Texas senator John McCain is again calling for the US to legislate against encryption technology, calling its use by terrorists “unacceptable.”
Writing in Bloomberg View, the former Republican presidential candidate says that “the threat posed by the status quo is unacceptable … But, just as Islamic State’s growth through the establishment of safe havens in Iraq and Syria was not inevitable, the group’s ability to use technology to the same end does not need to be either.”
Encryption is a hot-button topic right now. The technology allows users to protect their messages in such a way that they cannot be deciphered without the correct password or key — even by law enforcement, or the company that built the tech.
It has been around for decades — but has been increasingly incorporated into mainstream tech products (like the iPhone) after NSA whistleblower Edward Snowden’s revelations of government surveillance. This has made a lot of people very angry — principally law enforcement, who worry that vital evidence is “going dark.”
McCain is calling for a legislative solution — but one that just won’t work.
John McCain says that Congress “should consider legislation that would require U.S. telecommunications companies to adopt technological alternatives that allow them to comply with lawful requests for access to content, but that would not prescribe what those systems should look like.”
Software backdoors that will give law enforcement access to data, in short.
There are two key problems with this: security and efficacy.
First, let’s deal with security (and privacy). McCain writes that “our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement. Developing technologies that aid terrorists like Islamic State is not only harmful to our security, but it is ultimately an unwise business model.”
There’s a famous saying among cryptographers and privacy activists: “You can’t have a backdoor that’s only for the good guys.”
If you introduce a backdoor, there’s the risk of it being exploited by anyone. If US companies are being forced to weaken their encryption — encryption that often protects highly sensitive and valuable data — you can be sure that hackers, some state-sponsored, will do their utmost to find these backdoors and use them. We’ve seen something similar happen recently, with an apparent backdoor in Juniper firewall software exploited by an unknown third party.
But even ignoring privacy/security, there’s still the issue of efficacy. Legislative attempts to crack down on encryption just won’t work.
McCain acknowledges that “encryption technology is easy to get hold of and doesn’t require much sophistication to use.” Even if Congress did manage to force American companies to weaken encryption (crippling them commercially abroad in the process), any would-be terrorist/paedophile/criminal will simply switch to an encryption product not made in America.
ISIS guy 1: I know, let’s use cryptography to hide our messages!
ISIS guy 2: We can’t, it’s against the law in the UK.
ISIS guy 1: Oh, OK.
— Mustafa Al-Bassam (@musalbas) January 12, 2015
Stop freaking out guys: This is the new normal.
The use of encryption products by bad actors is well-documented. But this is inescapable. Because it’s not just used by criminals: Strong encryption underpins modern finance, secures our data, supports government communications. We couldn’t function without it. And it’s impossible to tell which uses are “legitimate” and which uses facilitate illegal activity because it’s all, well, encrypted.
Yes, this will be immensely frustrating to law enforcement unable to access certain communications. But there are still workarounds when investigators bump up against encryption.
Michael Hayden, the former director of the NSA, disagrees with the FBI’s current push to undermine encryption. After early efforts in the 1990s to regulate encryption failed, “we were still able to do a whole bunch of other things [to get the info needed],” Hayden said at a panel in October 2015 attended by Motherboard. “Some of the other things were metadata, and bulk collection and so on.”
It’s an alluring idea that we should require government access to encrypted data. But it would be impossible to enforce, software developers outside of Western jurisdictions would totally disregard it, and it would put ordinary people’s data at risk.
So yes, terrorists use encryption, and will continue to do so. But this is our new reality. As security researcher The Grugq puts it: “If your secure communications platform isn’t being used by terrorists and pedophiles, you’re probably doing it wrong.”