Terrorism And Encryption
Terrorism. It seems like every month some new ISIL (or other) terror gets the world’s attention, and I take time from my suburban life to think about how fortunate my family is to be so far from these horrors. And if I’m being honest with you, fear starts creeping into my mind; it’s scary to think that the next one could be in my neck of the woods. Perhaps it makes me fear a little more intensely since having my one and only child… So when I started hearing officials on the news talk about how encryption is hindering terrorist investigations, I listened.
Make no mistake, I currently work for Microsoft, and we’ve made it very clear where we stand. Microsoft, Apple, Google, Facebook, and many other tech companies provide the services that literally billions of people rely on for their personal information and communication. Despite my fear of terrorists, and supporting the government’s protection, I wonder about my rights as a citizen.
In case you haven’t been following in the news, or if everything seems a little too complicated, here’s a fictitious conversation which outlines the for and against backdoor access arguments regarding encryption:
Intelligence Agencies/Law Enforcement: We need backdoor access to investigate child pornographers, kidnappers, and terrorists.
Tech Companies: If we give you backdoor access it will make it easier for hackers to gain access as well.
Intelligence Agencies/Law Enforcement: Come on tech companies, you’re really smart and can figure out a way that will be safe (read: that’s your problem not ours).
Tech Companies: People are afraid of the government abusing this power, and we can’t blame them considering what’s been brought to light the last few years (read: Edward Snowden exposing the NSA).
Intelligence Agencies/Law Enforcement: Law-abiding citizens shouldn’t have anything to hide.
Tech Companies: Many of these communications travel over international boundaries, and the information is stored in different international locations; the laws of several countries for protecting their citizens’ private information often will not align with a backdoor policy for the US Government. Oh, and the White House doesn’t support you either.
Intelligence Agencies/Law Enforcement: Change your business model to accommodate (read: handicap your business).
Tech Companies: No.
Although I am far from being an expert in law enforcement or the law in general, it seems there might be a middle ground here. I think if we’re talking about domestic problems, we can make proper laws for device manufacturers who allow encryption to build in requirements for users to log in biometrically. That way, if local law enforcement has the appropriate search warrant, they can physically compel the suspect to log in to their device. No back door needed.
It gets a little trickier once you think about terrorists whose devices are physically inaccessible because they are protected by some kind of militant force, or simply because they’re on foreign soil, or in an unknown location. That’s when having a remote “backdoor” into the system becomes necessary if you want to access information. Although I’ve thought about things like “we can fight terrorism by other means” or “if we offer backdoors to encryption then terrorists will just start using some foreign company’s products who offer true encryption” and finally “third party apps can offer encryption independent of the device or service maker”, it just seems kinda wrong. Whereas I understand the point that having a device encrypted by default may empower criminals and terrorists, I think it actually also empowers all the people in the world to communicate better. Technology and globalization are influencing nations, religions, and ordinary people to come together. Trust is a big part of that communion, and encryption enables trust.
What do you think?
This article was originally published on www.SlowlyFantastic.com
I hate terrorists, kidnappers and human-traffickers; but we need secure banking and privacy too. Backdoors are not an answer, and any backdoor set up for a government, bad players will eventually find a way to access and exploit. The reality is the criminals are often more talented, motivated and well-funded. I think eventually, the balance that will be struck is not far from the stalemate, like this:
1) Service-providers and other companies continue to encrypt all data "at-rest" and "in-flight". Customers keep their own keys and pass-phrases. Government agencies won't like this, but there's something else that is almost as valuable to them that we can give them ...
2) Those providers give the appropriate Government agencies APIs for near-real-time access to the "meta-data" (only). The Government agencies would have to go through some vetting process (to ensure they are legit themselves, not impersonators) and hire their own consultants to program to those APIs, and there would need to be keys exchanged. So, I don't picture this being some random local Sheriff's department. This would be maybe the FBI (or CIA? or NSA?) doing this centrally for *ALL* US Law Enforcement and security purposes, whatever the Canadian equivalent does it for them, etc. Centralizing it should also include ensuring it is not used for petty cases - certainly nothing involving a civil matter (like divorce proceedings, etc.). I think most people would be willing to give up their meta-data if they know it's only being used for life-threatening matters - rather than trying to track down the local pot dealer, or a divorce attorney looking for dirt that benefits their case, or somebody looking to crack down on who is talking to journalists.
Although people finding out the NSA has been stockpiling and analyzing their meta-data was a very upsetting and scary experience, the reality is that some of that data was already available to law enforcement agencies with open cases (how many times have we heard of a criminal being tracked down by the cell-phone?). It was just scary for people to find out about it, and that it was happening on a "hyper-scale". Giving the security / law-enforcement community meta-data query capabilities would provide them with the ability to see where traffic is coming from and going to, but not the content of the conversations themselves (VOIP data, e-mails, chats, files stored in the Cloud, etc). Further, giving them a near-real-time ability to query that, and build their own systems around that capability - would eliminate the hypothetical case of a bad player holding a hostage or some similar situation. I only say "near" real-time, so as to not push the technical capabilities into the mode of putting too much of a load on the systems that are actually trying to provide these services (VOIP, e-mail, file sharing, etc.).
Obviously, people are worried about their privacy, and they are worried about their ability to speak freely with whomever they want about whatever they want. But, giving the security/L.E. community the ability to know who is communicating with a known terrorist or suspected kidnapper would really help in mitigating those efforts. While the content of the conversations would be the holy grail for them, the reality is probably that knowing who is communicating with a known-bad player "right-now" is much more actionable than what they are actually talking about. And, if they track down one party or the other, they will likely get the keys or pass-phrases from one side of the conversation or the other eventually. Well, those are my thoughts - "off the top of my head". IMH(f)O, peace.