18 January 2015

Paris and London Should Think Before They Undermine Encryption

January 15, 2015

Heads of state including Britain's Prime Minister David Cameron (3rdR), Denmark's Prime Minister Helle Thorning Schmidt (2ndR), Poland's Prime Minister Ewa Kopacz (R), Greece's Prime Minister Antonis Samaras attend the solidarity march (Marche Republicaine) in the streets of Paris

Sharone Tobias is a research associate for Asia Studies and the Digital and Cyberspace Policy program at the Council on Foreign Relations. 

The recent terrorist attacks in Paris have led European leaders to revisit Internet surveillance policies in their countries in the hopes that more effective data collection can prevent future terrorist attacks. EU leaders released a joint statement over the weekend expressing concern “at the increasingly frequent use of the Internet to fuel hatred and violence,” and calling for a partnership with Internet service providers. In France, Prime Minister Manuel Valls announced that the government will soon propose a new security law to reinforce the intelligence community’s surveillance capabilities, especially directed at Internet-based communications. 

EU leaders are particularly concerned about encrypted communication technology that allows individuals to send messages not accessible to law enforcement, even by a court order. Over the last few years a number of widely used applications like WhatsApp, iMessenger, and Facebook Messenger have adopted end-to-end encryption. Much of the data passing between users of these applications are inaccessible to anyone without a password—including law enforcement with warrants. UK Prime Minister David Cameron is leading the way, stating at a recent security meeting that “terrorists are using the Internet to communicate with each other and we must not accept that these communications are beyond the reach of the authorities.” Cameron also plans to lobby U.S. President Barack Obama to criticize U.S. technology companies like Facebook for their encryption methods during Cameron’s visit to the United States this week. 

Many have already questioned the proposals on grounds of privacy and freedom of expression. Some have interpreted Cameron’s comments to mean he wants to try and block access to these types of applications. The technical restrictions and regulations required to enforce such a ban would be enormous: it could involve blocking websites from which users download encrypted applications, or even render communication between UK-bought and foreign-bought devices impossible because of the differences in encryption standards. British technology companies would be especially affected, since they wouldn’t be able to produce competitive encrypted software and so lose out to other technology companies in third markets. 

Even if Cameron does not intend to ban access to the apps, but just wants to make them more open to surveillance, there is cause for concern. Weakening encryption or building “back doors” creates vulnerabilities that make it easier for criminals, not just the “good guys,” to access data. Unforeseen problems with government intervention in encryption have come to light before. Last year, Edward Snowden released classified documents that showed a highly classified NSA decryption program called Bullrun that used a combination of supercomputers, court orders, and even inserting “back doors” into certain encryption technology to tap into secure data. For example, the agency allegedly paid security firm RSA $10 million to use less secure encryption standards. Several U.S. technology companies supported an amendment last year that would prohibit the agency from installing such back doors, which the companies say hurt their businesses abroad. 

Law enforcement practices have long relied on the ability to gain access to phone calls, mail, and other communication methods to track criminals and terrorists (and in many countries, journalists, activists, and political opponents). Encrypted messaging services present new challenges to law enforcement and intelligence agencies in their fight against terrorism and other crime, particularly important after the terrorist attacks in Paris last week. But before making any rash decisions, it is essential that leaders first determine the real-world effects of taking a stand against technology that has now become so commonplace.

No comments: