It is a rare law enforcement officer or intelligence agent who doesn’t want access to more information. Yet total information awareness, to use a term from the George W. Bush administration era, has never been possible. Some people whisper to avoid prying ears. Others draw the blinds to prevent looking in.
More fundamentally, the right to privacy – the personal preserve where governments should not be allowed to snoop – is an impediment to official surveillance. That privacy is necessary to safeguard such sensitive matters as our banking information, our medical history, our personal relationships, or our ability to explore unpopular or potentially embarrassing points of view.
Today the battle between law enforcement and privacy is being fought over encryption. One response to Edward Snowden’s revelations about the extent of U.S. government surveillance has been growing popular insistence on encryption – such as the end-to-end encrypted communications used in iPhones or WhatsApp to which no phone or Internet company holds an access key. Meeting this week in Ottawa, the “Five Eyes” intelligence sharing partnership – Australia, Canada, New Zealand, the United Kingdom and the United States – is considering an Australian proposal to mandate such a key, or “back door,” to encryption. Officials in the U.S. and U.K. have made similar proposals.
The rationale is that many terrorists and other criminals are using end-to-end encryption to hide their activities. Even if law enforcement officers or intelligence agents obtain a judicial warrant to monitor their communications, the lack of a back door key means there is no way that phone or Internet companies can let these officers in.
Yet a mandated back door – essentially a built-in vulnerability – is dangerous because there is no way to ensure that only the good guys will exploit it. Today’s hackers, both criminal and governmental, are increasingly sophisticated. They have hacked Internet companies, sensitive infrastructure, even the National Security Agency itself. Technology companies are in a feverish race to enhance privacy and security protections. The last thing they need is to introduce a deliberate vulnerability. Few would want to return to an era when encryption was not the norm.
And to what end? A mandated back door to encryption might enable governments to catch some criminals. But criminals with any degree of sophistication would simply download encryption services that are widely available on the Internet without going through one of the brand-name companies that might be mandated to introduce a back door. Meanwhile, ordinary members of the public would be stuck with vulnerable communications.
Moreover, Western Internet and phone companies would be competitively crippled. Even if Five Eyes and other Western governments mandated a back door for devices made in their country, other countries might not follow suit. Anyone concerned with their privacy and security would flock to and try to sneak in devices produced in non-back-door countries.
The crimes that might be stopped through a back-door mandate must be weighed against the crimes that would be created. The vulnerability in our software and digital devices would mean more theft, blackmail and extortion as hackers enjoy a field day. Street crime would also be affected. The rise of strong default smartphone encryption has contributed to a plummeting in once-rampant cellphone theft. There’s no point in stealing a phone (often violently) if you can’t penetrate its encryption. A mandated back door, once its vulnerability has been hacked, would once again expand the market for stolen phones.
Proponents of a back door also tend to assume that law-enforcement or intelligence access to it would require a judicial warrant or some lawful process, but it is easy to imagine circumstances in which these processes would be circumvented or subverted. In many countries where these devices are used, unscrupulous governments or officials in possession of this information would be more likely to persecute dissidents for their private criticisms.
For these reasons, a pantheon of senior security officials think a mandated back door is a bad and dangerous idea. In the United States, these include the past heads of the CIA, the NSA, and the Department of Homeland Security, as well as former president Barack Obama’s Presidential Review Group on Intelligence and Communications Technologies. Europol has also warned that “solutions that intentionally weaken technical-protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.” Security officials would be better off adapting to a world of encryption than to weaken the security of our communications.
Even where end-to-end encryption is used, many types of communication already are subject to judicially-ordered surveillance. Metadata – such as the data that guides a communication to the proper destination – cannot do its job if it is encrypted. It remains available to government monitoring by appropriate judicial order, although care should be taken to ensure that this data, which can reveal a great deal about our personal life, is not collected excessively. Other metadata can pinpoint where a phone (and presumptively its user) has gone. Much information stored in the cloud is unencrypted.
The plethora of such unencrypted information has led some to say that today is the “golden age of surveillance.” Rather than press for encryption back doors, governments would be better off teaching investigators how to access important unencrypted sources of information.
It’s time to abandon the quest for total information awareness. Yes, some criminals will benefit from encryption. But just as we don’t outlaw whispering or drawing the shades, so we should accept that encryption is the only way to safeguard our communications in an era of increasingly sophisticated cybercrime and unauthorized surveillance.