Encryption is not for terrorists

Recent attacks by Daesh in Turkey, Egypt, Lebanon, and Paris have fanned the flames of an ongoing debate about software that is resistant to surveillance. It seems that some participants in that debate are trying to use these attacks as an excuse to drum up fear around end-to-end encryption. They argue that these events tell us that the general citizenry shouldn’t have access to strong privacy-preserving tools.

A lot of people are saying a lot of smart things on the subject, but I want to briefly outline a couple ways in which this call for limiting encryption is problematic.

This instance

There appears to be no actual evidence that encryption software was used to plan recent attacks, much less that such software thwarted intelligence agents who would otherwise have been able to prevent the tragedies. Indeed, Le Monde reports that the cell phone found in a trash can near the Bataclan in Paris contained “a detailed map of the concert hall in addition to an SMS message saying, according to information gathered by Le Monde, ‘Let’s go and get this started.’” [1] Not an encrypted chat program, or an encrypted email – an old-fashioned, easily-intercepted text message.

This lack of evidence did not prevent “European officials” from asserting that encryption tools had a role in the Parisian attacks – assertions that were published and silently removed in an article by the New York Times.

We all have an interest in seeing terrorists’ attacks prevented, and we can all appreciate that finding and monitoring the activities of malicious actors is hard work. It’s also understandable if officials are trying to keep details of the investigation (like what communication tools the terrorists used) quiet. But fear-mongering about encryption – whether it’s truly disingenuous or simply unsupported – doesn’t make the public feel better when attacks occur, nor does it mollify people’s concerns about the massive surveillance systems that have been put in place to thwart such plots.

Indeed, false claims of encryption hampering intelligence efforts only highlight the ineffectiveness of mass surveillance. The cynics among us must wonder, “Why are they complaining about encryption, when they can’t even thwart attacks that are planned in the clear?”

The bigger picture

Even if there is evidence that the terrorists who planned these attacks were using high-quality encryption tools (and not just ones that are likely insecure in practice), that doesn’t mean that law-abiding citizens should be prevented from doing so. There are many imperfect analogies we can use to argue this point: terrorists use fast cars, paper shredders, cell phones, and (for countries with minimal gun-control laws) terrorists use firearms. When push comes to shove, the fact that a technology with substantial lawful use is sometimes used by malicious people – and even when this use of technology makes it more difficult for law enforcement to stop the “bad guys” – does not justify efforts to ban it.

This is especially true when it comes to things like encryption. We live in a world where the internet is integrated in every intimate corner of our lives – from our love letters to our financial and health records – and numerous criminal factions stand to profit from gathering our personal data. The average person’s integrity and even safety depends on keeping their private information private. Some policy-makers would have us believe that it’s possible to build a “backdoor” into encryption so law enforcement can peek into our private lives when they have probable cause, but the technological reality doesn’t line up. Backdoors can’t reliably be marked “good guys only”; when one is introduced, it will inevitably be used by malicious actors as well. Encryption tools that only work some of the time aren’t proper encryption tools at all. All sorts of organizations and people – from Google and Facebook to the EFF and The Tor Project, from the CISO of Yahoo to the co-inventor of the RSA algorithm – agree.

The future of this debate

Simply Secure believes that all people deserve access to privacy-preserving communication tools, including end-to-end encryption. We are working to support software developers in their efforts to make these tools more user-friendly, and to help tool-makers express the value of their software to non-experts.

The debate on who should have access to these tools will only intensify as they become more popular. If the pundits arguing in favor of backdoors – or, more absurdly, in favor of outright bans on certain encryption algorithms – have their way, dedicated terrorists won’t be thwarted. They’ll still find ways to communicate out of the eyes of law enforcement. But law-abiding citizens will have lost the ability to protect their data in the process.

[1] My own translation; original text: "un plan détaillé de la salle de concert ainsi qu’un message SMS disant, selon des informations du Monde, « On est parti on commence »." </p>


Awkward! QR Scanning + LinkedIn Spam

Messaging with friends and colleagues is rewarding – but sharing contact information is awkward. Many people want to preserve their privacy by carefully controlling who... (Read more)

Meeting Users' Needs: The Necessary Is Not Sufficient

Building great software requires understanding what users want and need. If you’re building privacy-preserving software, this includes understanding the privacy threats that your users face.... (Read more)

Video Roundup

It’s always great to attend security and privacy conferences in person. But in cases where you have to miss an event, online videos of the... (Read more)