Since the Paris attacks earlier this month there has been debate as to whether the government should prevent civilians from using high-grade encryption. Various government officials - and certain presidential candidates - contend that encryption hampers governmental efforts to monitor the communications of terrorists, a notion challenged by technology firms that wish to offer the best security to their users.
Here are ten reasons that I stand firmly against government crippling of encryption technology:
1. There is no evidence that allowing law-abiding private citizens to use encryption actually helps terrorists. (If there is, let the government present it to the public.) In fact, it seems that anti-encryption folks may have made up many of the claims that the Paris terrorists communicated using encryption; many, if not all, of the communications between the terrorists seem to have been carried out without any encryption. The government's failure to monitor terrorist communications arises from other deficiencies - such as not identifying the right people to monitor quickly enough - not from its inability to decrypt encrypted communications.
2. There are more effective actions to take against terrorists that should come first. Before we ask Americans to surrender privacy in order to gain security, the government should demonstrate that it has acted with competence in all other areas of the war against terror and exhausted other means. When we hear the Commander-in-Chief telling us how ISIS is "contained" days before it kills over a hundred people in Paris, when we barely hear anything from the government when an American student is murdered by a terrorist in the West Bank, when we hear that the Turkish government tried to warn France twice about one of the suspects involved in the Paris killings but that the French did not respond until after the attacks, etc., we have to wonder if there are other actions that the government could (and should) be taking to combat terrorists before it deems it necessary to strip us of our rights.
3. The government has a poor record when it comes to protecting sensitive information. Before it demands access to our data, the government should prove that it will properly protect any information that it collects. Recent incidents give us reason for concern: From the Chelsea-Manning-WikiLeaks incident that revealed that basic information-security strategies were not being applied in various parts of the government, to the hack of the Office of Personnel Management in which the government was not only breached, but in which it initially underreported the amount of data stolen, to the Edward Snowden leak of data from the NSA, we have serious reason to believe that even if the government did not intend to misuse our data, it might inadvertently allow others to do so.
4. Weakening encryption will increase crime. There is no way to weaken encryption so that the government can crack it without also allowing criminals to do the same; to quote Apple's CEO, Tim Cook, "You can't have a backdoor that's only for the good guys." As mentioned above, the government does not have a great record of protecting its own data - will criminals be able to steal the government's decryption keys and decrypt online banking sessions and other sensitive activities? Could government access allow people to steal private photos and communications between spouses?
5. There are plenty of foreign-made encryption applications. If the USA outlaws strong encryption, terrorists wishing to use strong encryption will simply use foreign-made applications. The only people who will lose out will be law-abiding Americans.
6. Terrorists can easily craft their own encryption applications. Many strong encryption algorithms are not secret - and, even if the United States could get every government around the world to mandate backdoors in all commercially viable encryption applications, terrorists could easily commission the writing of undamaged software.
7. Metadata already provides enough information. In most cases encryption does not stop authorities from obtaining sufficient information about a communication to properly monitor those involved. Metadata - such as the IP addresses or phone numbers of parties communicating - can be used to determine who is communicating with whom, when they are doing so, and from where they are doing so. Armed with that information, authorities can get the warrants that they need to conduct surveillance, etc.
8. Terrorists can hide data in pictures and videos even without encryption. Even if the government somehow did manage to cripple all encryption technology including custom-developed apps, terrorists could still hide their secret communications within pictures and videos using a method known as steganography. For more on steganography - and for a chance to win an Amazon gift card if you can find the data that I hid in a photo in order to demonstrate the power of steganography - please see this article: How To Hide Data In Plain Sight So Nobody Can Find It.
9. Crippling American software harms American businesses. Foreign companies scared that their data may be obtained by the US government - or by other parties exploiting the vulnerabilities introduced at the demand of the government - will turn to foreign providers at the expense of American businesses.
10. It is against the American tradition. Many politicians have pointed out that should America fail to take in Syrian refugees it would be violating its core values. The same holds true if we demand that Americans surrender their privacy to the government without good reason. The founding fathers created the Bill of Rights at a time when our nascent nation was under serious risk of attack - they still felt Americans had rights to privacy. We should preserve those rights.
Please feel free to discuss this article with Joseph Steinberg on Twitter. He is at @JosephSteinberg.