The Paris and San Bernardino, Calif., attacks confirm that countries on both sides of the Atlantic are facing — indeed, have been facing for some time — an insidious form of terrorism, largely homegrown. They should spur a serious examination of our approaches to fighting terrorism.
Without waiting for such a review, however, policymakers are already using the attacks to support the long-standing and previously rejected idea of compromising secure encryption tools, in an effort to ensure government access to private communications and stored data.
While the anger and fear generated by the events in Paris and San Bernardino are still strong, citing the attacks as support for preconceived proposals risks pushing aside questions of effectiveness and civil liberty.
Some of the terrorists involved in the Paris attacks were previously known and under varying degrees of scrutiny. The fact that they were nevertheless able to act is disturbing; it may point to the futility of casting too wide a net, which makes it harder to distinguish the true threats. More unsettling is San Bernardino, where the attackers were apparently not even on the government’s radar. That may highlight a reality of self-radicalization — that attackers are able to avoid attention even under the most comprehensive of surveillance schemes.
Yet all we are sure of so far is that police and intelligence agencies were unable to prevent the attacks. Indications of how this could have happened are fragmentary, and those fragments are likely misleading.
Police, homeland security and intelligence agencies bear a very heavy burden in the face of terrorism. As is often said, the agencies protecting us have to be successful every time, while the terrorist plotters have to escape detection only once. But before proposing new laws, it is worth considering how terrorists do slip through what are — on both sides of the Atlantic — very intensive surveillance systems. Are we monitoring too few people, or too many? Is it the failure of analysis or something else? Have efforts at countering violent extremism been misguided or merely underfunded?
Effectiveness isn’t the only question that must be considered, and even an otherwise robust policy must be balanced against its adverse impact on other values. But effectiveness is a threshold question. If we do not first ask what is working and if anything is likely to work better, adjustments in our security policies are likely to be both ineffective and corrosive of civil liberties and other principles of democratic governance.
So far, it does not seem that the San Bernardino attackers used encryption to mask their planning. FBI Director James Comey has testified that two shooters in Garland, Tex., used encrypted communications in May during the morning of their attack on an art gallery. However, there is no indication that the government would have had adequate warning of that attack if the encryption had been designed for government access.
Undoubtedly, there will be cases in which terrorists use encryption to mask their plans. And it appears that encryption has put evidence in some ordinary criminal cases out of reach. The hard truth is that we may be seeing a transition: from a world in which police and intelligence agencies had near-comprehensive access to data to one in which much of what those agencies want to obtain is no longer available.
But will any policy be effective in reversing the proliferation of unbreakable encryption technologies? Efforts to regulate corporations providing encryption services might yield short-term benefits. But how long will those last? How long before even ordinary criminals download products built outside the reach of U.S. law? The basic math of encryption is now globally understood, and leading encryption products are open source, meaning that no one owns them.
The threat of terrorism is real. But a clear-eyed analysis of the technological realities is needed before imposing mandates that could weaken the security of corporations, governments and individuals — while not stopping the bad guys.
James X. Dempsey is executive director of the Berkeley Center for Law & Technology at the University of California, Berkeley, Law School.