Why the government can't actually stop terrorists from using encryption
WASHINGTON - Even if the U.S. government prevails in its quest to compel Apple and other U.S. companies to give the authorities access to encrypted devices or messaging services when they have a warrant, such technology would still be widely available to terrorists and criminals, security analysts say.
That's because so many encrypted products are made by developers working in foreign countries or as part of open source projects, putting them outside the federal government's reach. For example, instant messaging service Telegram - which offers users encrypted "secret chats" - is headquartered in Germany while encrypted voice call and text-messaging service Silent Phone is based out of Switzerland. And Signal, a popular app for encrypted voice calls and text messaging, is open source.
"Trying to put a mandate on encryption software is really pretty hopeless," said Matt Blaze, a computer science professor and cryptography researcher at the University of Pennsylvania.
President Barack Obama sided with law enforcement Friday in the policy debate over encryption, saying at the South by Southwest Festival that an "absolutist perspective" of privacy on smartphones doesn't account for the danger of letting digital security stand in the way investigators.
His comments come as the Justice Department is trying to force Apple to help the authorities unlock an iPhone used by one of the San Bernardino shooters. The New York Times reported that the Justice Department is also weighing how to approach a case where encryption used by Facebook-owned messaging app WhatsApp stymied a wiretap order.
In both situations, investigators ran into difficulties because the companies are using types of encryption where they don't store the digital keys needed to unlock data for authorities even when they have a warrant.
But any U.S. mandate on encryption would only affect software covered by U.S. law, said Blaze. "It's not going to prevent people from using open source software or foreign-made software, even in the United States," he explained.
Last year, researchers at New America's Open Technology institute cataloged 16 different encrypted communications applications that are either developed outside of the U.S. or by open source projects.
The U.S. government can't really stop what developers do outside of its borders, so cracking down on domestic tech companies that offer strong encryption protections may just drive consumers to foreign competitors without the same restrictions, analysts said.
And open source projects tend to rely on volunteers based around the world. That means there often isn't one person the U.S. government could ask to get encrypted data. But even if the government did succeed in closing down an open source project, the code would already be available online - so pretty much anyone could set up their own homebrew version of the application.
At best, the government's efforts to push U.S. companies away from the technology could slow its spread - at least among normal users.
More people are using strong forms of encryption now than ever, but mostly because tech companies have started making it an automatic feature, according to Matthew Green, a computer science professor at Johns Hopkins University. For instance, new iPhones encrypt information stored on the device by default when you set up a passcode. And WhatsApp users don't have to think about encrypting their messages - the protection is just there.
The government likely realizes it can't stop encryption from being available, but law enforcement officials probably hope to reduce the amount of information that automatically receives the protection, according to Green.
"They don't care if people use encryption, as long as it's not 95 percent of traffic," he said.
But forcing U.S. companies to shy away from strong forms of encryption would still leave the technology available to those who seek it out - including criminals and terrorists - according to Blaze.
And it would "likely do quite a bit of damage to everyday users because it would leave them more exposed to criminals and foreign intelligence services," he said.