When authorities realized the Paris terrorists used strong encryption to send messages to one another they went off the encryption deep end. Now, many nations are considering legislation to ban strong encryption. If strong encryption is banned, only terrorists will have it. Moreover, restricting strongly encrypted speech over the Internet would be a victory for the terrorists. After all, one aim of terrorism is to scare us into giving up our freedoms. Once we give up our freedom to communicate privately we are sliding down the slippery slope of despotism—and the terrorists win.
An Open Backdoor
Law enforcement agencies like the FBI have long advocated for an information technology backdoor so they can read or crack encrypted messages under a court order. Court orders have long been used to bypass Constitutional guarantees such as the right to privacy in your home or car and the right to private telephone conversations. These legal violations of privacy are justified only when sufficient evidence is available to suggest that a crime is being committed, or national security is at risk. Why is the proposed information technology backdoor so controversial when it is so similar to what we already tolerate?
I will use the phrase “strong encryption” to mean an unbreakable code devoid of any way around it such as a backdoor. I will use the phrase “weak encryption” to mean any protocol that can be broken in a reasonable time or bypassed altogether. The literature is not clear on what constitutes weak encryption as proscribed by law enforcement, so it may be useful to explore what a backdoor actually means—a topic rarely explored by either side.
At one extreme, it could simply be a key escrow database containing all of the keys used to encrypt SSL/TLS messages. While this database would be enormous and itself constitute a vulnerability to hacking, it would allow law enforcement authorities to obtain keys used by suspected terrorists under the authority of a court order. Assuming such an escrow account can be maintained securely, it would give law enforcement the ability to intercept conversations between terrorists either to deter them or to prosecute them after the fact. This ability is no different than the current ability to tap telephone conversations between suspected criminals under court order.
At the other extreme is the scheme Silicon Valley leaders like Tim Cook, CEO of Apple object to—code within all devices that bypass the encryption process itself. The so-called backdoor is an alternative access path that bypasses protections provided by encryption. Most likely, the backdoor would itself be locked and require a superkey to unlock it. Who has access to the superkey, and how can consumers be assured the backdoor is secure? The presence of a backdoor essentially weakens any encryption technology, hence strong encryption becomes weak encryption. Law enforcement could use it to eavesdrop on communication during an illegal activity or use the eavesdropped data as evidence in a prosecution. In theory, only the legal authorities would have access to the backdoor. But here is the rub—it is almost a theorem of technology that if the authorities can do it, so can the criminals. Backdoors are even more dangerous than strong encryption because they give the false impression that communication is private, when it may not be. Simply the knowledge that a backdoor exists challenges hackers to attempt to break it open. Eventually, they do.
Free Speech 101
Strong encryption would have to be banned if weak encryption becomes the law of the land, because the existence of strong encryption that cannot be cracked, or bypassed by a backdoor, defeats the purpose of legislating a backdoor or any other form of surveillance. Naturally, the question is, “Can they do this?”
A ban on strong encryption may face First Amendment challenges, because it limits what can be communicated. (Is encrypted language equivalent to any other language?) The U,S. Constitution defines many freedoms that have saved both Americans and non-Americans from tyranny. While the so-called Free Speech Clause (FSC) says freedom of speech is an American right, freedom of expression has also been accepted as a human right by the UN since 1948 (Article 19).
The U.S. First Amendment says, “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances” [1]. Article 19 of the UN’s Universal Declaration of Human Rights says, “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers” [2].
FSC prevents, “abridging the freedom of speech,” and the UN guarantees “freedom of opinion and expression,” but interpretation of these freedoms has evolved over a long period of time. In some cases, laws have been passed that nullify both the FSC and UN Article 19. What exactly does freedom of speech and expression mean when applied to encrypted messages? Does it mean anyone can say anything against anyone else with impunity? Do these declarations extend the freedoms to criminals and terrorists? Is the use of cryptographic hash function SHA-256 the same as the use of the Navajo language to conceal messages during WWII? Strong encryption seems to ban the use of “encryption language” from the Internet.
Intended Consequences
Law enforcement has good intentions. Obviously a backdoor allows them to intercept terrorist communications and prosecute cases. More significantly, banning strong encryption may be no different than existing bans on speech. For example, we have laws that prevent discriminatory or “hate speech.” There are bans on speech that defames others, and much of our copyright law protects authors from plagiarism. Sensitive stock market information is withheld to prevent “insider trading,” and client-patient confidentiality restricts what doctors, lawyers, and journalists can say about their clients or subjects.
I am not worried about the intended consequences, because they are narrow and focused. It is the unintended consequences that come with broad and sweeping side effects of a backdoor that worry me. When it comes to Internet encryption, we are talking about the entire human population.
Unintended Consequences
I suspect lawmakers do not understand the many unintended consequences of a ban on strong encryption. The first and most obvious consequence is the rise of black market, strong, encryption technologies for use by criminals. Banning strong encryption makes it illegal, but does not actually banish it. But there are other, less obvious potential bad consequences. The entire online financial system depends on strong encryption. For example, the highly touted Bitcoin block chain is likely to accumulate exabytes of critical financial data over the next decade. It depends on strong encryption. Do we want this house of banking cards to fall if and when someone hacks its backdoor?
Suppose we all start using encryption technology with backdoor access. Furthermore, what if we use this backdoor technology to encrypt national secrets that rival the classified data exposed by Edward Snowden, and sometime in the distant future a clever adversary finds a way through the backdoor. The security of the entire country suddenly goes down the drain.
Suppose I use SHA-256 encryption to conceal love letters emailed to my wife, when she is visiting a free-speech country. If that country bans strong encryption—making it an exception to the free-speech doctrine—is my wife an outlaw for reading her email? Am I an outlaw for sending it? Simply by encrypting it—translating if from English to a cryptogram—we become outlaws. Is this right?
Banning my right to communicate in encryption language instead of plain English is one step toward banning other forms of expression. For example, does the ban apply to communicating with my driverless car? Does it prevent me from talking confidentially to my domestic robots? Even worse, does it expose all of my conversations with my domestic robots over past years of service? Can I be punished for “hate speech” against my appliances many years later?
Do we really want to give up assurances of privacy and security simply to make life easier for law enforcement? Are we considering backdoors to save ourselves, or are the terrorists making that decision for us? Consider the trade-offs before you simply give in to fear.
References
[1] First Amendment to the United States Constitution. Wikipedia.
[2] The Universal Declaration of Human Rights. United Nations.