Influencers: Paris attacks don't justify government access to encryption
Even as the Paris attacks rekindle the encryption debate between Washington and Silicon Valley, a strong majority of Passcode Influencers said tech companies should not provide law enforcement a solution to decrypt communications to pursue terrorists.
Investigators have not yet provided concrete evidence about which platforms the Islamic State militants used to coordinate the attacks in Paris last week that killed at least 129 people. Even so, US听lawmakers听补苍诲听听are already calling for greater access to strongly encrypted consumer devices and apps they complain are nearly impossible to access even with a听warrant.
Yet 74 percent of Passcode鈥檚 own pool of more than 120 experts from across the government and the private sector cautioned against a knee-jerk response to a tragedy that could give US intelligence and law enforcement agencies a power that could harm all consumers鈥 security and听privacy.
鈥淭he Paris attacks are absolutely tragic, but the response must not be to undermine cybersecurity for digital services on which many millions of people depend,鈥 said Harley Geiger, senior counsel at the Center for Democracy and Technology. 鈥淲eakening strong encryption will expose regular Internet users to increased risk of cyberattack and devastate small businesses and innovators.鈥
Giving the US government access, Mr. Geiger continued, will not prevent organized groups from using strong encryption. 鈥淒ifficult-to-crack encryption and apps will continue to be available on the Internet, even if governments seek to ban them. Government-mandated cybersecurity vulnerabilities will do a great deal of damage, are of highly questionable effectiveness, and should not be the hasty reaction to these reprehensible terrorist attacks.鈥
After conducting an extensive policy review, the White House moved toward听听earlier this fall, to cheers from security pros and privacy advocates. Now, even as officials such as FBI Director听听in the wake of the Paris attacks, others in the government are already worried about the fate of consumers鈥 security if the US moves too quickly on this听issue.
鈥淚t is important not to leap to the conclusion that mandating backdoors or exceptional access systems in commercial products is necessary,鈥 said Terrell McSweeny, a commissioner at the Federal Trade Commission. 鈥淓xperts agree that backdoors introduce security flaws and vulnerabilities. Consumers using these products may be more vulnerable if the security of them is weakened.鈥
That concern was echoed by several Influencers, who said it鈥檚 still important to note that if law enforcement has a channel to bypass encryption, an unauthorized party also has a better chance of getting access to the听data.
鈥淚f tech companies create an encryption 鈥榖ackdoor鈥 then what is the point of encrypting things in the first place?鈥 said Cris Thomas (aka Space Rogue), strategist at Tenable Security. 鈥淚f a backdoor is created, there is no way to limit access only to law enforcement or 鈥榝riendly鈥 governments. Eventually, and sooner rather than later, the bad guys will get access to the backdoor... [and they themselves] will just evolve to use a different communications听method.鈥
That鈥檚 a grim scenario, he said: 鈥淟aw enforcement will still have no way to monitor the bad guys and the public will be left with weakened security.鈥
The fact that officials and policymakers are already using the attacks to revive the debate 鈥 without a definitive answer on whether or not encryption was used by the attackers 鈥 is especially problematic, some Influencers said. 鈥淎t this point there is no confirmation that end-to-end encryption was used by the attackers, much less that the use of that encryption is what led the world鈥檚 intelligence services to fail to detect the plot before the tragedy,鈥 said Cindy Cohn, executive director of the Electronic Frontier Foundation. 听
On the other hand, the benefits of widespread, strong encryption are well known, Ms. Cohn said. 鈥淲hat we do know is that strong encryption is crucial to allow political organizers, government officials, and ordinary people around the world to protect their security, privacy and safety from criminals and terrorists听alike.鈥
鈥淎ny 鈥榖ackdoor鈥 into our communications will inevitably (and perhaps primarily) be used for illegal and repressive purposes rather than lawful ones,鈥 she said.听
Unfortunately, said Julian Sanchez, a fellow at the Cato Institute, a libertarian think tank, the urgency policymakers feel to respond to the attacks 鈥 and other threats the Islamic State has made against other targets, including Washington 鈥 does not lend itself to an even-handed听debate.
鈥淚t鈥檚 increasingly clear that advocates for compromising encryption rushed to exploit a tragic attack in the absence of any evidence that encryption technology had actually stymied investigation of the Paris attackers,鈥 Mr. Sanchez said. 鈥淭his looks like yet another effort to scapegoat technology for an intelligence failure.鈥澨
Despite the loud opposition from many technologists and privacy advocates, a 26 percent minority of Passcode Influencers said the Paris attacks do highlight reasons why the US government needs the ability to encrypted communications to keep the country听safe.
鈥淭hey should provide as much access to securing the national defense as they do to profit making advertisers and data aggregators,鈥 said one Influencer who preferred to remain anonymous. Influencers have the option to comment on the record or anonymously to preserve the candor of their responses.
The debate over balancing national security and privacy is much bigger than this one attack, some Influencers stressed. 鈥淭he Paris events should have nothing to do with this,鈥 an Influencer who preferred to remain anonymous听said.
鈥淯nder any circumstances, with due process under the law, mechanisms must exist to allow law enforcement to gain access to communications.鈥
What do you think?听听of the Passcode Influencers Poll.
听
Comments
NO
鈥淟aw enforcement 鈥榖ackdoors鈥 can be abused by attackers to decrypt traffic of victims.鈥 -听Charlie Miller, Uber Advanced Technologies Center
鈥淣o. That lesson should have already been learned with the abuses of the Patriot Act post 9/11. Our rights must remain intact as we pursue and punish terrorists and other criminals.鈥 -听Jeffrey Carr, Taia Global
鈥淭he risks after 13-11 remain as they were before 13-11 鈥 听the vulnerabilities enabled by broken crypto leave consumers and companies more vulnerable to cyber attack.鈥 -听Marc Rotenberg, Electronic Privacy Information Center
鈥淎ny 鈥榮olution鈥 would fundamentally weaken encryption for everyone and introduce new risks. The focus needs to be on how to surveil specific persons in spite of strong encryption, and not weakening encryption for all so that agencies can collect information in bulk.鈥 -听Chris Finan, Manifold Security
鈥淚f law enforcement have a way to decrypt communications, it鈥檚 an opening for others.鈥 -听John Bruce, Resilient Systems
鈥淚t is misleading to frame the policy discussion about crypto backdoors in the narrow context of terrorism. People who plan terrorist attacks take care to protect their schemes from discovery, and already have access to crypto systems that do not have backdoors. Technology companies are being asked to build backdoors into systems that regular people use everyday, and those backdoors would be accessed for a variety of mundane law enforcement purposes. It鈥檚 a complex issue that should not be oversimplified.鈥 -听Tom Cross, Drawbridge Networks
鈥淭here are many ways the intelligence community can use technology to fight terrorism, but breaking encryption should not be one of them. On net, we will all be more secure over the long term if we focus on developing a more secure digital world, not a less secure one.鈥 -听Daniel Castro, Center for Data Innovation
鈥淲hile technology companies should, of course, cooperate fully with law enforcement officials to capture terrorists, there is no magical 鈥榙ecrypt communications only for terrorists鈥 technology. Overwhelmingly, protecting the integrity of communications benefits civil society as a whole. Fools and cowards fear encryption -- they draw attention to secure communications because they are unwilling to have the far more meaningful conversations about how to stop terrorism -- including a Marshall plan for the MENA and AfPak regions that provides meaningful economic alternatives to local youth, expansion of social services to serve battered communities, and reining in of hostile action, and even gun control. We need a fundamental rethink of our failed foreign policy, not less secure communications that will inevitably make us all less safe to abuse by government authorities and hackers alike.鈥 -听Sascha Meinrath, X-Lab
鈥淚t may be a legitimate function of governments to attempt to collect information for law enforcement or intelligence purposes through cryptanalysis. However, nothing in that statement should be interpreted to suggest that vendors ever intentionally weaken privacy and security measures in their products in furtherance of that end. Encryption is 鈥渃ritical infrastructure鈥 in the modern online economy. One can鈥檛 design in a weakness and ensure that 鈥榦nly good guys鈥 have the ability to exploit it. The 鈥榞olden key鈥 that only allows access to government monitors without creating any new attack surface or weakness is the stuff of fantasy, until someone arrives with as-yet unknown mathematics.鈥 -听Bob Stratton, MACH37
鈥淪uggesting that we need to sacrifice privacy in order to preserve security is a false choice. The two are not mutually exclusive.鈥 -Trevor Hughes, International Association of Privacy Professionals
鈥淭here should be no knee jerk reactions to technology and cryptography. The Paris attacks shouldn鈥檛 be politicized in this way; instead we should simply mourn the loss of life instead of using this as a platform to advance the debate in any one direction. The cryptography debate has been going on for a long time and we have always known that terrorists do and will use cryptography. Backdoors into encryption undermine its value and open it up to abuse. There is no 鈥済ood guy backdoor鈥 and even if there was there is no evidence that doing so would actually result in more identification and prosecution of terrorists. Even in the case of the Paris attacks there were multiple aspects of information sharing, coordination, and traditional intelligence analysis that could have been done to identify warning signs. The problem with government鈥檚 not identifying terrorists is not an issue of technology but an issue of the challenges towards intelligence in modern day society. There is an overvaluing of Intelligence towards this problem when there are other aspects of statecraft that must be engaged to stem violent radicalism. Simply put, Intelligence is not to blame and any failures in Intelligence are more likely to be the result in processes and bureaucracy not technology.鈥 -听Robert Lee, Dragos Security
鈥淚 disagree with the premise of the question. I have yet to see a credible story linking the Paris attacks to any use of encryption.鈥 -Influencer
鈥淭his question is hard to answer as constructed. If presented with duly approved legal requests, companies should provide decrypted information - if they are able to do so. Companies should not, however, be compelled to build in backdoors for the benefit of government intelligence gathering.鈥 -听Influencer
鈥淎dding a backdoor is a giant sword that cuts both ways.鈥 -听Scott Montgomery, Intel Security
鈥淲e should not be giving up our right to privacy because a terrorist kills someone. That鈥檚 what terrorism is - it scares people into making irrational decisions. It is exactly what they want. They want us to give up our freedoms and overreact. It鈥檚 a dangerous precedent we鈥檙e giving our enemies, 鈥楢ttack us and we鈥檒l tighten our noose on our own people, give you better attack points, and lessen their ability to protect themselves.鈥 It鈥檚 just a terrible idea to make an irrational decision out of fear.鈥 -听Influencer
鈥淚n our digital world, the use of encryption is intertwined with the ability to exercise our human rights. Now, more than ever, we must defend those rights and our freedom to exercise them.鈥 -Amie Stepanovich, Access
鈥淕overnment-required backdoors of large tech companies will not stop peer-to-peer encryption efforts by criminal and terror organizations. They can make their own way. Most large tech companies generally operate for the common good when asked by governments to make information available in special circumstances without being forced to do so by law.鈥 -听Influencer
鈥淎 bad idea doesn鈥檛 improve with less time to consider it.鈥 -听Nick Selby, StreetCred Software
鈥淚f such a system in place, terrorists will switch to alternate communications mechanisms, resulting in zero benefit to law enforcement. A better approach is a combination of 鈥榦ld fashioned police work,鈥 eliminating the funding sources of terrorism, and eliminating the root causes of radicalization.鈥 -听Influencer
鈥淓ven if tech companies gave law enforcement a backdoor to decrypt communications, motivated terrorists could find a way to communicate without depending on these tech companies.鈥 -听Yan Zhu, security engineer
鈥淭his *will not fix the problems*. They鈥檒l use non-regulated crypto. Meanwhile, innocent Internet users everywhere will have their security and privacy violated.鈥 -听Influencer
鈥淲e have to give law enforcement the tools it needs to detect and disrupt terrorists and criminals. But rushing ahead could do more harm than good. The reality is we cannot protect these 鈥渂ackdoors鈥 or special 鈥渒eys鈥. In essence, we would be leaving the backdoor unlocked not just for law enforcement, but terrorists, and cyber criminals.鈥 -听Jenny Durkan, Quinn Emanuel
鈥淔irst off, we shouldn鈥檛 be rushing to make changes without even knowing if this played a role. Second, the reason the administration ultimately backed down from Jim Comey鈥檚 push on this front is that all technologists agreed there was no such feasible solution. Thus, we need to take a deep breath and simultaneously recognize that sometimes global technologies can overcome our policy predelictions.鈥 -听Influencer
鈥淚 take the question to be not whether companies should be responsive to warrants -- if they fall under a government鈥檚 jurisdiction, they鈥檒l have to be, adjusting for whatever options for legal objection they may have. The real question is whether companies should be prevented from designing products and services that happen to deprive the companies themselves of the ability to see what their users are doing. And that, for both practical and theoretical reasons, is not a requirement that companies should have to undertake. A lot of my reasoning on this is spelled听].鈥 -听Jonathan Zittrain, Harvard Law School
鈥淭he effort to relitigate this issue because of Paris is foolishness.鈥 -Jim Harper, Cato Institute
鈥淭errorism is horrible. But we are worse off with no encryption.鈥 -Influencer
鈥淭he terrorist attacks on Paris are a terrible tragedy. Without question policy makers should make sure law enforcement has the right tools and resources to track down terrorists and stop them. It is important not to leap to the conclusion that mandating backdoors or exceptional access systems in commercial products is necessary. Experts agree that backdoors introduce security flaws and vulnerabilities. Consumers using these products may be more vulnerable if the security of them is weakened. Moreover, in an environment where there are plenty of open-source encryption options, it is unlikely that mandating backdoors on commercial products and major platforms will stop bad actors from using open-source programs, legacy technologies, or even their own products to hide their communications.鈥 -听Terrell McSweeny, Federal Trade Commission
听
听YES
鈥淲hen national security matters dictate, it requires a strong public/private partnership to mitigate threats and save lives.Sharing cybersecurity capabilities should be part of that partnership.鈥 -听Chuck Brooks, Sutherland Global Services
鈥淭he Paris events should have nothing to do with this. Under any circumstances, with due process under the law, mechanisms must exist to allow law enforcement to gain access to communications.鈥 -听Influencer
鈥淭his is a very difficult question, with serious policy and political issues arising from however one answers. There is the old legal aphorism, that 鈥渉ard cases make bad law,鈥 and this is certainly a hard case. But we are dealing with an implacable threat, which has shown no reluctance or mercy in attacking a wide range of 鈥榮oft targets;鈥 what if ISIS or another islamic terrorist groups acquires a WMD? Surely they would not hesitate to use it, with catastrophic consequences for the targeted area. In the aftermath of such a disaster, the least we鈥檒l be talking about is giving LE access to encrypted systems. I鈥檇 rather we are never faced with such a Hobson鈥檚 Choice, but keeping the terrorists on the defensive and ultimately defeating them, rather than cleaning up after another devastating attack.鈥 -听Influencer
鈥淚 would have answered the same way before the Paris attacks. I do not believe we want to live in a world where criminals are given guaranteed safe spaces to conduct their planning. We have never built cars with trunks that cannot be opened by law enforcement with a search warrant. After 9-11 you can lock your luggage but only with a lock that allows TSA access. Why are cell phone communications different? Reasonable people can disagree, but I am more concerned about the threat from terrorists and criminals than I am concerned about the NSA surveilling me.鈥 -听Influencer
鈥淭his was a legitimate concern before the attacks and the issue has created greater urgency. National security is an inherently governmental responsibility and the governmental must have access to this information with appropriate safeguards.鈥 -Influencer
鈥淚f the provider has a key, they should be required to provide it under law. But they should not be REQUIRED to create such a key. It is pointless to try to legislate against scientific progress.鈥 -Influencer
鈥淲ithin a legal framework that is transparent to the American people.鈥 -听Influencer
鈥淚 think that decryption technology, used correctly and legally, is perfectly appropriate for defeating nefarious actors. Personally, I鈥檓 willing to give up a little privacy control for a safer world.鈥 -Influencer
鈥淲hile I respect privacy rights, this is an opportunity to build an adequate legal framework for counterterrorism in the digital age.鈥 -听Influencer
鈥淭hey should provide as much access to securing the national defense as they do to profit making advertisers and data aggregators.鈥 -听Influencer
What do you think?听听of the Passcode Influencers Poll.
听
