Stanford CIS

Blaming cryptography (and Snowden) again.

By Richard Forno on

Less than 2 days after the Daesh attacks in Paris, technology was, predictably, named as an accomplice -- if not an enabler -- of terrorism, crime, and other nefarious outcomes.

To wit:

The New York Times led the 'reporting' with this ...

The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.

...which was followed by former CIA acting director Mike Morell's comment on CBS' "Face The Nation:

I think what we're going to learn, we don't know for sure yet, but I think what we're going to learn is that these guys are communicating via these encrypted apps, right, the commercial encryption, which is very difficult, if not impossible, for governments to break, and the producers of which don't produce the keys necessary for law enforcement to read the encrypted messages.

And then yesterday, the current CIA Director, John Brennan, told an audience at the Center for Strategic and International Studies that:

In the past several years, because of a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability collectively, internationally to find these terrorists much more challenging," he said. "I do hope that this is going to be a wake-up call particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence security services are doing by some quarters that are designed to undercut those capabilities. [Brennan also noted that] terrorist operatives have "gone to school" recently on techniques that render their communications more difficult to intercept.

By contrast, if not also as a pre-emptive response, The Intercept’s Glenn Greenwald dropped a scathing and highly critical analysis of this absurd, highly predictable knee-jerk finger pointing under the title "Exploiting Emotions About Paris to Blame Snowden, Distract from Actual Culprits Who Empowered ISIS."  In it, he dredges up headlines and events dating back well into the 1990s to demonstrate the logical lunacy involved in the "blame Snowden" and "blame crypto" arguments -- or the notion that terrorists suddenly have, to quote Brennan, "gone to school" only recently (i.e., post-Snowden) to learn how to conduct clandestine communications.

Nevertheless, four days into the latest Daesh-induced global news cycle, not only do we see statements like these, but the renewed emergence of initiatives and efforts designed to weaken Internet security technologies in the name of fighting terrorism:

After Paris Attacks, Encrypted Communication Is Back In Spotlight (NPR)

Intelligence Officials Have Named One More Enemy in the Paris Attacks: Encryption (Slate)

Cameron advocates fast-tracking of controversial net legislation after Paris attacks (The Stack)  -- which CIS Cryptography Fellow Riana Pfefferkorn recently analysed.

After Paris, Encryption Will Be a Key Issue in the 2016 Race (Wired)

My own take?

Pointing fingers at technology or a single whistleblower represents little more than an attempt by a government to present the appearance of controlling a situation that may not be controllable.  After all, during times of public crisis or mass casualty events, citizens look to their government for answers and solutions.

However, those invoking Snowden or bemoaning strong encryption technologies in conjunction with Paris are being sensationalist at best and reactionary at worst.  Strong encryption, covert channels, and other ways of hidden communication between people, groups, and nations existed long before 2013 and the world ever hearing of Edward Snowden. The fact that several news outlets, including the so-called "newspaper of record" feel duty-bound to uncritically echo such claptrap (to include citing "unnamed officials" providing what essentially are conveniently-unattributable official statements) makes this questionable logic even more controversial when later used to support policy positions on the matter.

It's quite evident that "encryption" has become global law enforcement/intelligence's latest way of providing institutional and political CYA, even if it played no part in anything relevant to a given situation.  Didn't predict X?  Didn't know about Y?  Can't ascertain where Person Z was at a given moment?  Even if none of these items were ever really knowable or predictable to begin with, you can bet the "lack of warning" or "lack of knowledge" or "inability to 'connect the dots'" will be blamed retroactively on the availability of encryption.  Even if it isn't a factor, merely mentioning it (and then quietly retracting the statement if challenged on it) can assist in planting seeds of concern in the public (and political) consciousness. After all, the intelligence community's general counsel noted in an e-mail to the Washington Post in September 2015 that “the legislative environment is very hostile today [regarding privacy, security, and cryptography].....it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement. [There is value, he said,] in “keeping our options open for such a situation.”   Will the aftermath of Paris -- and the statements mentioned above -- be that desired tipping point for the Going Dark camp? And, oh-by-the-way, don't forget ... Snowden!

In light of the Paris attacks and the possibility that encrypted communications between the terrorists were involved, the desired government solution is to control/weaken (or potentially outlaw) any technology or mathematical algorithm that prevents it from quickly and easily accessing any and all digital information in the name of fighting terrorism and/or crime.  At the moment, governments are leaning toward the former.  But is there a sentient cryptographic algorithm (perhaps a government program called RAINBOW UNICORN) that can determine with absolute certainty who the "good guys" are when requesting access to protected digital data while at the same time ensuring that the "bad guys" cannot also gain access?  I think not.  Accordingly, this 'solution', while sounding helpful in the aftermath of a kinetic terror attack, if it ever becomes reality, likely will create more problems for society than it purports to solve -- as others have discussed over the years.

Encryption and other as-yet-undiscovered technologies will influence human society well into the future.  As such, in some cases, I'm reminded of Robert Romanyshyn's words from Technology as Symptom and Dream -- in it, he notes that since we can't disinvent discoveries like nuclear weapons or unsound medical advances, "it is a question of learning how to live with the knowledge which we have." We must recognise that strong mathematical equations (i.e., cryptography) are one of those things we can't disinvent -- and that the laws of math are, for the moment, not subject to the whims of man or his legal system.