In the wake of Paris, San Bernardino, and now Brussels, the encryption debate has become such a potent cocktail of horror, idiocy, and farce that it has become hard to tease out any rational threads of discussion. There is so much stupidity that I hardly know where to begin; but let’s start with the farce. Everybody loves a farce, right?
To recap: immediately after the San Bernardino attack, the FBI acquired the attacker’s work phone, which (unlike his personal phone) he had not bothered to destroy, and promptly locked themselves out of it. Months later, they / the San Bernardino DA decided to try to use the 200-year-old All Writs Act to force Apple to hack into it, claiming — I am not making this up —
The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure
Can we all just pause for a moment to bask, once again, in the breathtaking idiocy of that statement? And then all agree that we so do not even? It’s like many of the people who make up our society’s hierarchy of power and influence have so little understanding of the technologies that underpin our world that they are unable to distinguish between cartoonish Hollywood depictions and reality.
…So, eventually, after a massive backlash, the powers that be–perhaps tired of gruesomely embarrassing themselves on a near-daily basis, and being unceremoniously schooled by Apple’s far superior lawyers–
–abruptly decided they didn’t need Apple to access that phone after all. As experts (including a friend of mine) had been saying all along.
So did sanity return to the discussion? Did it hell. First, word broke out that the US government is seriously considering attempting to legally force WhatsApp to cripple its end-to-end encryption in the name of wiretaps, possibly using the same legal strategies that have clearly been working so well for the FBI.
Then, days after the awful attacks on Brussels, the New York Times — which had previously published-and-then-retracted quotes from anonymous sources who (completely wrongly) blamed the Paris attacks on encryption — published these unbelievable howlers:
According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption […] When the laptop powered on, she saw a line of gibberish across the screen: “It was bizarre — he was looking at a bunch of lines, like lines of code. There was no image, no Internet,” she said. Her description matches the look of certain encryption software, which ISIS claims to have used during the Paris attacks.
There is so much dumb in those two quotes that I scarcely even know where to begin. Fortunately, Rob Graham wrote an excellent takedown of them, along with this great tweet:
…So of course Rukmini Callimachi, the NYT reporter in question, doubled down on Twitter.
…Why, it’s like many of the people who make up our society’s hierarchy of power and influence have so little understanding of the technologies that underpin our world that they are unable to distinguish between cartoonish Hollywood depictions and reality. Again.
Unfortunately, we have now come to the part of this post where it is time for me to train my guns on my allies. As is probably clear, I support strong end-to-end encryption, and I think the creation of any kind of back door is a terrible idea. That said, a lot of people on my side are arguing from flawed principles based on political and emotional rather than rational precepts, and they should stop doing that posthaste.
Let me explain. First, many of my pro-encryption, anti-back-door allies are arguing from a nakedly American-libertarian, government-oversight-is-bad stance. I neither agree with them nor think that this is a particularly smart approach. Talk of deliberately putting technology beyond the reach of the law and/or government is what Fred Wilson calls “privacy absolutism,” and it is dumb and counterproductive. Wilson writes:
If society thinks someone is doing something wrong, and if law enforcement can get a warrant, there should be a mechanism to get access to our devices […] I am saddened by the tech sector’s absolutist approach to this issue. The more interesting and fruitful approach would be to think about the most elegant solutions and build them.
And, indeed, if we were to have back doors / escrowed keys, I prefer his partner Albert Wenger’s approach — a unique key for every single device — to a master “golden key” that would open everything. (This doesn’t mean I think that this is remotely a good idea, though; see below. Just a marginally less bad one.)
Second, my pro-encryption allies keep yammering on, loudly and pointlessly, about how what’s happening today is just another version of the “crypto wars” that were fought in the 90s. That may well be the case. So what? The world has moved on; technology has moved on; geopolitics have moved on; the people who make decisions have moved on.
You don’t win arguments by claiming “we won the last argument, 20 years ago, in the depths of Internet prehistory, so therefore you’re not allowed to start this new one, nyah nyah!” Please, my allies, stop talking about the 90s. The 90s are ancient history. Nobody cares about the 90s. Let them rest in peace.
What we should be talking about, loudly and ceaselessly, is the fact that even if the tech industry did give the government everything they wanted, this would be completely ineffective. We need to explain this as often as we can, because while it may seem obvious to us, we have been blessed–see above–with indication after indication that large swathes of the government and the media are too ignorant to understand this simple and unfortunate truth.
Consider two analogies. One: gun control. I don’t want to extend this too far — encryption is not a munition, the Second Amendment is not relevant to this debate, etc — but, as a proud Canadian, I think gun control is generally an excellent idea. However, if I knew that anyone who wanted to possess a gun illegally could have one delivered to them overnight by a stealth drone with zero chance of being caught, for free, then I expect I would reconsider my analysis in a hurry.
That is where we are with encryption. Anyone who wants strong end-to-end encryption can get it, for free, with very little effort. Some people seem to have a misconception that Apple’s encryption is especially strong. It isn’t. The state-of-the-art of end-to-end encryption software is Signal, which is free and open-source. (WhatsApp adopted their technology.)
The day Apple allows any government to insist on back doors is the day every remotely competent bad actor in the world switches to third-party encrypted apps which require their own separate access codes. (The non-remotely-competent ones, by definition, can be caught without resorting to back doors.) This will immediately put them out of the reach of that “lawful access.” Any attempt to fight encryption with back doors is Whack-a-Mole with an infinite number of moles, unless the powers that be are willing to expand it into an all-out war on general-purpose computing.
But guess who will be affected by back doors on default / widely used messaging systems? Everyone else who uses them — ie all the innocent ordinary people — because adding back doors, again by definition, hurts everyone’s security. (There is a long, sad, compelling history of “secure” back doors ultimately being used for unauthorized access. Even mighty Google has been successfully attacked in that way — by the Chinese, no less.)
Analogy two: TSA locks on luggage. I can certainly see, and even support, the logic behind that initiative. But what if anyone who really wanted to could install their own locks that the TSA couldn’t open, but airplanes were required to convey that luggage anyhow? Does that sound like an utter waste of time and energy whose only outcome would be to reduce the security of luggage and air travel in general? Does that sound, in fact, completely insane? It certainly does! But that is an excellent analogy for the claim that the tech industry needs to provide lawful-access back doors into their systems.
Let us focus on that unfortunate but inarguable truth. Let us not talk about government overreach, or technology trumping law, or libertarianism, or the crypto wars of the 90s. Let’s focus on how encryption is merely math, which anyone can do, and let’s explain how world-class “military-grade” implementations of that math are already available, for free, to anyone and everyone. Whether you like it or not, that djinn is well and truly out of its shattered bottle, and no “elegant solution” might squeeze it back in. No one can win a war on math, so please let’s not start one. Everyone will lose.Featured Image: Gunther/Wikimedia Commons UNDER A CC BY-SA 3.0 LICENSE