BY ANN CAVOUKIAN
THE GLOBE AND MAIL
The aftermath of any major terrorist attack such as the recent tragedy in Paris appears to predictably include a call for new privacy-invasive policies that restrict freedom. After the attacks on 9/11, it was the passing of the USA PATRIOT Act; after the 2014 attack on Parliament Hill, it was the passing of Bill C-51. Throughout history, governments have always been a double-edged sword: We give them a monopoly on the use of force to protect us against the dystopian elements in our society, but in our constitutions, we have placed strong limits on the use of this force.
We are now enjoying a bonanza in innovation in the area of information technologies. The associated prosperity has improved the lives of millions, and will continue to do so. But the entire infrastructure of this new prosperity boom is based on security, specifically strong encryption. Modern-day Bonnie & Clydes don’t rob banks any longer, they rob bank accounts.
The target is now the use of strong encryption. Before the Paris attacks, intelligence agencies and pro-surveillance politicians were already resisting the widespread adoption of encryption. A number of notable companies nonetheless enabled encryption by default to protect the data on mobile devices such as cellphones and tablets. After Paris, this resistance has grown into an uproar, calling for regulations restricting the use of encryption, and the introduction of mandatory backdoors into encrypted communications – all in the name of protecting us from terrorism.
In theory, the proposed backdoors would give law enforcement the ability to access encrypted data. However, contrary to what the proponents of backdoors believe, the reality is very different. What is obvious to all cryptographers and security experts is: you cannot build “backdoors” which only the “good guys” can use. The “bad guys” will quickly discover them and gain entry. You only need to look at the spate of hacks and data breaches in the news to understand the difficulty of maintaining data security, even without the handicap of a government-imposed insecure backdoor, an issue addressed this past summer in a publication entitled Keys Under Doormats.
From a practical perspective, the majority of data infrastructure is now protected by strong encryption. Do we really think that businesses are going to “trade in” their “good” security for the “bad” security governments want us to have? Encryption is essential to preserving security in an insecure Internet. Any website which uses “https:” uses encryption with which to communicate securely. This enables the secure transfer of passwords, credit card numbers, mobile payments, etc. Encryption protects your medical records, your banking records, your financial transactions, and permits you to securely file your taxes online. This is only a fraction of the security uses it provides throughout the entire networked infrastructure of the Internet.
But encryption serves a far broader purpose than facilitating security: it enables our very freedom in a digital world. Encryption is a vital tool for enabling journalists to operate in countries without freedom of the press; allowing dissidents to co-ordinate against oppressive regimes; and in democracies, encryption empowers ordinary citizens to counteract intrusive government surveillance programs.
Even without backdoors, there are still numerous avenues available for intelligence and law enforcement agencies to investigate terrorists and criminals. Encryption may protect the content of a message, but it doesn’t hide where it is being sent. This leaves the “metadata” associated with an e-mail, text, or phone call accessible to the authorities with the production of a proper warrant or court order. Moreover, seasoned law enforcement and intelligence operatives will tell you that what is needed to catch the “bad guys” is good old-fashioned “boots on the ground” infiltration of their networks, and information sharing among various arms of law enforcement and intelligence. Both in 9/11 and in the Paris attacks, greater co-ordination among these agencies may have potentially served to subvert or minimize the attacks.
We stand to gain far more from strengthening encryption than we do by curtailing it. Repressive regulations introducing backdoors would only serve to hamper the implementation of strong security controls that are absolutely essential in the digital world. We must stand against any government measure that would compromise or weaken encryption. Encryption is critical to protecting a wide swath of information and a vital component of preserving our privacy and freedom.