The Paris Attacks Were Tragic, but Cryptography Isn’t to Blame

We have met the enemy, and it is math.

That’s the clear takeaway from the latest round of outrage over gadgets and apps that use encryption to ensure no third parties can see your data.

The ‘Bombe,’ a machine invented by British mathematician Alan Turing to decrypt the German Enigma code in WWII (Photo: Garrett Coakley/Flickr).

Is privacy protected by complex cryptographic equations — what we rely on to shield our online banking from snoops and to keep the data on our phones safe from thieves — a bad thing? Well, apparently it is when terrorists might use those same tools.

Emphasis on “might”: Despite initial speculation about the plotting behind the Paris attacks requiring encrypted communications, some of the murderers responsible used plain old text messaging.

Crypto in the cross hairs

A lack of supporting evidence (see also the groundless panic over Syrian refugees in the U.S.) has not stopped politicians from denouncing strong encryption as shielding the members of the Daesh death cult who fancy themselves an “Islamic State.”

“The Achilles heel in the Internet is encryption,” Sen. Dianne Feinstein (D-Calif.) said on CBS’s Face the Nation Sunday. The vice chairman of the Senate Select Committee on Intelligence then cited a Paris-attacks theory that had already been debunked: “Terrorists could use PlayStation to be able to communicate, and there’s nothing that can be done about it.”

(If only they would: Sony’s game console doesn’t employ the kind of encryption that would shut out police with a warrant.)

On that same program, Rep. Michael McCaul (R-Tex.) voiced a similar thought: “The biggest threat today is the idea that terrorists can communicate in dark space, dark platforms, and we can’t see what they’re saying.”

A former speechwriter for U.K. prime minister David Cameron, Clare Foges, phrased things a little more bluntly in an op-ed in the Telegraph: “Terrorists want ever-safer spaces to operate in, and the tech giants say ‘Sure! Here’s an end-to-end encrypted product that is impossible to crack.’”

(Note that Yahoo Tech’s publisher has been testing end-to-end e-mail encryption software developed with help from Google.)

We’ve had this argument before

The remedy you hear most often proposed is to require vendors of encrypted software to include a mechanism that would let the government see encrypted content after getting a search warrant—“a kind of secure golden key,” the Washington Post’s editorial board memorably wrote last year.

That sounds great in principle, but in practice it means impaired security. As 15 veteran cryptographers explained in a paper posted in July, such a system will always make encryption more fragile and give attackers—from organized crime to other governments—a high-value target in the form of whatever third party holds these backup keys.