diego's weblog

there and back again

encryption is bad news for bad guys! (and other things we should keep in mind)

Once again, a senseless act of violence shocks us and enrages us. Prevention becomes a hot topic, and we end up having a familiar “debate” about technology, surveillance, and encryption, more specifically, how to either eliminate or weaken encryption. Other topics are mentioned in passing (somehow, gun control is not), but ‘controlling’ encryption seems to win the day as The Thing That Apparently Would Solve A Lot Of Problems.

However, as of now, there is zero indication that encryption played any part in preventing security services from stopping the Paris attacks. There wasn’t a message with a date and names and a time, sitting in front of a group of detectives, encrypted.

I feel obligated to mention this, even if it should be obvious by now. “If only we could know what they’re saying,” sounds reasonable. It ignores the fact that you need incredibly invasive, massive non-stop surveillance of everyone, but setting that tiny detail aside it comes back to the (flawed) argument of “you don’t need encryption if you have nothing to hide.”

First off, needing to hide something doesn’t mean you’re a criminal. Setting aside our own intelligence and military services, this is what keeps Chinese dissidents alive (to use one of a myriad examples), and I’m sure there are a few kids growing up in ISIS-controlled areas that are using encrypted channels to pass along books, movies (plus, probably some porn), or to discuss how to get the hell out of there. In less extreme territory, hiding is instrumental in many areas of everyday life, say, planning surprise parties. Selective disclosure is a necessary component in human interaction. 

There’s only one type of debate we should be having about encryption, and it is how to make it easier to use, more widespread. How to make it better, not how to weaken it.

Because encryption can’t be uninvented, and, moreover, widespread secure communications don’t help criminals or terrorists–it hurts them.

(1) Encryption can’t be uninvented

A typical first-line-of-defense argument for encryption goes: “eliminating or weakening encryption does nothing to prevent criminals or terrorists  from using encryption of their own.” Any criminals or terrorists (from now on “bad guys”) with minimal smarts would know how to add their own encryption layer to any standard communication channel. The only bad guys you’d catch would be either lazy, or stupid.

“Aha!” Says the enthusiastic anti-encryption advocate. “That’s why we need to make sure all the algorithms contain backdoors.” What about all the books that describe these algorithms before the backdoors? Would we erase the memory of the millions of programmers, mathematicians, or anyone that’s ever learned about this. And couldn’t the backdoors be used against us? Also get this: you don’t even need a computer to encrypt messages! With just pen and paper you can effectively use any number of cyphers that in some cases are quite strong (e.g., one-time use pads, or multilayered substitution cyphers, etc.) Shocking, I know.

The only way to “stop” encryption from being used by bad guys would be to uninvent it. Which, hopefully, we can all agree is impossible.

Then there’s the positive argument for encryption. It’s good for us, and bad for bad guys.

(2) Herd immunity, or, Encryption is bad for bad guys

Maybe we in technology haven’t done a good job of explaining this to law enforcement or politicians, or the public at large, but there’s a second, more powerful argument that we often fail to make: widespread secure & encrypted communications and data storage channels hinders, not helps, criminals, terrorists, or other assorted psychos.

That’s right. Secure storage and communications hurts bad guys.

Why? Simple: because bad guys, to operate, to prepare, obtain resources, or plan, need three things: money, time, and anonymity. They obtain these by leeching off their surroundings.

More and more frequently terrorists finance their activities with cybercrime. Stealing identities and credit cards, phishing attacks, and so forth. If everyone’s communications and storage (not just individuals but also banks, stores, etc) was always encrypted and more secure, criminals would have a much harder time financing their operations.

That is, to operate with less restrictions bad guys need to be able to exploit their surroundings. The more protected their surroundings are, the more exposed they are. More security and encryption also mean it’s harder to obtain a fake passport, create a fake identity, or steal someone else’s.

Biosafety experts have a term for this: Herd Immunity. Vaccines work only when in widespread use, for two reasons. First, the higher the percentage of immune individuals, the fewer avenues a disease has to spread, but, as importantly, the less probability that a non-immune individual will interact with an infected individual.

More advanced encryption and security also helps police agencies and security services. If the bad guys can’t get into your network or spy on your activities, you have more of a chance of catching them. The first beneficiaries of strong encryption are the very agencies tasked with defending us.


Dictatorships and other oppressive regimes hate encryption for a reason. Secure, widespread communication also strengthens public discourse. It makes communication channels harder to attack, allowing the free flow of information to continue in the face of ideologies who want nothing less than to shut it down and lock everyone into a single way of thinking, acting, and behaving.


(Postscript) Dear media: to have a real conversation we need your help, so get a grip and calm down. 

The focus on encryption is part of looking for quick fixes when there aren’t any. In our fear and grief we demand answers and “safety,” even to a degree that is clearly not possible. We cannot be 100% safe. I think people in general are pretty reasonable, and know this. But it’s kind of hard to stay that way when we are surrounded by news reports that have all the subtlety and balance of a chicken running around with its head cut off. We are told that the “mastermind” (or “architect”) of the attack is still at large. We hear of “of an elaborate international terror operation.” On day 3, the freakout seems to be intensifying, so much so that a reporter asks the President of the United States: “Why Can’t We Take Out These Bastards?

The Paris attacks were perpetrated by a bunch of suicidal murderers with alarm clocks, a few rifles, bullets, and some explosives. Their “plan” amounted to synchronizing their clocks and then start firing and/or blow themselves up on a given date at roughly the same time, a time chosen for maximum damage.

“Mastermind”? Reporters need to take a deep breath and put things in context. This wasn’t complicated enough to be “masterminded.” We’re not dealing with an ultra-sophisticated criminal organization headed by a Bond villain ready to deploy a doomsday device. This is bunch of thugs with wristwatches and Soviet-era rifles. They are lethal, and we need to fight back. But they are not an existential threat to our civilization. We are stronger than that.

With less of an apocalyptic tone to the reporting we could have a more reasonable conversation about the very real and complex reality behind all of this. Naive? Maybe. Still —  it doesn’t hurt to mention it.



Comments are closed.

%d bloggers like this: