Trading in privacy doesn't increase security


The last 18 months, since Edward Snowden revealed to the world that the NSA was performing massive data collection, not only on US citizens but on virtually every citizen of the world, have been interesting. Our illusions that governmental agencies were protecting us while playing by an imagined set of rules that protected our privacy have been blown apart. We found out that it wasn't just the US government spying upon its citizens. Nearly every government in the 'free world' is spying on its citizens in bulk to some degree. This has led to international debate about the validity of spying upon your own citizens, bulk data collection and the role that businesses play in such a field.

Businesses have heard the cry from the public loud and clear that participating in governmental data collection is a serious concern for many people. Especially in Europe, businesses have had to answer probing questions about how they work with governments and what efforts they're making to ensure that they aren't contributing to what many see as illegal overreach by the agencies in the name of protecting from vague threats to the populace. Apple and Google in particular responded by beefing up the security of iOS 8 and Android Lollipop, with both operating systems encrypting their storage by default using keys that only the user has access to and making it impossible for the companies to cooperate in decrypting the data. It's also led leading social media sites like Twitter and Facebook to re-examine their own practices and beef up the security and privacy of their platforms, such as Facebook's enabling access from the Tor network.

Cue concerns by law enforcement agencies that allowing encryption which they don't have the keys to will enable criminals, terrorists and pedophiles to commit horrible deeds without fear of being caught.  One of the first and most strident was an article in the Washington Post laying out a story about how encryption could have compromised a recent effort to help a kidnap victim.  Except there were major holes in the story and the ways encryption would have stymied the investigation; almost every piece of information that was mentioned as being vital to the effort isn't affected by cell phone encryption. Information such as location and call records aren't under the control of the owner of the cell phone and won't be affected by the encryption of data on the phone itself.

This was followed quickly by FBI Director James Comey loudly and stridently criticizing the privacy moves by Apple and Google. His argument is that allowing encryption of devices without including a back door for governmental bypass enables users to place themselves "beyond the law". Director Comey seems to make a number of the same mistakes made in the Washington Post article, placing more importance on the data on the phone than the metadata available through service providers. The main problem with this argument is that data on the phone is more useful in later prosecution than it is in prevention.

The latest law enforcement figure fighting to keep access to the public's data is Robert Hannigan, director of GCHQ. In the Financial Times, Hannigan argues that terrorist organizations such as ISIS rely heavily on social media to spread their message and that any effort by companies such as Twitter, Facebook and WhatsApp to provide privacy to their users is directly counter to the security of the nation. His claim is that any social media site or program that makes it possible for a user to encrypt their communications adds a layer of difficulty for law enforcement that is insurmountable without the aid of the companies providing the tools. He calls on these companies to work with law enforcement and welcomes public debate over the privacy concerns.

The argument that encryption can be used by bad people was a large part of the argument used in the original Crypto Wars back in the 90s. It was a scare tactic used by the US government to label cryptography as a weapons-grade technology and make exportation of crypto software from the US to hostile countries a crime. But governmental concerns were baseless. Arguments that allowing cryptography to flourish would lead to the downfall of western civilization proved false and eventually the battle to make encryption usable by the average user was won. Comey, Hannigan and others in law enforcement have forgotten that battle, or are hoping to retake ground lost two decades ago.

A second counter to the government's arguments is that it's impossible to make a back door that can be used legitimately by one government that can't also be abused by another. Whether the government is a foreign power whose rules are in opposition to your own or an agent within your own structure abusing his or her access, once you've made that back door available to yourself, it's also going to be available to other actors whether that's desirable or not. There's also the security of the back door itself. It's hard to create a back door that can be used by legitimate actors that can't be hacked or broken by the criminals and terrorists themselves, placing the public in even greater danger.

Finally, there's the question of whether giving law enforcement agencies access will even have the effects they're claiming it will. In the US, the statistics disprove the claims made by Director Comey; prior to 2012, there were no cases of encryption interfering with a criminal investigation involving eavesdropping. In 2012, there were four cases, and in 2013 there was a grand total of nine cases that were interfered with by encryption out of over 3500. And in each of these cases the investigations continued without the encrypted information. If encryption only interferes with 0.3% of all cases, is it actually worth potentially compromising the security of all users in order to catch such a small minority of criminals?

When you take a scholarly view of the effectiveness and ethics of mass surveillance, almost every type of monitoring fails. The damage done to personal liberties, primarily privacy, far outweighs any increases to the security of the populace. If the GCHQ and FBI want to have the cooperation of businesses and the public, they need to cease the rhetoric of terrorism and prove that mass surveillance is actually effective in any way. The public debate that Director Hannigan is asking for is going to require that he brings statistical data to the conversation rather than just fear, uncertainty and doubt.

When we're talking about terrorism, it pays to remember that it was a failure of human intelligence, not machine intelligence, that allowed the attacks of 9/11 to be carried out.
