Policymakers don’t understand the importance of encryption

Posted on by Joshua Lasky Posted in Technology

And citizens will be the ones who suffer as a result

Reaction to last week’s terrorist attack in London followed a predictable pattern. After a terrible act occurs, wait a few days, then turn on your television to see your country’s chief investigator / defense minister / homeland security advisor come out in opposition to any technology that may be tangentially related to the attack.

So, in this case, cue up UK home secretary Amber Rudd with an argument against WhatsApp — the messaging app that was reportedly used by Khalid Masood in advance of the attack — and its use of encryption.

Among several choice quotes from Secretary Rudd:

“It is completely unacceptable. There should be no place for terrorists to hide.”

“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other… In this situation, we need to make sure that our intelligence services have the ability to get into [applications] like encrypted WhatsApp.”

“I’m not saying I want to get into your WhatsApp, Andrew, what I’m saying is that where there are situations where there are ongoing investigations with terrorists… [messaging companies] should be on our side.”

Her argument echoes similar sentiments from Senator Richard Burr (R-NC), expressed in a Wall Street Journal op-ed in 2015:

“While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption — encoding messages to protect their content — is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.”

Needless to say, these are both terrible approaches to this issue. Sound policy isn’t a knee-jerk reaction to external threats. Sound policy isn’t careless to the true drivers of illegal activity or the needs of everyday citizens either. Simply put, Rudd and Burr are forgetting that encryption is vital to the modern digital environment, and that the costs of weakening it far exceed the benefit to intelligence services and national security efforts.

Encryption underpins a vast swath of our digital world — including activities that are increasingly core to our daily lives. It’s easy to think that you have nothing to hide online, but billions of people hide critical information every day.

Think about your own daily habits. Would you transmit your financial data over the internet without some assurance that it was private? What about your passwords? Do you want to go back to a time when it was impossible to approve transactions over the internet? Encryption both safeguards our most sensitive data and enables us to save time by making transactions quick and seamless.

Encrypting content and messages follows the same principle. To use an extreme example, if you happen to live in an authoritarian state, or are communicating with someone under such a regime, you must expect that the state is tapped into everything you say or do. Communicating by normal means is impossible without taking on significant risk. This is why encrypted messaging services such as Signal have been hailed as an essential service for journalists and whistleblowers. It is quite literally a matter of life or death for these people, yet politicians like Burr see encrypted communications as solely the domain of criminals and terrorists.

If anti-encryption advocates got their way, and encrypted services were either compromised by backdoor access or eliminated entirely, say goodbye to social authentication, online banking, digital signatures, private messaging, and much more. Even if such services continued in some form, the public’s trust in such services would eventually break down.

This isn’t hyperbole — the key takeaway from the many security-related leaks of the past few years has been that once you build a weakness into the security of a system, that’s a weakness than anyone can exploit. It’s great in theory to create a government-only backdoor, but the argument that governments are the only actors that would seek to use these access points is both disingenuous and dangerous.

Citizens in the United Kingdom, the United States, and elsewhere around the world deserve policy that targets malicious actors without taking out essential digital services. As such, we need to hold policymakers like Amber Rudd and Richard Burr accountable when they introduce proposals to weaken encryption.