In recent years, pro-democracy and pro-human rights protesters from Egypt and Tunisia to Thailand and Hong Kong have used social media and mobile phones to organize and broadcast their message to fellow citizens and the world. But governments are ratcheting up their surveillance capabilities in response. Fear of heavy monitoring and the reprisals that can follow has led human rights activists to adopt services that support encryption. To them, encryption is a critical security tool to avoid being identified, arrested, harassed, or worse—merely for criticizing government policy.
The U.S. government supports Internet freedom abroad as a pillar of its human rights foreign policy. In recognition of the link between encryption and human rights, Congress has appropriated over $125 million to the State Department and US AID since 2008 to promote Internet freedom, including through programs that develop encryption tools and train activists on how to use them.
But the FBI has embarked on an aggressive campaign to convince the public that encryption built into our digital tools should be weakened in the name of countering terrorism. Yet it has failed to recognize the broad, though unintended, harm such an approach would bring to human rights activists worldwide.
On June 3, Michael Steinbach, assistant director of the FBI’s counterterrorism division, testified before the House Committee on Homeland Security that technology companies like Apple and Google should “prevent encryption above all else” because terrorists are increasingly using the companies’ secured tools to shield communications and access to their activity is “going dark.”
“Privacy, above all other things, including safety and freedom from terrorism, is not where we want to go,” Steinbach said. FBI Director James Comey is likely to make the same argument before two hearings at the Senate Judiciary and Intelligence Committees on Wednesday.
Governments have a human rights obligation to investigate and prosecute crime and thwart terrorist attacks. But while strong encryption may limit some existing surveillance capabilities, these limitations are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata. It is also unlikely that limiting strong encryption in U.S. products would prevent bad actors from using it. Terrorists could merely shift to foreign alternatives.
Most jarring for human rights groups, however, is that the FBI’s “going dark” narrative simply ignores the cost of undermining encryption to human rights activists around the world. For activists, this debate is just as much about their safety and freedom as about privacy.
All Internet users, including those most vulnerable, rely on the security practices of U.S. tech companies to protect them from abusive surveillance and cybercriminals. In December 2010, in the midst of the Tunisian uprisings, Facebook, a crucial platform for the activists, began receiving reports that Tunisian Facebook accounts had been compromised or deleted. Facebook soon discovered that the government had launched a large-scale attack to steal social media passwords of activists and journalists and access their private communications and contacts. So Facebook turned to encryption, enabling HTTPS, a secure communication protocol, automatically to thwart the attack in Tunisia.
Facebook now deploys HTTPS automatically for its 1.4 billion users. In 2014, Apple and Google announced they would go further and begin encrypting data stored on mobile devices used by activists worldwide, with even the companies unable to decrypt locally stored data. WhatsApp, a group chat application, is also rolling out end-to-end encryption for its 800 million users. These measures can help protect the safety of protest organizers in places like Hong Kong, Thailand, and the Middle East, along with millions of other, even if they may not realize it.
The FBI insists that they don’t want a “back door” into secured services, but rather a requirement that companies design their services so they can still decrypt data with a lawful court order. But whatever label you use, the nearly universal view within the digital security community is that there is no technical solution that would allow the FBI to decrypt all communications, but wouldn’t leave internet users exposed to actors (government and non-government) that would try to uncover that vulnerability for malicious purposes. Repressive regimes will exploit back doors to identify “troublemakers” and throw them in jail.
And if the FBI forces tech companies to weaken their security, then why wouldn’t every other government demand the same, including those that equate dissent with terrorism. How comfortable would we be if Russia, China, and Saudi Arabia had back door access to Apple and Google devices?
Indeed, China has already started down this road in a counter-terrorism bill introduced earlier this year that would require firms to install back doors and disclose encryption keys. The US government would lack credibility to criticize these demands on behalf of US industry or on human rights grounds.
Strong encryption is a cornerstone of security in the digital age. It helps protect vulnerable human rights activists everywhere. Internet back doors make us all less safe. The FBI and Congress should not ignore these inconvenient facts, even in the name of fighting terror.