By John Chen:
In the wake of the Paris terror attacks earlier this month, U.K. Prime Minister David Cameron proposed banning encrypted communications services such as those offered by Apple, Facebook and others. President Obama partially endorsed Prime Minister Cameron’s proposal a few days later, indicating he would support banning encrypted communications services that cannot be intercepted by law enforcement and national security agencies. While there is no publicly-available evidence that encrypted communications played any role in the Paris attacks, security officials say their ability to prevent future attacks will be hindered if terrorists are able to evade surveillance using encrypted communications and messaging services.
Privacy advocates have harshly criticized the Cameron-Obama proposals, arguing that encryption is a vital tool for protecting sensitive government, corporate and personal data from hacking and other forms of cyber theft. Following the recent spate of hacking attacks against Sony, Target, Home Depot, certain celebrity users of popular but hackable smartphones, and others, these advocates argue we need more, not less encryption. Further, they argue that banning encryption will not necessarily make it easier for security agencies to surveil terror plotters; after all, the terrorists will know they are being overheard and will simply communicate in new and ever-changing forms of coded language.
Reconciling these opposing perspectives on encryption requires a reasoned approach that balances legitimate national security concerns with legitimate cyber security concerns.
Privacy is Everyone’s Concern
Our dependence on computing devices for transmitting and storing sensitive personal information has become irreversible. Billions of items of personal information including health records, bank account records, social security numbers and private photographs reside on millions of computers and in the cloud. This information is transmitted via the internet every day. The same is true for highly confidential and proprietary business information. And of course no government or law enforcement agency could function without maintaining high levels of information security.
With so much information residing on computer networks and flowing through the internet, cyber security has emerged as one of society’s uppermost concerns. Protecting private and sensitive information from hacking, intrusion and exfiltration now commands the attention not just of computer professionals, but also heads of state, CEOs, Boards of Directors, small business owners, and every individual using a computer or smartphone, and even those who never use a computing device.
Modern forms of encrypting voice and data traffic provide the best protection for highly valuable and private personal, business and government information. Rendering data unreadable to the intruder greatly diminishes the incentive to hack or steal. Banning encryption, therefore, would dramatically increase the exposure of all such information to hacking and cyber theft. Clearly that is not a viable option.
Call of Duty
On the other hand, the same encryption technology that enables protection of sensitive data can also be abused by criminals and terrorists to evade legitimate government efforts to track their data and communications. Companies offering encrypted communications thus have a duty to comply with lawful requests to provide information to security agencies monitoring would-be terrorists. Companies like BlackBerry: We’ve supported FIPS 140-2 validated encryption in all of our devices for the past 10 years – longer than many of our competitors have been selling smartphones.
Depending on the particular technology involved, that information requested by law enforcement agencies might include the content of encrypted messages, but it may include other vital data such as user information, the dates and times the subscriber contacted other users, the length of such communications, the location of the user, and so forth. In many instances non-content user information can be even more important than the actual content itself, because such metadata can provide crucial leads and other vital intelligence to law enforcement and security agencies.
Let’s be clear: I am not advocating sharing data with governments for their ongoing data collection programs without a court order, subpoena or other lawful request. However, telecommunications companies, Internet Service Providers, and other players in the modern communications and messaging ecosystem need to take seriously their responsibility to comply and to facilitate compliance with reasonable and lawful requests for such information. Unfortunately, not all players in the industry view this issue the same way. Some Silicon Valley companies have publicly opposed government efforts to enable lawful surveillance and data gathering, even where lives may hang in the balance. These companies appear to be trying to position themselves as staunchly “pro-privacy,” without according sufficient weight to legitimate and reasonable governmental efforts to monitor and track would-be terrorists. Far from protecting privacy rights, this irresponsible approach risks providing ever stronger arguments to those who would subjugate all cyber privacy concerns to national security.
The answer, therefore, is not to ban encryption, because doing so would give hackers and cyber-criminals a windfall, making it much easier for them to mine billions of items of sensitive personal, business and government data. Instead, telecommunications and internet companies should cooperate with the reasonable and lawful efforts of governments to fight terrorism. That way we can help protect both privacy and lives.