“I think this is going to open an entire new debate about security versus privacy,” said Michael Morell, a former deputy director of the CIA. This assessment encapsulates, in a nutshell, the narrative that is developing in the aftermath of the horrific terrorist attack in Paris.
Despite the lack of solid evidence that encryption, too difficult for law enforcement to crack, was at the heart of the most recent Paris attacks, some still choose to capitalize on the issue. In a companion piece, the probable effect it will have on the 2016 US Presidential campaign will be explored. But for now, suffice so say that all pundits are weighing in on the topic – from Presidents to police – and seeking to slant the narrative to their liking. To use the excuse that too-tough-to-crack encryption was used by the terrorists, and that it formed the basis for the attack, is a stretch of the imagination, and contradicts the facts.
The much maligned and much feared end-to-end encryption can indeed be problematic for law enforcement, but is not an impossible obstacle. Calls to ban it or provide “backdoor” saccess to law enforcemen,t is a conundrum without a simple solution, and will invariably revive the long- running debate as to when security should prevail over privacy. The matter is further complicated by the fact that it is not necessarily especially difficult, secret, or exclusive encryption used by terrorists claimed to be at the core of the horrific assault.
Some of the most powerful technologies are free, easily available encryption apps, with names like Signal, Wicker and Telegram, which encode mobile messages from cellphones. ISIS militants used one such app, Telegram, two weeks ago, in claiming responsibility for the downing of the Russian jet in Egypt that killed 224 people. They used it again last week, in Arabic, English and French, to broadcast responsibility for the Paris massacre.
But much information is still easily and readily available and useable by police. For example, it has just been learned that the ringleader of the attack, Abdelhamid Abaaoud, was tracked to, and reportedly ultimately killed using information gleaned from a cellphone found in a trash bin near one of the attack sites.
In the US, national security officials are playing coy about their abilities to break ISIS encryption, while acknowledging that they’ve used a range of encryption-breaking technologies over the past two years. But the fact that the Obama administration had given up on legislation compelling the tech companies to provide encryption keys to law enforcement may be telling. It has led many experts to believe that the NSA may be able to pierce some of the terrorist’s encryptio,n but are naturally reluctant to disclose specifics lest their advantage evaporates. Paris may change the dynamic, however.
But before one makes the knee-jerk assumption that it was impenetrable encryption that allowed the planning to fester, and ultimately resulted in the carnage, one must sift carefully through the per-attack evidence. Obama, in abandoning the fight for backdoors, rejected the argument of FBI director, James Comey, that the United States should require any company that provides encrypted software and hardware to engineer a way for the government, armed with a court order, to get access.
For the tech companies, this is a thorny issue that is fraught with peril for thier businesses. The natural, patriotic, inclination is to help out law enforcement where possible. However, to this they risk undercutting, as Apple’s Tim Cook opined, customers’ confidence that the most precious data they keep in their phones is safe from everyday cyber criminals, as well as sophisticated nation states that could gain access to keys via hacking, or lawfully through court order. Mr. Cook asserts that investigators have ways to obtain crucial clues from the available metadata about who is talking to whom by phone, from information in the Internet, cloud or, security experts have said, by hacking a target’s device.
The tech companies’ position seems to be supported by a study the White House sanctioned before shrinking from the encryption debate. The Obama administration reluctantly adopted a view put forth by 14 of the world’s top cryptographers and computer security experts. They wrote, in a white paper, that weakening the encryption of American technology sold by companies like Apple, Google and Facebook would only render confidential data and critical infrastructure more vulnerable to criminals and national adversaries, and push terrorists to adopt encrypted services sold overseas.
Also, security experts assert that even when strongt encryption ius used a trail of metadata is left behind, which can yield valuable, actionable information about who is talking to whom and the when and the where of the communication. As Matt Blaze, a computer security expert at the University of Pennsylvania, notes,
“Encryption is really good at making it difficult to hide the content of communications, but not good at hiding the presence of communications. All the encryption in the world doesn’t help if the end point that holds the keys are compromised. So this idea that encryption make terrorists’ communications go completely dark has a pretty big asterisk next to it.”
Of course, proponents of tech companies caving in on the encryption issue will not be dissuaded by such arguments. So the defenders of privacy must be equally resolute regarding their position. This, after all, is how true democracy operates thrives, and will endure, even under the strain of aberrant attacks.