In the aftermath of last Friday’s terrorist attacks in Paris, U.S. government officials have reignited the debate over encryption and government surveillance. They argue that encryption is a huge problem in the fight against the Islamic State in Iraq and Syria (ISIS), and that tech companies should create “backdoor” access to encrypted information for the government—something that big tech companies including Apple, Google and Facebook fiercely oppose. Yet despite speculation, we still do not know whether encryption played any role in the Paris attacks—and even if it did, security analysts say, granting the government access to encrypted data will not make it much easier to track terrorists.
The fight over surveillance and encryption is not new, but the Paris attacks have energized arguments in favor of government access. California Sen. Dianne Feinstein (D) told MSNBC on Monday that ISIS has “apps to communicate on that cannot be pierced, even with a court order,” she said. She added, “Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way—to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner—that’s a big problem.”
CIA Director John Brennan voiced similar concerns about encryption at a global security forum on Monday. When a reporter asked why intelligence agencies “didn’t even catch a whiff” of the planned attacks, Brennan responded, “There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it.”
Brennan and other officials are mainly concerned with end-to-end encryption, which prevents anyone except the user from accessing personal data; not even the tech companies that provide encryption can unscramble the information and hand it over to governments. Messaging apps like Facebook’s WhatsApp, Apple’s iMessage, Telegram, Wickr and others use end-to-end encryption, and it is those types of services that officials say are helping ISIS keep their communications hidden from intelligence agencies. That is why officials argue tech companies need to build backdoors that will let governments in when they need critical information and have obtained a court order.
But many security analysts doubt this reasoning. Yes, encryption makes investigations more difficult for intelligence agencies, they say. But the problem with giving the government backdoor access to a major platform like WhatsApp is that bad actors will just use other platforms instead. “Encryption is just math, and there are dozens of open-source encryption packages. There’s no way you could stop it,” says Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, “Law enforcement is talking about easy encryption apps that you download from the app store. What we've learned from terrorists is that they will go to great lengths to encrypt and even hide their communications in code. They're not completely dependent on these easy-use apps that people are talking about.”
Computer security expert Bruce Schneier agrees. “The bad guys are going to pick and choose” whatever encryption products they want, he says. “You can’t force terrorists to use Apple.” So if the government gets backdoor access to iMessage, terrorists will just switch to something else.
Although some officials make it sound as if encryption renders intelligence work impossible, agencies can still gather critical information from messages they cannot read directly. Security experts point out that it is possible to access metadata with end-to-end encryption, and this tells you who someone is talking to, the date and time of the communication and some other information. In other words, encryption does not leave governments entirely in the dark. FBI Director James Comey has acknowledged this but has said that metadata is not enough. “Metadata doesn’t provide the content of any communication,” Comey has stated, “It’s incomplete information, and even this is difficult to access when time is of the essence.”
Even if governments have access to encrypted information, security analysts say that would not necessarily be enough to stop a terrorist attack. There is so much information—and so many false alarms—it is like searching for a needle in a haystack to predict what is going to happen. “After the fact, it’s really easy to claim you should have connected the dots,” Schneier says. “Before the fact, there are two million dots, and you don't see it coming.”
After a tragedy like the attacks in Paris, people rightly want to know why no one saw it coming. Encryption is an easy scapegoat, but experts say the public should know that installing backdoors in encryption software is not a good solution. “I think there's this magical view that you can have FBI or NSA [National Security Agency] listen to people's communication and this is going to stop terrorist attacks,” Green says, “What we've learned is that these terrorists are very adaptable and they will find ways to communicate no matter what you do.”
Backdoor access for governments has a huge downside, too, security analysts say: It also gives hackers, criminals and other governments easy access to everyone’s private information. More people might be comfortable with this trade-off in the wake of the Paris attacks but there are many who say it is still not worth it. “Encryption is so important for our security and backdoors are so detrimental. I think it would be a disaster to our security to allow that kind of access,” Schneier says, “Are we really that stupid? We might be, because we're scared. That's the problem.”