When eight men carrying assault rifles and wearing suicide vests killed 129 people in Paris last week, the issue of access to encrypted communications again reared its head. If the attackers planned their assault over secure data networks, doesn't it make sense to give law enforcement organizations access to those networks?
Not necessarily. The real question is whether anything has changed since the White House decided not to seek controls on encryption last month. In light of the carnage in Paris, even raising the issue may seem cold-blooded. In the wake of such an attack it is tempting to react with, “Let us do anything we can to prevent another such attack. Make law enforcement access to communications easy.” But there are national security reasons why routinely securing communications is important.
Such security decisions should be made with deliberation and thought, not as a hurried emotional response to a crisis. (The latter can lead to actions that ultimately diminish security.) A careful analysis shows nothing has substantively changed since the White House made its decision last month. This rests on four observations:
The first is that no open society can be fully protected against attacks involving a handful of participants. It is extremely hard to accept that our societies will continue to be subject to such threats, and everyone—from local police to mayors to prime ministers and presidents—wants to promise that no terrorist attack will ever happen on their watch. Yet they cannot. To expect that law enforcement will always uncover plots involving a small group of collaborators means accepting a level of surveillance inimical to the very notion of an open and free society.
The second observation formed part of the rationale behind the White House decision. Manufacturing in modern societies consists of producing intellectual property—the design of airplanes, pharmaceuticals, software, hardware, et cetera. In such societies securing bits and bytes is crucial for industry and national security. This means securing both communications and data at rest, with cryptography as an essential tool to do so.
The third observation is that governments' desire for “exceptional access”—secured communications accessible to law enforcement under court order—has two very serious costs. First, the complexity exceptional access adds makes it far more difficult to get security right. Second, it prevents the deployment of two modern security tools: forward secrecy and authenticated encryption. Forward secrecy makes communications ephemeral; the encryption key disappears when the conversation ends, which means an intruder—a cyber thief—can only capture new data, not old. Authenticated encryption authenticates and encrypts a message in a single step; if law enforcement insists on exceptional access, then these steps must be separated, increasing the risk of data compromise. Thus, designing communications systems for exceptional access means we make data theft easier. Such a direction runs contrary to our national security interests.
The fourth observation is that there is a solution to the above conundrum. End-to-end encryption of communications doesn’t prevent investigators from wiretapping, but it does require the use of a somewhat different set of techniques. Every electronic communications device—every phone, tablet, laptop—has exploitable vulnerabilities. These enable remotely loading wiretaps onto a device. It’s a complex, two-step process. First, law enforcement must remotely “hack” into a device to determine what operating system and applications are running on it; then authorities must revisit the device to download a wiretap using a vulnerability present in the operating system or one of the applications. This approach is very similar to how cyber theft is done, the difference being that this “lawful hacking” is done under legal authority. This technique has been used by both law enforcement and national security agencies to read traffic of targets.
This solution is more expensive for law enforcement than if communications were unencrypted (and thus always accessible under a wiretap). But the latter puts all communications at risk. Encouraging widespread use of encryption while employing vulnerabilities for wiretapping allows targeting the bad guys and securing everyone else.
Last week everything changed and nothing did. For Parisians, a certain joie de vivre disappeared. Sitting in outdoor cafés and going to music clubs and soccer stadiums is likely to be difficult for quite some time. And fears have escalated for people in New York City, London, Madrid, Brussels, Beirut, Delhi, Mumbai and elsewhere.
The French have taught us many things. One is that plus ça change, plus c’est la même chose (the more things change, the more they stay the same). The realities regarding encryption have not changed. A careful analysis determined that securing private communications end to end is crucial for national security. In no way do the horrific events of last week change that conclusion.
Susan Landau is a professor of Cybersecurity Policy at Worcester Polytechnic Institute, author of Surveillance or Security? The Risks Posed by New Wiretapping Technologies (The MIT Press, 2011) and co-author of Privacy on the Line: The Politics of Wiretapping and Encryption (The MIT Press, rev. ed. 2007).