Islamic State and other terrorist groups espouse a primitive ideology and rely on medieval tactics, but they use distinctly modern tools: social media and communications platforms designed to evade our most advanced efforts to fight terrorism.
By taking advantage of widely available encryption technologies, terrorists and common criminals alike can carry out their agendas in cyber safe havens beyond the reach of our intelligence agency tools and law enforcement capabilities. This is unacceptable. Americans of course need access to technology that keeps our personal and business communications private, but this must be balanced with concerns over national security.
Some technologists and Silicon Valley executives argue that any efforts by the government to ensure law-enforcement access to encrypted information will undermine users’ privacy and make them less secure. This position is ideologically motivated and profit-driven, though not without merit. But, by speaking in absolute terms about privacy rights, they bring the discussion to a halt, while the security threat evolves. Top cryptologists have reasonably cautioned that “new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” but this is not the end of the analysis. We recognize there may be risks to requiring such access, but we know there are risks to doing nothing.
To be clear, encryption is often a very good thing. It increases the security of our online activities, provides the confidence necessary for economic growth through the Internet, and protects our privacy by securing some of our most important personal information, such as financial data and health records. Yet as with many technological tools, terrorist organizations are using encryption with alarming success.
For example, “end-to-end” encryption -- which allows communications and data shared across devices and platforms to be seen only by the individual holding the receiving device -- protects information even from a lawful court order backed by probable cause. Apple, Google and other companies have recently made this level of encryption the default setting on many phones and operating systems. The result will be digital crime scenes to which law enforcement has no access.
Encryption technology is easy to get hold of and doesn't require much sophistication to use. Islamic State knows this, and keeps close tabs on which technologies to direct its followers to in order to evade government surveillance. A recent article in the journal Foreign Affairs called it “the first terrorist group to hold both physical and digital territory: in addition to the swaths of land it controls in Iraq and Syria, it dominates pockets of the internet with relative impunity."
This isn't just a problem in Iraq and Syria. The jihadists' followers and adherents use encryption to hide their communications within the U.S. FBI Director James Comey recently testified that the attackers in last year's Garland, Texas, shootings exchanged more than 100 text messages with an overseas terrorist, but law enforcement is still blinded to the content of those texts because they were encrypted.
In October, President Barack Obama announced that he would not seek legislation requiring government access to such data -- a capability that would have been routine for law enforcement before the age of advanced encryption. The administration is instead asking for the industry’s voluntary assistance in modifying technology to meet our security needs. Progress in this outreach to industry has been made, Comey said in November, and “venom has been drained out of the conversation.”
But this is not enough. Efforts to eliminate cyber safe havens must not be marked by the same half-measures that have defined this administration’s military fight against Islamic State. The president needs to define a coherent strategy to address the increasing use of encrypted communications by those who wish America and its allies ill.
This would mean building coalitions, domestically and internationally, to update laws and international conventions that allow law enforcement agencies across the world lawful access to digital criminal evidence.
As part of this effort, Congress should consider legislation that would require U.S. telecommunications companies to adopt technological alternatives that allow them to comply with lawful requests for access to content, but that would not prescribe what those systems should look like. This would allow companies to retain flexibility to design their technologies to meet both their business needs and our national security interests. Such a proposal would be similar to legislation enacted in the 1990s that ensured law enforcement agencies are able to lawfully wiretap without mandating how those systems ought to be designed.
We have to encourage companies and individuals who rely on encryption to recognize that our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement. Developing technologies that aid terrorists like Islamic State is not only harmful to our security, but it is ultimately an unwise business model.
The threat posed by the status quo is unacceptable. The use of technology by terrorist groups to recruit members, spread hateful ideology and plot attacks will only expand. But, just as Islamic State’s growth through the establishment of safe havens in Iraq and Syria was not inevitable, the group's ability to use technology to the same end does not need to be either.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the editor responsible for this story:
Tobin Harshaw at firstname.lastname@example.org