not possible to prevent people from installing the software they want on the computing devices they own.

He goes on to describe exactly how such a regime of outlawing encryption would proceed:

It gets draconian pretty fast. UK citizens would be banned from using secure software, and UK companies be banned from producing secure software. The government would have to enforce Internet censorship: people couldn’t download secure software, search engines couldn’t answer queries about secure software, and every packet [of information] would be inspected to ensure it isn’t being encrypted with secure systems. … [I]t wouldn’t work, and trying would destroy the Internet.

And it’s not just security experts. As I noted in a recent blog post for the Niskanen Center, even former high-level intelligence officials have come out in support of the use of encryption and in opposition to mandates ordering the installation of security vulnerabilities. Clearly, the prime minister is proposing a regime that simply would not work in practice.

Of course, as some have suggested, the prime minister’s office is more than likely aware of the technical infeasibility of its designs. Rather, it is likely that Cameron’s hard stance on the issue is meant as a means to justify a “compromise” that merely expands the draconian surveillance powers of the GCHQ. Much like the ongoing debate surrounding law enforcement “going dark” here in the United States, the ongoing discussion in the UK is filled with the prevaricating rhetoric of a government that supports encryption in certain situations while simultaneously attempting to undermine its proliferation and use. Baroness Shields, the Minister for Internet Safety and Security, in a letter delivered to Business Insider, pointed out that while the UK government “supports encryption” and recognizes its necessity for online banking and commerce, the prime minister “has been clear that there cannot be areas of the Internet which are off limits to the rule of law.”

While it is true that encryption can give a safe harbor for terrorists and criminals to communicate sans government eavesdropping, it also allows the use of safe and secure communications for law-abiding citizens. The benefits associated with strong encryption are general and can be had by criminals and law-abiding citizens alike, no different from literally any other consumer good. Public transportation and automobiles benefit people trying to get to and from work; they also benefit terrorists attempting to arrive at their strike destination. Banks provide a centralized conduit where people can deposit and withdraw their money from secure holdings; bank robbers, however, benefit disproportionately from all that money being stored in a central vault. And in the same way, computers benefit individuals with massive increases in productivity, the ability to communicate with the global community via the Internet, and easy, on-demand access to the ubiquitous information flows that have transformed the modern world into an information economy; and yes, in the course of such benefits terrorists and criminals alike can use such a platform for their own exchange of communications and information. If Cameron proposes banning encryption because a few seedy elements will benefit from its use, then why not ban automobiles and banks as well? Or, perhaps more feasibly, why not simply ban computers?

On the one hand, President Obama previously came out supporting Cameron’s calls for security “holes” to be inserted in encryption for law enforcement agency use. More recently, he has tempered the language, falling into the chorus line of officials claiming the need for increased “collaboration between the private and public sector” and arguing their position is not in support of backdoors, but rather for “front doors.” The President has also played rhetorical flip-flop with the issue internationally, arguing that the Chinese government’s proposal of a law to mandate backdoor access in imported software and hardware from US tech companies was a non-starter “if they wish to do business with the United States.” Even more telling, Obama clearly explained how “those kinds of restrictive practices … would, ironically, hurt the Chinese economy over the long term.” Even more ironic, some might say, is the President’s chastisement of the Chinese for engaging in precisely the type of practices he and others have championed here in the US.

Similarly, FBI director James Comey, in an op-ed he penned just prior to appearing before the Senate Intelligence Committee, claimed that the “going dark” phenomenon was becoming a more pronounced public safety problem, whereby

Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.

Of course, when fact-checking the director’s claims, the evidence doesn’t pan out in favor of his position. To wit, as reported by the US Department of Justice, in 2014, of 3,554 total wiretaps issued by federal and state judges, only 22 issued by the states encountered encryption and the encryption was unbreakable in only two of those cases. Of the federally issued wiretaps, only three involved encryption and only two of those situations resulted in unbreakable encryption.

In short, officials in the UK and US are making a mountain out of (less than) a molehill. Encryption is a tool, one that is admittedly readily available to criminals and terrorists just as it is to the overwhelming majority of law-abiding citizens, no different from a variety of consumer goods and services that can be utilized for nefarious purposes. Intentionally weakening encryption comes with costs, just as allowing it to be ubiquitously available does, but the question is whether the costs outweigh the benefits. No encryption means no online banking, no e-commerce, and no strong protection for individuals’ data. In short, without encryption, the Internet becomes much more vulnerable and fragile and its future as a global communications platform – as well as an enduring force for economic growth and the proliferation of liberty – becomes far less certain.

Ryan Hagemann is the civil liberties policy analyst at the Niskanen Center.