Imagine a world where no online message or internet history could be tracked or decoded by intelligence services. Whilst it might protect our personal information and private messages, surely it would also allow terrorists and other criminals to congregate, plot and plan in secret on the internet? What if a terrorist organisation was planning an attack and intelligence services couldn’t find out the details of it because all of the messages were encrypted?
Using the above logic, governments have determined that encryption is terrible for national security and that it is necessary for them to have access to every single citizen’s data. This is why UK Prime Minister David Cameron called for a ban on encrypted messaging at the beginning of 2015.1
Encryption transforms our emails, pictures and conversations into a secret code and guards it with a key to ensure that no unwanted third parties, such as hackers and advertisers, can access that private data.
It is easy to imagine encryption as a safe harbour for those who wish to harm us.
However, there is plenty of evidence to suggest that encryption is not the enemy of national security. On the contrary, not using encryption leaves us all in danger.
Banning encryption will not help governments catch criminals
In 2009, a study of crime statistics released by the German Federal Crime Agency found that the introduction of mass data retention made almost no difference to fighting crime in
Germany.2 The number of serious crimes being cleared fell by less than 1%, and there was not enough causal evidence to suggest that even this miniscule improvement could be attributed to the introduction of mass data retention.3 It was found that scanning all telecommunications actually obstructed investigations because criminals took up alternative means of communicating such as unregistered mobile phone cards, public phones and letters.4
Cybersecurity experts also confirm that banning encryption and mass data retention will hinder intelligence services from catching criminals. One of the issues with the Charlie Hebdo attacks was that whilst the French intelligence service was already intensely monitoring those involved in the shootings, they were also keeping tabs on thousands of other suspects. As a result, when the intelligence service could not find adequate evidence, just six months before the attack, they dropped the surveillance in order to prioritise other more “high risk” cases. Figuring out who was a real threat, let alone working out when and where an attack was likely to happen, was like trying to “find a needle in a haystack”.5 If intelligence services expand their search to everyone, they will have to go through a vast array of online communications: email, Skype calls, FaceTime, instant messaging, photo sharing, cloud storage, etc. Instead of finding more “bad guys” they will simply be piling
“more bales of hay” on top of the needle, making it even harder to decipher real criminal threats.6
It’s worth noting that the terrorists involved in 9/11 did not use encryption when plotting their attack. They communicated via standard unencrypted emails, using their real names and frequent flier identifiers.7 Similarly, as stated above, the men involved in the recent Charlie Hebdo attack were already under intense surveillance prior to the shootings but were taken off surveillance because the intelligence services had to prioritise resources. It is possible that the shooters coordinated the attack in the six months that they were not under surveillance.
Other experts point to other potential causes of the intelligence failure. Colonel Cedric Leighton, former deputy director of the National Security Agency, stated that the intelligence failure was caused by a lack of international cooperation between intelligence agencies. The US had already put the attackers on the “no-fly” list, but it would appear that the French intelligence failed to act on this.8 Similarly, former senior FBI official, David Gomez, suggests that the intelligence services need to improve their relations with informants and those who could voluntarily report suspicious behaviour.9
It is possible that the reason why French intelligence failed to generate evidence when surveying the attackers is not because of encryption, but because the attackers tried to not communicate with others whom they knew to be under surveillance, and/or “avoided any activities that might have drawn the attention of French security and law enforcement services”.10 Additionally, they could well have been using other forms of communication.
The Charlie Hebdo attacks were caused by an intelligence failure, but it remains to be seen that this was a failure caused by encryption or one which could have been prevented by banning encryption.
Is there not a compromise?
One solution that governments have suggested is for people to use encryption software that contains a “government-only” backdoor. This would allow the government to access a person’s communications on a case by case basis. One method of this would be giving the government a special key or password to the encrypted files.
However, in the online world there is no such thing as a secret backdoor that only government can use. If there is a backdoor, anyone with enough skill can enter through it.
As Jill Killock, director of the Open Rights Group explains, “The problem with key escrow or the use of master keys is that they leave a particular encryption method with a secret backdoor, and give every criminal the certain knowledge that this backdoor exists. Criminals then know that they can find a way to break into encrypted material, given a certain amount of effort.”11
Encryption needs to be all or nothing – your files are either completely encrypted or not secure at all.
Encryption decreases crime
The truth is that terrorists are not the only threat to our security. Every day criminals use the internet to steal our identities, extort money from us, spread malware attacks, hack our social media accounts, and ransack our businesses. In the last four years alone, US-based organisations have experienced a 176% increase in the number of cyberattacks. In the past year the average cost of cybercrime for US retail stores has more than doubled.12
In 2014 we experienced some of the biggest and most high-profile hackings to date. Millions of customers’ credit card details and personal information were stolen from retail giants Target and Home Depot. Messaging and data storage providers such as Google, Yahoo!, Evernote, iCloud and Snapchat were also hacked, leaving email accounts and personal information in the hands of criminals.13 Naked pictures of Jennifer Lawrence were shown to the world. Sony is currently being sued by its employees after the biggest hacking scandal of the year – hackers broke into Sony’s servers and released employees’ healthcare records, personal details and private emails (one email infamously called Angelina Jolie a “spoilt brat”.)14
Cybercrime costs the world approximately $400 billion a year, and without encryption these costs will continue to rise.15
Everyone who uses the internet needs encryption software
Encryption is not only used by evil villains and criminals with “something to hide”. Every day ordinary people are victims of cybercrime: credit card details and entire identities are stolen, email accounts hacked into (and subsequently any online account linked to that email address), and phishing scams successfully carried out. These are very real and increasing dangers that we all face, and encryption is our only protection from them. A document from the US National Intelligence Council actually states that encryption is the “best” (and only) defence against cybercrime.16
We need encryption so that we can buy and sell items online, and digitally store and exchange information (for instance healthcare and insurance records, online banking, private photos and documents in the cloud). Encryption is the only way that you can ensure that your emails are not read by hackers or unwanted third parties such as advertising companies.
And it is not only our money that encryption protects. In recent years it has become increasingly clear that our online personas affect our insurance premiums, credit ratings and job prospects. If someone were to hack into your private accounts and leak personal information, the effects could be disastrous for your reputation as well as your bank account. An example could be sharing a private photograph with your partner via email, and a hacker getting into your email account and sharing your photo with the world. Every time someone
Googled your name, the photo would show up. Once something is posted on the internet, it will be there forever and cannot be forgotten.
We cannot expect the law to protect us
The laws surrounding online privacy and cybersecurity remain unclear and fragmented. If someone broke into your home and copied your documents, they would be guilty of trespass and invasion of privacy, but your online privacy is not protected in the same way.17 There have been countless cases where wronged individuals have sought justice for blatant online privacy violations, only to be faced with a blank wall because the current laws are not up-to-date with cybercriminals and online communications.
The Nikki Catsouras case is a classic example. Nikki Catsouras was a young teenage girl who was decapitated in a car crash. The Californian Highway Patrol who arrived at the scene took a picture of Nikki’s body and uploaded it to the internet. The photo rapidly spread across the internet, featuring on more than 2500 websites. The Catsouras family then attempted and failed to sue the Californian Highway Patrol. Whilst you would think that it would be an open and shut case in the Catsouras’ favour, according to Californian law the rights to the photo died with Nikki, preventing the family from gaining adequate justice.18
Another problem is that the laws regarding cybercrime vary from country to country. The laws are not the same even within one country alone as they often differ according to local councils, local governments and various courts of justice.
The law has not caught up with modern cybercrime and it is currently our responsibility to ensure our privacy and security.
Encryption protects us more than it harms us
The internet has become a virtual extension of our homes. We would not leave our homes unlocked and give people access to our paper bank statements, health records, personal letters and family photo albums, so why should we leave our digital homes and documents unprotected? The best way to look at encryption is that it is like the lock and key that you use to protect your home. Encryption does not let the criminals in – it’s the only thing that keeps them out.