NOV. 18, 2015 — In the aftermath of the bloody terrorist attacks in Paris, top national security officials and their allies in Congress called again for technology companies to ensure that the government can unscramble what their users have encrypted. For example, Sen. Charles E. Grassley, R-Iowa, told Politico: “Technology exists today that allows terrorists and criminals to communicate in the shadows, using encryption that makes it impossible for law enforcement or national security authorities to do everything they can to protect Americans.”
Added Sen. Dianne Feinstein, D-Calif., on MSNBC: “Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way — to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner — that’s a big problem.”
The targets of the senators’ ire are companies such as Apple and Google, whose devices can encrypt users’ data in ways that even the companies cannot unscramble. That’s a relatively recent shift; the companies previously could unlock users’ messages or files in response to a court order. But after the leaks by Edward Snowden, a number of tech companies gave up that ability to mollify consumers concerned about widespread government surveillance. Now, the only way to decrypt such a file may be to gain access to the suspect’s device and, in some cases, persuade the suspect to help.
It’s not surprising to hear politicians argue for more surveillance powers after a terrorist attack. Yet before we try to strike a new balance between the competing interests of public safety and personal privacy (or individual liberty, for that matter), it’s important to know just what the threat is and how best to respond to it.
While it’s clear that some terrorists are using encryption, investigators haven’t shown that the plotters behind the Paris attacks or other recent Islamic State atrocities hid behind an impenetrable curtain of digital noise. So Grassley and Feinstein may be deriving the wrong lesson from the carnage. Instead of worrying about intercepted data being indecipherable, they should be worrying whether we’re simply not gathering enough data about Islamic State and its tentacles across Europe, Africa and South Asia, and if so, how to fix that problem.
Beyond that, the terrorists have made no secret of the fact that they’re developing and deploying their own encryption programs. Requiring Apple, Google and other mainstream tech companies to offer only breakable encryption may not affect Islamic State, but it will certainly leave millions of everyday consumers more vulnerable to much more common threats than terrorists: hackers and identity thieves. As Apple CEO Tim Cook recently noted, it’s impossible to weaken encryption for the good guys’ sake without doing the same for the bad guys.