A Strong Case For Strong Encryption

A Strong Case For Strong Encryption

This post is also available in: heעברית (Hebrew)

by Konstantin Bodragin

A vocal and at times fierce debate over encryption has developed in recent months. On the one side are those proposing the introduction of government mandated backdoors into products that use encryption, mainly some members of the intelligence community and government officials of various countries. Opposite them you’ll find those in favour of strong encryption, among them cyber security experts, privacy advocates, the Dutch government, and some unlikely allies, such as ex-NSA chief General Michael Hayden and the current head of the agency, Admiral Michael Rogers.

The fear many in the for camp have is not unfounded. ISIS and other jihadi organisations, as well as criminal syndicates and other unlawful entities, have demonstrated a willingness and ability to use the most modern tools at their disposal. This includes encrypted messaging services like Telegram and other platforms. The fear, then, is that as more and more hostile elements use encryption the world will “go dark,” as the FBI put it in a statement on the issue, and that the agencies tasked with preserving our safety will be unable to monitor terrorist activity and perform their duties.

However, as Phillip Rogaway, professor in the Department of Computer Science at the University of California, Davis, says in a recent interview in The Atlantic, “law enforcement has an extraordinary set of tools available to them now. An unprecedented set of capabilities, both for law enforcement and intelligence services. These aren’t somehow the dark times for either law enforcement or intelligence. These are the times of extraordinary information. Nowhere in history has it been so easy to learn so much about everybody.”

The amount of information available to law enforcement is indeed staggeringly large. Even if a would-be attacker encrypts all his communications, investigators have access to something far more useful: his metadata. Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California, wrote in a recent Washington Post column, “if the investigator knows everything [an attacker] does, everyone he talks to and everywhere he goes, how much does it matter that the investigator doesn’t know what [the attacker] says?”

Beyond communication metadata, if the suspect uses a Google or Facebook account, investigators can potentially access a treasure trove of information, such as search and browsing history, and usually automatic backups of the data itself. More importantly, however, with a simple warrant to the phone company, investigators could access such valuable information as call and text messaging records, and crucially, a record of the phone’s locations as it connects to various cell towers.

While there are certainly some benefits in security agencies being able to access the contents of encrypted communications, the risks could far outweigh them. It is simply not possible to introduce a backdoor that cannot be exploited. This poses a significant threat to security.

This message has not been lost on the government of The Netherlands. The Dutch Ministry of Security and Justice recently published a letter outlining a case against the introduction of encryption backdoors.

It said that granting law enforcement and security agencies access to protected data would make digital systems vulnerable to “criminals, terrorists and foreign intelligence services.”

“This would have undesirable consequences for the security of information stored and communicated and the integrity of ICT systems, which are increasingly of importance for the functioning of the society,” it added.

General Michael Hayden, a former Director of the NSA, has also stepped into the arena, and on an unexpected side. “I disagree with [FBI director] Jim Comey,” Hayden said in a speech at a cybersecurity conference in Miami Beach. “I actually think end-to-end encryption is good for America.”

No one could accuse Haydn of willingly giving up security for an irrelevant crusade, nor that he has no knowledge of what he speaks of. But, as Haydn said, encryption is good for America, and for the world. Globally, cybercrime will cost businesses over $2 trillion by 2019 according to a report by Juniper Research. Without end-to-end encryption, solutions to this vexing problem can only be partially effective.  “I know encryption represents a particular challenge for the FBI. But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor,” Haydn went on to add.

The current chief of the NSA, Admiral Michael Rogers, has also weighed in on the matter during a US Senate Intelligence Committee hearing last September. Rogers acknowledged that if backdoor keys were implemented for government use it would create “more opportunities for malicious actors or foreign hackers to get access to the key.”

Weakening security in the name of security is a futile enterprise. As Swedish cyber security expert Robert Malmgren said, “the bad guys will break the law anyway. If encryption is outlawed, they don’t care. They don’t care about laws.” It is also most likely impossible. “I can just win this argument on practical grounds,” Hayden said. “When was the last time you saw the success of legislation designed to prevent technological progress? It’s just not gonna happen.”

These comments from some of the intelligence community’s most prominent members corroborate what cybersecurity experts and data scientists have been saying for years: requiring companies to provide copies of encryption keys will only weaken security rather than strengthen it. As we have written here before, to most effectively combat the scourge of terrorism, intelligence agencies must fully utilise the information they have available to them: open source intelligence, metadata, and good old fashioned investigative work. Technology can provide great tools for these purposes, but when you declare technological progress as your enemy, you are fighting a losing battle.