Regulated encryption isn’t possible — here’s what is

Investigative roadblocks to law enforcement can be overcome without endangering our right to privacy.

In their opinion piece “The last refuge of the criminal: Encrypted smartphones” (July 26), Catherine De Bolle, executive director of Europol, and Cyrus R. Vance, Jr., district attorney of New York County, made their case for “regulated encryption,” arguing that law enforcement investigations are becoming increasingly difficult with so much evidence locked away in encrypted communications.

We do not doubt encryption presents serious investigative challenges for law enforcement. However, this solution would set a dangerous precedent for users’ fundamental rights and privacy. But that doesn’t mean there’s nothing to be done.

On paper, the idea that we could allow highly regulated and targeted access to criminal or terrorist communications is appealing. The problem is that there is no such thing as regulated and targeted access when it comes to end-to-end encryption (E2EE).

Backdoors to encryption are like chinks in an otherwise impenetrable chain — once you’ve opened up a vulnerability, you cannot choose who can exploit it.

Encrypted communications are, therefore, only as strong as their weakest point, and experts have cautioned that any vulnerability in the encryption protocol means a risk of exploitation by criminal actors, including terrorists and violent extremists. A backdoor for law enforcement to monitor criminal communications is also a backdoor for criminals to monitor any communications.

At Tech Against Terrorism, our research has shown that backdoors to encrypted communications would actually have a negligible effect on deterring terrorist activity: Terrorists are highly mobile online and would be quick to migrate to services unwilling to cooperate with law enforcement if screening E2EE communications or backdoor access became legal requirements.

That is not to say there is nothing law enforcement can do to combat the threat of encrypted criminal communications. The forensic use of metadata — which includes sender and receiver identification; IP address; basic subscriber information; date, time and location data; and the frequency with which specific phone numbers contact each other — is a burgeoning area of investigation that both preserves the privacy of communications and enables law enforcement to collect robust evidence.

Before we undermine fundamental rights and freedoms, we recommend legislatures commit proper funding for research on how metadata can be used to identify criminal actors using E2EE services, acknowledging that any risk of infringing on the right to privacy should be proportional to its aim and inscribed in the rule of law.

Otherwise, we will have gained nothing in the fight against terrorism but lost everything in the fight for privacy.

Adam Hadley
Director, Tech Against Terrorism