Is the ability to send encrypted messages making it hard to stop terrorists? That’s what many intelligence officials and politicians have been saying about rumors that the terrorists in France communicated using encrypted services like WhatsApp or Apple iMessage.
For decades, government officials have been warning about the threat of criminals and terrorists “going dark” — becoming impenetrable to law enforcement surveillance — through the use of encryption. There is a bill in Britain calling for weaker encryption. Here in the United States, Senator John McCain says he will hold hearings in the Senate and propose legislation on this topic, while Hillary Rodham Clinton warned that encryption was a “particularly tough problem.”
And yet, just last month, people claiming to be teenagers hacked into the AOL account of the director of the Central Intelligence Agency, John Brennan. Almost every week, we read about another spectacular data leak. It seems that, simultaneously, a set of technologies exist that defy all attempts, including by well-resourced governments, to spy on private messages, and yet our data is so unprotected that even C.I.A. directors can’t keep their files secure.
We hear a lot about privacy (a crucial consideration) in this discussion, but there is another fundamental issue at stake: Law enforcement agencies can’t weaken encryption for terrorists without weakening it for everyone. And making it easier for malicious hackers and foreign governments to spy on us is not a good idea.
Governments don’t like encryption because it impedes mass surveillance — the scooping up of everyone’s information to sort out later. But most governments don’t need mass surveillance. They have other ways of getting into potential terrorists’ phones and computers, using methods better suited to counterterrorism.
Here’s a short history of encryption. Until the 1970s, in order to send a secret message, you had to find a secure way to send a “key” first, so that the recipient could decode the message. This, as you might know from spy novels, made routine covert communication difficult, largely the realm of governments.
In the 1970s, computer scientists and cryptologists created a brilliant solution — public key cryptography — that allowed a computer to generate a linked set of keys, one private and one public. “Alice” would publish this public key for the world, and “Bob” would use that key to encrypt a message that only she could read. Alice and Bob no longer needed to meet first to securely exchange keys, or even know each other to communicate in secrecy.
This is essentially how platforms like WhatsApp work. They allow far-flung networks of strangers to communicate securely. Mass surveillance can’t scoop up these communications, because they’d just look like gobbledygook in all the reams of data. (Though even with encryption, many governments can still collect “metadata,” which reveals who talks with whom.) But there’s simply no way to ban encryption, for terrorists or anyone else. The technology is already widely available, and will remain accessible, even if WhatsApp is pressured into abandoning it.
Mass surveillance is not the only tool to use in going after terrorists. Think of it this way: Our computer networks have some really strong locks (encryption) on flimsy houses where every window (i.e., the rest of the computer) is left open. If encryption is widespread, law enforcement has to enter each targeted house one by one, through the open windows.
Law enforcement has little problem doing this. Computer weaknesses in areas other than encryption mean that an adversary with resources (like the American government) can almost always break into computers and phones that it actively targets. This is targeted surveillance, and it’s actually a more appropriate method for countering terrorism.
Terrorism is perpetrated by a small number of people who are not easy to identify in an automated manner. Mass surveillance creates a lot of big data that is more suited to analyzing large-scale patterns — things that are done by lots of people in similar and predictable ways — rather than finding those needles in haystacks. It can overwhelm security systems by producing a lot of noise and false positives.
After many terrorist attacks in the past, we have learned that law enforcement agencies had dossiers on some of the attackers, but failed to connect the dots. This one is no different. The problem, once again, appears to be that there were too many potential suspects on too many lists, and that the authorities had not developed the capacity to identify and track the threat that only a few actually posed.
Access to the unencrypted text of messages is no magic bullet. Drowning in data, the authorities didn’t even get around to translating the 9/11 terrorists’ messages until after attacks had taken place. Many of the Paris attackers lived in the same area, and some in the same house; they didn’t need to write to one another. They also spoke a Moroccan dialect of Arabic that the police apparently did not understand too well.
Intelligence agencies bear the blame for not predicting terrorist attacks, and they tend to defensively call for more surveillance and less encryption after each attack. But the real problems that need to be discussed involve far broader issues, like a destabilized Middle East; protracted wars; the huge outflow of desperate refugees; colonial pasts; homegrown religious fanatics; and the failures of assimilation.
We should acknowledge that it’s very hard to stop a few people who want to murder civilians in public places and are willing to die along the way. The challenge is not how to collect more data from everyone, but how to identify and track the few truly dangerous people.
In the meantime, law enforcement agencies should quit trying to weaken encryption. They can help harden all computer networks against all types of spying (including their own) or let them stay weak to make all spying easier (including by hackers and foreign powers). Just this year, we learned that sensitive files containing security clearance information for more than 20 million Americans, including many fingerprints, had been stolen by hackers probably working for a foreign government. Encryption cannot be wished away, and weakening it will hurt us all.
Zeynep Tufekci is an assistant professor at the School of Information and Library Science at the University of North Carolina and a contributing opinion writer.