Edward Snowden: Without encryption, we will lose all privacy. This is our new battleground
The US, UK and Australia are taking on Facebook in a bid
to undermine the only method that protects our personal information
Edward Snowden is a US surveillance whistleblower
Tue 15 Oct 2019 21.06 EDT
In every country of the world, the security of computers
keeps the lights on, the shelves stocked, the dams closed, and transportation
running. For more than half a decade, the vulnerability of our computers and
computer networks has been ranked the number one risk in the US Intelligence
Community’s Worldwide Threat Assessment – that’s higher than terrorism, higher
than war. Your bank balance, the local hospital’s equipment, and the 2020 US
presidential election, among many, many other things, all depend on computer
safety.
And yet, in the midst of the greatest computer security
crisis in history, the US government, along with the governments of the UK and
Australia, is attempting to undermine the only method that currently exists for
reliably protecting the world’s information: encryption. Should they succeed in
their quest to undermine encryption, our public infrastructure and private
lives will be rendered permanently unsafe.
In the simplest terms, encryption is a method of
protecting information, the primary way to keep digital communications safe.
Every email you write, every keyword you type into a search box – every
embarrassing thing you do online – is transmitted across an increasingly
hostile internet. Earlier this month the US, alongside the UK and Australia,
called on Facebook to create a “backdoor”, or fatal flaw, into its encrypted
messaging apps, which would allow anyone with the key to that backdoor
unlimited access to private communications. So far, Facebook has resisted this.
If internet traffic is unencrypted, any government,
company, or criminal that happens to notice it can – and, in fact, does – steal
a copy of it, secretly recording your information forever. If, however, you
encrypt this traffic, your information cannot be read: only those who have a
special decryption key can unlock it.
I know a little about this, because for a time I operated
part of the US National Security Agency’s global system of mass surveillance.
In June 2013 I worked with journalists to reveal that system to a scandalised
world. Without encryption I could not have written the story of how it all
happened – my book Permanent Record – and got the manuscript safely across
borders that I myself can’t cross. More importantly, encryption helps everyone
from reporters, dissidents, activists, NGO workers and whistleblowers, to doctors,
lawyers and politicians, to do their work – not just in the world’s most
dangerous and repressive countries, but in every single country.
When I came forward in 2013, the US government wasn’t
just passively surveilling internet traffic as it crossed the network, but had
also found ways to co-opt and, at times, infiltrate the internal networks of
major American tech companies. At the time, only a small fraction of web
traffic was encrypted: six years later, Facebook, Google and Apple have made
encryption-by-default a central part of their products, with the result that
today close to 80% of web traffic is encrypted. Even the former director of US
national intelligence, James Clapper, credits the revelation of mass
surveillance with significantly advancing the commercial adoption of
encryption. The internet is more secure as a result. Too secure, in the opinion
of some governments.
Donald Trump’s attorney general, William Barr, who
authorised one of the earliest mass surveillance programmes without reviewing
whether it was legal, is now signalling an intention to halt – or even roll
back – the progress of the last six years. WhatsApp, the messaging service
owned by Facebook, already uses end-to-end encryption (E2EE): in March the
company announced its intention to incorporate E2EE into its other messaging
apps – Facebook Messenger and Instagram – as well. Now Barr is launching a
public campaign to prevent Facebook from climbing this next rung on the ladder
of digital security. This began with an open letter co-signed by Barr, UK home
secretary Priti Patel, Australia’s minister for home affairs and the US
secretary of homeland security, demanding Facebook abandon its encryption
proposals.
If Barr’s campaign is successful, the communications of
billions will remain frozen in a state of permanent insecurity: users will be
vulnerable by design. And those communications will be vulnerable not only to
investigators in the US, UK and Australia, but also to the intelligence
agencies of China, Russia and Saudi Arabia – not to mention hackers around the
world.
End-to-end encrypted communication systems are designed
so that messages can be read only by the sender and their intended recipients,
even if the encrypted – meaning locked – messages themselves are stored by an
untrusted third party, for example, a social media company such as Facebook.
The central improvement E2EE provides over older security
systems is in ensuring the keys that unlock any given message are only ever
stored on the specific devices at the end-points of a communication – for
example the phones of the sender or receiver of the message – rather than the
middlemen who own the various internet platforms enabling it. Since E2EE keys
aren’t held by these intermediary service providers, they can no longer be
stolen in the event of the massive corporate data breaches that are so common
today, providing an essential security benefit. In short, E2EE enables
companies such as Facebook, Google or Apple to protect their users from their
scrutiny: by ensuring they no longer hold the keys to our most private
conversations, these corporations become less of an all-seeing eye than a
blindfolded courier.
It is striking that when a company as potentially
dangerous as Facebook appears to be at least publicly willing to implement
technology that makes users safer by limiting its own power, it is the US
government that cries foul. This is because the government would suddenly
become less able to treat Facebook as a convenient trove of private lives.
To justify its opposition to encryption, the US
government has, as is traditional, invoked the spectre of the web’s darkest
forces. Without total access to the complete history of every person’s activity
on Facebook, the government claims it would be unable to investigate terrorists,
drug dealers, money launderers and the perpetrators of child abuse – bad actors
who, in reality, prefer not to plan their crimes on public platforms,
especially not on US-based ones that employ some of the most sophisticated
automatic filters and reporting methods available.
The true explanation for why the US, UK and Australian
governments want to do away with end-to-end encryption is less about public
safety than it is about power: E2EE gives control to individuals and the
devices they use to send, receive and encrypt communications, not to the
companies and carriers that route them. This, then, would require government
surveillance to become more targeted and methodical, rather than indiscriminate
and universal.
What this shift jeopardises is strictly nations’ ability
to spy on populations at mass scale, at least in a manner that requires little
more than paperwork. By limiting the amount of personal records and intensely
private communications held by companies, governments are returning to classic
methods of investigation that are both effective and rights-respecting, in lieu
of total surveillance. In this outcome we remain not only safe, but free.
• Edward Snowden is a former CIA officer and whistleblower,
and author of Permanent Record. He is president of the board of directors of
the Freedom of the Press Foundation.