Intelligence Agencies Keep Getting Dumber

I’m in Mumbai. A few days ago, homemade bombs killed nineteen(1) people only blocks away from the Internet cafe in which I’m writing this, the latest in an eighteen-year string of terrorist attacks on India’s busy commercial capital. And how have the authorities reacted? With sheer idiocy. Today, highway signs advised Mumbai’s population: PLS. AVOID GOING TO CROWDED AREAS – which, in this densely packed city of thirty-one million people, is a bit like telling fish: PLS. TRY NOT TO GET WET.

In related news, last week the Times of India reported that the Indian government would show “no leniency in monitoring social media sites.” Telecom minister Sachin Pilot, who last year demanded that Research In Motion allow the Indian government to eavesdrop on all BlackBerry communications within the country, is now targeting Skype and Google. His justification? “We can’t afford to take chances with national security.”

It’s an open question, and probably a moot point, whether Mr. Pilot really is that dense. RIM is providing some access, but can’t provide the encryption keys for BlackBerry Enterprise Server customers, because it doesn’t have them. India keeps demanding them nonetheless. Skype is a peer-to-peer service with no central nexus to tap into. And even if RIM does start collecting customers’ encryption keys, and Skype is re-architected to permit wiretaps—not entirely out of the question now that Microsoft owns them—smart terrorists will simply encrypt their conversations themselves, using any of a panoply of tools.

I don’t mean to pick on India in particular; I just happen to be here now. Authorities everywhere are just as dumb. The US government has made exactly the same demand: they more or less want all Internet communications redesigned so they can wiretap them. Because eavesdropping on POTS was easy, governments came to treat the ability to listen to any long-distance conversation as a divine right; and now that encrypted digital communications have taken it away from them, they have reacted with all the maturity and thoughtfulness of a child whose toy has been taken away. To cope, they want to build the tools and infrastructure of a police state(2), at enormous expense—and even if they succeed, that will still only help them catch the stupid terrorists.

Which is admittedly a worthwhile goal. Most terrorists are stupid: eg the shoe bomber, and the underwear bomber. But surely there are better ways to catch these morons than building a vastly expensive and dehumanizing panopticon surveillance state. My fear is that the authorities devoted to catching terrorists are, by and large, almost as dumb as their quarry. Do you think of the famed and feared NSA as a temple of brilliant acumen? Guess again: they recently wasted $1.2 billion on a boondoggle software system, before finally killing the project, and then thought it would be a good idea to pursue/prosecute the whistleblower who they should have promoted.

If intercept facilities are built into communications media, they will be used—and not necessarily lawfully. Last year Chinese hackers used Gmail’s backdoor access system, built because the US government demanded it, to access dissidents’ accounts. Even as governments everywhere clamor for the ability to hack into phone conversations, News International, and the entire British government, is reeling from the repercussions of illegal phone hacking.

You see the same thing with photography; tinpot dictators in the UK tried to effectively ban photography of police officers, or even pictures of public —a man was even jailed for photographing a sewer grating—and even though the suggested ban on cameras in New York’s subway was eventually kiboshed by cooler heads, people have been (wrongfully) arrested for just that. Meanwhile, tiny undetectable cameras get cheaper and cheaper. Again, the authorities so-called anti-terrorism measures will at best only catch the very stupid; meanwhile, they provide tools and excuses to harass, restrict, and inconvenience the innocent. Security guru Bruce Schneier calls most of what the TSA does “security theater“. Well, these attempts are nothing but the same thing on a larger and even more disturbing scale: national security theater.

The fundamental problem is that the people in charge of public security, whether in India, the USA, or the UK, tend to be either technically ignorant or more desperate to look like they’re accomplishing something meaningful than to actually do so, or both. But security theater doesn’t keep anyone safe. In fact, in the long run, it endangers everyone. The oh-so-dangerous twin genies of strong cryptography and surreptitious photography are long since out of the bottle, and all the futile demands and legislation in the world won’t stuff them back in. But it seems that governments around the world would rather live in furious denial than deal with that fact.

(1) Twenty, if you count the guy who died while being interrogated by the police.

(2) Of course, the police are less likely to have a problem with a police state.