
A Back Door to Encryption Won't Stop Terrorists - giles
http://www.bloombergview.com/articles/2015-11-18/a-back-door-to-encryption-won-t-stop-terrorists
======
jacquesm
So, here's my take on all this 'surveillance is good for you'.

It more or less proves (to me at least) that the government(s) and the various
secret services have absolutely no idea who to monitor specifically. So
instead of targeting their operations they want to monitor all of us, just in
case something of interest pops out that then allows them to focus their
attention.

It's a pretty scary thought: just imagine, all that money, all those resources
and _still_ they can't do anything other than to put their ear to the ground
and _hope_ that someone messes up in plaintext so they can then try to
backtrack and see what they might have missed.

In all these attacks it never happened that everybody was under the radar.
Always one or more of the attackers that were technically known or even
already under surveillance. And yet the attacks happened anyway. Too many
targets make for a very thinly deployed service, which then has to be
automated to make it work at all.

It's a pretty sobering thought, it also suggests via yet another route that
mass surveillance is indeed meant to attempt to 'keep us safe', and that it
fails miserably. The road to hell is paved with the best of intentions.

Terrorists have it so easy, all they need to do is to be just a little bit
unpredictable or simply old-fashioned (in person) and there won't be anything
whatsoever that we can concretely do to stop them. The only thing that
actually gives a bunch of actionable data is when an attack is executed or
when an attack goes sour (or rather: sweet as in, it does not work) from which
direct evidence of contacts or plans is gained. This will then lead to a
relatively short lived number of arrests clustered around the people caught or
implicated and then it burns out again where the data ends.

And so then we get to wait for the next attack...

~~~
Spearchucker
You nailed it, I think. If surveillance works, then Paris, Beirut, Bagdad et
al wouldn't have happed. Realizing it's a pipe dream, I'd love to see a world
accept that we the west have done so much damage that nothing will stop
terrorism.

Accepting that means we can throw those wasted resources at things that have a
better chance of working - throw the tech that detects copyright infringements
at detecting pro-ISIL sites, and use DCMA-style tactics to take them down.
Fund new research to put effective bomb and weapon detectors into every
doorway. Because protecting borders doesn't work either (crunchy on the
outside, soft on the inside). Build schools, instead of bombing them. Stop
selling weapons to the very people that shouldn't have them. Teach politicians
to value non-American lives as much as American ones. Stop honouring violent
death, and honour the deaths of people who move humanity forward instead.

There's an endless stream of ideas of what we _could_ do, if only we actually
_wanted_ it.

~~~
criddell
> If surveillance works, then Paris, Beirut, Bagdad et al wouldn't have
> happed.

I don't think surveillance is very good at preventing terrorism, but I think
it could be useful to law enforcement after the fact to round up co-
conspirators. I bet that once the identity of the Paris attackers was learned,
the NSA pulled up a graph several levels deep of everybody they communicated
it or associated with. It could very well help them figure out who else is
involved and should be watched.

For the record, I'm opposed to surveillance and would be even if it were shown
to be very effective. Privacy is important and is worth more than the lives
that have been or will be lost to terrorists and other criminals.

~~~
pakled_engineer
They found one of the terrorists phones dumped in a garbage can outside the
theatre they attacked, and got the address of their hideout from the messages,
so used just regular police work.

All these guys were already on watch lists for fighting in Syria and returning
just nobody seems to ever watch the watch list.

~~~
Canada
If that phone was properly secured then those messages wouldn't have been
accessible.

~~~
junto
You'd still have a telephone number. From that telephone number you could go
to a judge and request a warrant for the telephone records. From there you
could look at all the numbers dialed and received. Now you get a warrant for
the addresses of the subscribers.

No bulk surveillance required, just honest police work within the confines of
a valid and acceptable legal framework.

------
russnewcomer
Encryption backdoors are a lightning-rod topic on HN, but instead of repeating
all the common-talking points, I'd suggest the following:

Think through something like this, outside of your expertise, that you think
the powers-that-be should just do. Maybe it's something with your local
municipality's approach to road resurfacing, maybe it's the quarterback on
your favorite football team, maybe it's your local zoning board.

Chances are better than even that there is a decent technical reason why they
don't do what they do. Looking at things that way will save you a lot of
headache in your life, and set you on the path to getting on someone's side to
affect change, rather than just being another shrill voice yelling against
them.

So politicians and intelligence services calling for encryption want,
institutionally, to keep people safe. How can tech companies do that without
breaking or backdooring encryption? That's the real problem to solve, and the
first person to figure out how to do that will be way ahead.

~~~
lholden
The best backdoor to encryption has always been social. Talk the right way to
the right people... and it doesn't matter what type of security you have.

Isn't that the entire purpose of agencies like the CIA?

It just bothers me when privacy is treated as a negative thing, for the
greater good or not. Encryption is a tool to create privacy. The ability to
create privacy should be a point of pride as not everyone has that luxury. It
should be a human right.

This is the primary reason why I feel things like CISA/CISPA/etc take society
in the wrong direction. It doesn't matter if the intentions are good or bad
when everyone loses.

~~~
slg
Except encryption provides a level of privacy that has never before been
possible. Could you imagine a physical padlock that was unable to be cracked,
cut, or circumvented in any way? It is easy to see how that would scare law
enforcement. Imagine your job is to keep people safe. Now envision a kid
strapped to a bomb inside a shack and the only thing preventing you from
breaking in and saving that kid's life is that magical and unbreakable
padlock. That is how many laypeople view encryption. It is hard to tell that
person that you won't consider introducing any weakness into that lock.

~~~
richdougherty
That's a good analogy, but the padlock has already bolted!

Information about the uncrackable padlock is widely available. Bad guys will
always be able to get these padlocks from the black market. The question is
whether we want the good guys (i.e. us) to have the padlocks too.

~~~
slg
This is a fair counter, but I feel like we already have examples of how the
government would respond there. We might have to switch analogies, but
wouldn't encryption then be like a weapon. The goal would then shift to being
about deproliferation. The fact that nuclear weapons or AK47s already exist
doesn't prevent the government from preventing regular people from acquiring
or using them. Maybe preventing new products from entering the market and
flooding the market with faulty products (encryption with backdoors) is a good
way of combating what is already out there.

~~~
dplgk
The terrorists will use encrypted, unbreakable methods no matter that Google
or Apple use is their OS. That's really the only point that matters.

~~~
slg
And I might be able to get my hands on an AK47 if I really wanted and had
enough money to dedicate to it. That is the truth of the world. But do you
believe that making it harder to acquire a weapon like that doesn't have some
benefit?

Back to HN's world, one of the basic principles of human factors is "make the
right thing easy and the wrong thing hard." You might not be able to prevent
people from doing the wrong thing, but there is still value in making it
harder to do.

~~~
dplgk
It's not hard to download some software while sitting in your house. Much
easier than buying an illegal gun.

------
coldtea
How about this: we assume terrorists can fucking talk covertly whenever they
like (since there are myriads of channels and codes that they can use) and
that mass surveillance is not the way to catch them plotting their next act.

And from then on, ONLY use surveillance on specific targets under
investigation.

And while at it, maybe even have a limit on the number of targets each agency
can investigate, so they chose them wisely.

~~~
kobayashi
>And while at it, maybe even have a limit on the number of targets each agency
can investigate, so they chose them wisely.

This is an insanely bad idea. I understand where you're coming from, but think
about how that would play out in real life. I was going to write it out, but I
really think that you can probably figure it out if you do think it through.
From the perspective of the intel/policing agency, and from a political side,
there are too many good reasons why we should not limit the number of targets
an agency can investigate.

~~~
nickpsecurity
How about actively at one time if not in general? I think if you think through
it you can figure it out. Just start with all the terrorists and crooks they
already had red flags on but did nothing. Then, look at what excuse they make
about connecting the dots in so much data. Then look at the two obvious
solutions:

(a) Magic, AI, pixie dust tech that spots the evil, relationships, and all key
information in nearly unlimited, streaming data.

(b) Eliminating bulk collection (except maybe metadata) while forcing them to
focus on the results of targeted investigations on accounts or individuals.
Also, forcing them to follow-up on solid, red flags rather than BS around
trying to find reasons everyone else might be guilty.

I think pushing for option B is a rational choice. Also, ensuring the greatest
accountability possible given all the main players have a history of using
their police and intelligence for matters that have nothing to do with
protecting citizens.

~~~
kobayashi
When does an investigation start and end? What about when you're close to
filling your limit but a few new great leads come in. Now the agents have to
go close a ongoing investigation to follow up on a new one. Sounds like a lot
of overhead. Not only that, but the fact of modern intel work is that
investigations don't operate in a clear, linear progression.

I think that anyone that's had to deal with arbitrary limits imposed from
above understands the perverse incentives that they create. This would be
another example of administrators trying to fix something that they don't
understand.

~~~
coldtea
> _When does an investigation start and end? What about when you 're close to
> filling your limit but a few new great leads come in._

What about that? They could have a limit in the tens of thousands or so. As
long as they don't waste it on BS, they could follow all the promising cases
they want.

The idea is not to let them follow everybody, just for the fun of it.

~~~
nickpsecurity
Exactly. You got the message easy enough. Makes me lean more toward sophistry
for the other person.

------
hbbio
Apparently, the terrorists that attacked the concert hall in Paris last week
were using... unencrypted text messages to communicate between themselves
and/or their "boss".

According to the newspaper Liberation [1], they sent a text message at 9:42pm
telling: "we're out we begin".

[1] [http://www.liberation.fr/france/2015/11/18/la-piste-du-
sms-e...](http://www.liberation.fr/france/2015/11/18/la-piste-du-sms-envoye-
par-un-des-terroristes-du-bataclan_1414317)

------
pera
> but debates about whether the technology should have a "back door" for
> intelligence services are heating up again

What "debates"? there is absolutely nothing they can do to enforce terrorists
to use backdoored encryption, any debate is just a waste of time, money, and
maybe even lives. What are they thinking??

~~~
mangeletti
Exactly. This is the same as gun control. If a technology exists, you cannot
tell people to not use it; otherwise, all you've done is put law-abiding
citizens at a competitive disadvantage while arming the bad guys. To argue
otherwise is absolute ignorance.

~~~
jacobolus
> _If a technology exists, you cannot tell people to not use it; otherwise,
> all you 've done is put law-abiding citizens at a competitive disadvantage
> while arming the bad guys._

This comment is amazing self parody.

So what, we should we let people cook up nerve gas and anthrax and build
surface-to-air missile launchers in their garages, to make sure they have
competitive parity with the bad guys?

~~~
15charlimit
Most individuals who would even begin to consider trying to "cook up"
substances like nerve gas or anthrax "in a garage" would undoubtedly die in
the process, in which case problem solved.

And yes, people should be able to build "surface to air missile launchers" in
their garages. It's called amateur rocketry, and last I checked it was quite a
popular (and legal) hobby.

The vast majority of encryption is used in a lawful way to protect important
things (information). The vast majority of firearms (in the USA at least) are
used in a lawful way to protect, deter, as a hobby/for fun, and for
sport/hunting.

They are very similar arguments, for a number of reasons, including the utter
stupidity of attempting to make law-abiding citizens jump through even MORE
hoops whilst accomplishing absolutely nothing in "preventing the bad guys from
making use of" said technologies.

------
mtgx
Oh and by the way - the Paris terrorists didn't even use encryption:

[https://theintercept.com/2015/11/18/signs-point-to-
unencrypt...](https://theintercept.com/2015/11/18/signs-point-to-unencrypted-
communications-between-terror-suspects/)

How about that? Hopefully now the blame will be put where it should be: the
wastefulness of mass surveillance, which dramatically increases the "noise"
compared to the signals, since the agencies have to "look" at many more
innocent people and waste time and resources doing so.

------
Steuard
The line at the end that really hit me was this:

> _Almost all the attackers were known to the authorities, and if they had
> been watched, their use of encryption programs would have itself invited
> closer scrutiny._

This is precisely the scenario that Phil Zimmermann (creator of PGP) and
others have been warning about (and working against) for decades. As
Zimmermann said in a 1999 essay linked here not long ago, "What if everyone
believed that law-abiding citizens should use postcards for their mail?"
([https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html](https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html))
The scary part to me is not just that it's our present reality, but that it's
so readily accepted. Crypto advocates need better PR. (And to be fair, better
UI.)

~~~
giancarlostoro
Better UX as well, but I guess you implied it. The only apps I can convince
friends to use that support encryption are the seamless ones.

------
helicon
The IRA were known to recruit top stem students from universities in Ireland
during their campaign to make bombs. Surely an entity as large and as well
financed and ISIS would have little trouble finding bright young engineers &
technologists sympathetic to their cause to simply build their own encrypted
services? And then so much for the spooks 'backdoors'

~~~
BinaryIdiot
> Surely an entity as large and as well financed and ISIS would have little
> trouble finding bright young engineers & technologists sympathetic to their
> cause to simply build their own encrypted services?

You wouldn't even need the brightest engineers. In fact so many encryption
algorithms have been opened sourced and / or in library form for so long that
it's easy for practically any developer to do.

~~~
drdaeman
Just having a library that does something doesn't magically bring security.
The issue is, engineer still needs to know a lot of stuff (or strictly conform
to the instructions) to use the thing correctly. There are too many ways to
screw the thing up without even knowing it.

So, if the thing's to slap some nice GUI upon an existing library that
implements the security bits, then almost no knowledge's required. But if one
has a library full of primitives but still has to combine them in a meaningful
way - it's a damned minefield.

------
zaroth
I think this article misses the most obvious point. Encryption is widely
available for free and in the open. It's not about listing the devices or code
they might not trust, if there's even one that they do trust, then you can
backdoor everything else and it won't matter.

Why do they think they can put the Genie back in the bottle? The answer is
they know that they can't, the backdoor only effects the people who don't care
they are being tracked. It's not for terrorists, it's for people who carry
smartphones. Which is almost everyone, so good enough for them. But the
argument is absolutely nothing to do with "preventing terrorism".

------
p01926
This is like in WWII, when Churchill and Turing gave so many newspaper
interviews re: how awful it was they couldn't crack Hitler's encryption
anymore that he finally gave in, went back to the 3-rotor Enigma machines and
we won the war.

------
conwaytwitty
When X is illegal, only the criminals will have X.

Replace X with basically anything.

~~~
aero142
"When nuclear bombs are illegal, only the criminals will have nuclear bombs."

I think your grand unifying theory needs more nuance.

~~~
coldtea
I hope we don't depend on the unavailability of nuclear bombs to the bad guys
on them being "illegal".

~~~
aninhumer
No, we depend on the enforcement of that illegality, which is usually assumed
when people discuss banning something.

(EDIT: Previously said "making something illegal", which I realised was
ambiguous.)

~~~
marcosdumay
What, do you plan to make talking about crypto illegal too?

~~~
aninhumer
I was replying to the general sentiment, not the specific.

Obviously banning encryption is ridiculous, but the "Only criminals will have
X" argument is just silly rhetoric.

EDIT: I just noticed the ambiguity you're more likely responding to in my
original post. I'll reword it.

------
TeMPOraL
I think the entire discussion misses the even more important point -
terrorists won't care whether encryption is backdoored or not. It's a good
OPSEC to assume all communication is being listened to anyway, and to rely on
steganography and disappearing in the noise. Bad guys will simply use the same
backdoored crypto everyone else will be using, communicating in the same way
they do today, because using the unbroken crypto will be easily detected as
suspicious action.

~~~
kbart
_" rely on steganography and disappearing in the noise."_

They already do that[0].

0\. [http://arstechnica.com/business/2012/05/steganography-how-
al...](http://arstechnica.com/business/2012/05/steganography-how-al-qaeda-hid-
secret-documents-in-a-porn-video/)

~~~
TeMPOraL
Yes. My point is, they'll keep doing that, so backdooring encryption doesn't
really help in any way.

------
jiantastic
As with most things, I think that it is a trade off. There is a very delicate
balance between security and privacy.

Too much surveillance

\- General public feels incredibly uncomfortable due to lack of privacy

\- An incredibly scary amount of power in the hands of whoever has access to
that information ( and who knows what they will do with it )

\- Reduced risk of terrorism and security concerns

Too little

\- Increased risk of terrorism + massive security concerns due to lack of
intelligence ( it's like trying to find a needle in a huge haystack )

\- Public feels safe due to perceived increased privacy and yet feels unsafe
due to ( potentially ) increased number of terrorist incidents.

It's a rather difficult problem to solve. How can we extract critical security
information without invading people's privacy?

------
staunch
_" I was able to leave and come to Shām (Syria) despite being chased after by
so many intelligence agencies. My name and picture were all over the news yet
I was able to stay in their homeland, plan operations against them, and leave
safely when doing so became necessary," Abaaoud claimed in the interview,
according to ISIS."_

[http://www.cnn.com/2015/11/16/europe/paris-terror-attack-
mas...](http://www.cnn.com/2015/11/16/europe/paris-terror-attack-mastermind-
abdelhamid-abaaoud/index.html)

------
api
A back door to encryption would be a great tool for terrorists if it were
leaked.

~~~
kwhitefoot
When not if.

------
tw04
I've gotta believe these organizations can find one or two developers among
the billions of muslims on this planet. Why wouldn't they just write their own
apps for android and call it a day?

~~~
vonklaus
The Mexican cartels captured and paid engineers to build them there own
private cell network[0], so it isn't out of the realm of possibility that ISIS
is doing something similar.

I am sure they have at least a few engineers kicking around what amounts to be
an entire country. I haven't heard many people harping on about encryption,
TBH, except people defending it here and that idotic NYT article.

However, if you had 10 amazing engineers you would likely have strike
capabilities orders of magnitude higher than a few suicide bombers. So sure,
gather surveillance, but let's play some defense. Shore up our infrastructure
much better than we do now, because after they make their own apps and
networks, they are going to come for ours potentially.

[0][http://www.wired.com/2012/11/zeta-
radio/](http://www.wired.com/2012/11/zeta-radio/)

------
kmonsen
This is to control the population, and it will get asked for every time there
is a nice excuse.

------
l0stb0y
I always assume these types of stories are red herrings and intelligence
agencies already have back doors or decryption methods that they want to keep
hush. Make a big song and dance about how encryption is secure and push
criminals towards it, meanwhile its a trap. Look at all the Tor takedowns as
evidence. It's all fine by me really.

~~~
nickpsecurity
Like they did with iPhone, etc before Snowden showed they had compromised it
all? ;)

------
randyrand
If they know there's a backdoor to one type of encryption wont they just use a
different form of encryption?

------
fapjacks
This isn't about terrorists using encryption. It's about a culture of control,
violence, and domination trying to extend its power to encrypted communiction.

------
ck2
_There 's no evidence the plotters of the Paris terrorist attacks used
encrypted communications_

First sentence is already wrong.

They recovered smartphones that had encrypted messaging apps.

Still no excuse for government backdoors which will be stolen by all kinds of
entities within months of their creation and allow the wrong people to spy on
law enforcement itself.

Government had a 10 year headstart before all this, where are all the
terrorists they stopped before this?

~~~
swiley
My phone has at least two encrypted messaging apps on it that I've been
meaning to learn how to use. Everyone I know uses Kik though and has 0 desire
to switch. So we really don't know that they where actually using them if
that's all they really found.

~~~
ck2
Well unless they factory reset the phones, which they obviously did not,
android keeps usage stats on app so it would be obvious if the apps were used
or not.

But you are right, it could just be someone overstating something where apps
have the ability to be encrypted, not that they were used that way.

Still all these people were already known to their secret services. Some even
had phone taps already. It was yet another intelligence failure like we saw on
9/11

------
Khaine
I think one thing we as a tech community overlook is the expectations on the
intelligence community. The broader community expects the intelligence
agencies to stop ALL terrorists attacks, and thats just not feasible. This
drives the intelligence agencies to do more, which is why I think there is a
big push for broad dragnet activity.

------
mrmondo
Terrorism, anarchy, and general mischief all existed long before the Internet
and will undoubtably outlive it.

------
oppositelock
Back doors are very useful to tracking down tax evaders, political opponents
or dissenters, or any other number of things which increase government revenue
or power. Terrorism is just one excuse used to justify the rest of it. Crypto
backdoors will be mandatory one day, it's inevitable.

~~~
RankingMember
It's inevitable only with an attitude of "it's inevitable".

~~~
reddytowns
If you believe it, it will come true!

------
MarkMc
Governments regularly intercept plain old SMS messages. If the government can
demonstrate cases where this has prevented a terrorist incident in the past,
wouldn't that suggest that similar snooping on iMessages would prevent
terrorism in future?

------
MarkMc
"Almost all the attackers were known to the authorities, and if they had been
watched, their use of encryption programs would have itself invited closer
scrutiny."

Well, unless they were using WhatsApp or iMessage, which almost everyone uses.

------
akerro
> A Back Door to Encryption Won't Stop Terrorists

It' not like terrorists use Twitter

