Lawmakers are going after encrypted devices in a big way following the Nov. 13 terrorist attacks in Paris. But experts warn that doing so will actually hurt the average citizen and actually make it easier for terrorists to communicate without governments seeing it.
After the attacks, several lawmakers pointed to encryption as a contributing factor even before the facts had come out. Senate Intelligence Chairman Richard Burr, R-N.C., said it was "likely" that the terrorists used encryption to communicate. His ranking colleague on the committee, Sen. Dianne Feinstein, D-Calif., complained that encryption limited the amount of "good intelligence" that officials could gather. "Only good intelligence is going to keep people safe," Feinstein said.
Senate Judiciary Chairman Chuck Grassley, R-Iowa, struck a similar chord in more generic language. "Technology exists today that allows terrorists and criminals to communicate in the shadows, using encryption that makes it impossible for law enforcement or national security authorities to do everything they can to protect Americans," Grassley said.
However, the specifics of any solution were vague. "We're going to have hearings on it and we're going to have legislation," said Senate Armed Services Chairman John McCain, R-Ariz., without specifying what the legislation could look like. He added that encrypted communication is "unacceptable."
Yet on Nov. 18, French police found an unencrypted phone that had been used by one of the terrorists. One of its final messages was a text that said "Let's go, we're starting." As it turned out, there was no need for the terrorists to use encrypted communication. They were able to evade authorities without it.
For lawmakers who have long sought technical "backdoors" that would enable law enforcement officials to bypass encryption, that was bad news.
Industry leaders are opposed to weakening encryption, with companies like Apple and Google encrypting most of their users' data by default. The Information Technology Industry Council, a trade association that includes Apple, Google and Microsoft, put out a statement after the attacks affirming its opposition.
"We deeply appreciate law enforcement's and the national security community's work to protect us, but weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy," President Dean Garfield said in a statement.
Joseph Bonneau, a postdoctoral researcher at Stanford's Applied Crypto Group and fellow at the Electronic Frontier Foundation, elaborated on the position that many technical experts have taken. "Most governments naively believe they can mandate 'backdoors' or extraordinary access in a way that is available to 'nobody but us,' Bonneau told the Washington Examiner.
Bonneau added that the technical dimension is as problematic as the legal side. "Even if we could agree on the set of governments who should have access, in practice we've found consistently that attempts to build this kind of access end up with implementation bugs that can be exploited to gain access," Bonneau said. "It is effectively impossible to write software without bugs, and bugs in an extraordinary access system are particularly dangerous, which is why the tech community knows 'nobody but us' is impossible to achieve."
While the legal and technical ramifications are significant from an international perspective, that doesn't stop law enforcement officials, like FBI Director James Comey, from wishing for more effective surveillance methods.
"The threat posed to us by ... the so-called Islamic State, which, in the United States we talk about what they've been doing here, the recruiting through social media, if they find a live one, they move them to Twitter direct messaging, which we can get access to through judicial process," Comey said a cybersecurity symposium in New York. "But if they find someone they think may kill on their behalf, or might come and kill in the caliphate, they move to a mobile messaging app that's end-to-end encrypted."
However, experts have noted, a sophisticated adversary is going to adapt to find means of staying off the grid regardless of the legal status of encryption, which means that lowering security standards hurts average people more than anyone else. "On raw security terms, we are better served by raising the water level of global encryption," retired Gen. Michael Hayden, who led both the CIA and NSA, said in October.
"If the American government can insist that Google decrypt messages from Chinese citizens," Hayden added, "we've got to admit the Chinese get the same right to do that ... in the United States, because the Chinese definition of cybersecurity is just a hell of a lot more expansive than ours."
Despite the calls from some in Congress, it does not appear that any new laws will be passed in the short term. The Obama administration has leaned with relative consistency in favor of strong encryption standards, and in the days leading up to Paris, the president opposed passing any laws on the matter.
"As the president has said, the United States will work to ensure that malicious actors can be held to account — without weakening our commitment to strong encryption," National Security Council spokesman Mark Stroh said in October.
Though the president was not looking for a legislative remedy, Stroh suggested, the administration would seek to work with the industry in mitigating threats, adding, "We are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors' use of their encrypted products and services."