[Cryptography] A Paris Cryptographer On Encryption and Terrorists

Tue Nov 24 10:34:00 EST 2015

FYI --

https://nadim.computer/2015/11/23/on-encryption-and-terrorists.html

Nadim Kobeissi
On Encryption and Terrorists

Nov 23, 2015

In light of the recent terrorist attacks, things are getting heated for the regular security and encryption software developer.  Being one myself, Ive been on the receiving end of a small avalanche of requests from journalists, political pundits and even law enforcement.  Im also someone who was born and raised in Beirut and who recently immigrated to Paris, both of which were the sites of twin attacks, one day apart from each other.

It seems necessary to share some perspective on whats going on with encryption software, the terrorists supposedly using it, and what this means for the rights and the security of our global communities.

The encryption software community writes a large variety of software, from secure instant messaging to flight tower communication management to satellite collision prevention.  We do this for a number of reasons, but theres always an underlying shared understanding: that were using mathematics and engineering to contribute towards a society thats safer, more capable and able to communicate with a sense of privacy and dignity inherent to all modern societies.  The premise driving the people writing encryption software is not exactly that were giving people new rights or taking some away: its the hope that we can enforce existing rights using algorithms that guarantee your ability to free speech, to a reasonable expectation of privacy in your daily life.  When you make a credit card payment or log into Facebook, youre using the same fundamental encryption that, in another continent, an activist could be using to organize a protest against a failed regime.

In a way, were implementing a fundamental technological advancement not dissimilar from the invention of cars or airplanes.  Ford and Toyota build automobiles so that the entire world can have access to faster transportation and a better quality of life.  If a terrorist is suspected of using a Toyota as a car bomb, its not reasonable to expect Toyota to start screening who it sells cars to, or to stop selling cars altogether.

And yet, this is the line of questioning that has besieged the cryptography community immediately after the Paris attacks.  A simple mention of my encryption software in an Arabic-speaking forum is enough to put me on the receiving end of press inquiries such as are you aware of any terrorists using your software?  Do you feel its your responsibility to monitor terrorist activity?  Or, more bluntly, do I feel like Im complicit in aiding terrorists, by the simple fact that I write cryptography software or currently do PhD research in applied cryptography?

The brouhaha that has ensued from the press has been extreme.  Ive received calls that bluntly want to interview me regarding technology used by terrorists, such as yours.  A Wired article, like many alongside it, finds an Arabic PDF guide on encryption and immediately attributes it as an ISIS encryption training manual even though it was written years ago by Gaza activists with no affiliation to any jihadist group.

In this rush to blame a field that is largely unknowable to the public and therefore at once alluring and terrifying, little attention has been paid to facts: The Paris terrorists did not use encryption, but coordinated over SMS, one of the easiest to monitor methods of digital communication.  They were still not caught, indicating a failure in human intelligence and not in a capacity for digital surveillance.

But even in light of all the evidence pointing towards a human intelligence failure, cryptography, being to the outsider a scary and mysterious usage of secret codes and complicated algorithms, remains an easy target.  The press again drives the discussion, each time with a lessened priority for measured questioning and proper investigation.  Why havent you inserted back doors into your software?  Do you want terrorists to use your tools?

The call for backdoors is nothing new.  During my career in the private sector, Ive seen requests to backdoor encryption software so as to please potential investors, and have seen people in the field who appeared to stand for secure software balk under the excuse of if thats what the customer wants, even if it results in irreparable security weaknesses.  Ive had well-intentioned intelligence officers ask me informally, out of honest curiosity, why it is that I would refuse to insert backdoors.  The issue is that cryptography depends on a set of mathematical relationships that cannot be subverted selectively.  They either hold completely or not at all.  Its not something that were not smart enough to do; its something thats mathematically impossible to do.  I cannot backdoor software specifically to spy on jihadists without this backdoor applying to every single member of society relying on my software.

And Ive seen what guarantees secure communication can give a society.  Ive seen my software used in Hong Kong to organize protests against a government otherwise unwilling to give people their rights.  Ive seen my colleagues produce software used by Egyptians rallying for democracy.  Ive had childhood friends call me from Beirut, desperate to know of a way to organize protests against a government that would lock them up were they to use public phone lines.  Ive set up communication lines for LGBTQ organizations so that they can give counsel without fearing ostracization or reprisal.  And in the comfort of my new life in France, Ive also relied on encryption so that I know Im obtaining my simple right to privacy when discussing my daily life with my friends or with my partner.

Ive come to see encryption as the natural extension a computer scientist can give a democracy.  A permeation of the simple assurance that you can carry out your life freely and privately, as enshrined in the constitutions and charters of France, Lebanon as well as the United States.  To take away these guarantees doesnt work.  It doesnt produce better intelligence.  Its not why our intelligence isnt competing in the first place.  But it does help terrorist groups destroy the moral character of our politics from within, when out of fear, we forsake our principles.

If we take every car off the street, every iPhone out of peoples pockets and every single plane out of the sky, it wouldnt do anything to stop terrorism.  Terrorism isnt about means, but about ends.  Its not about the technology but about the anger, the ignorance that holds a firm grip over the actors mind.

I grew up and spent a decade of my childhood in south Beirut and was literally neighbors with the security sector of Hezbollah, a guerilla organization that fights frequent wars with Israel.  During the 2006 war, an Israeli fighter jet carpet-bombed the entire neighborhood, razing my home and that of many others to the ground.  While walking through a field of rubble and unexploded cluster bombs to try and find my house, I distantly saw a friend of mine, far away on the other side of whatever it was that I was staring across.  We locked eyes.  Then, we burst out laughing.  We laughed for a long time.

In 2008, I got the opportunity to move away from Lebanon and to get an education abroad.  This opportunity was rare and unusual.  Making encryption software is hard, too: for many of my first years abroad, much of my software was riddled with bugs, and it took practice and feedback in order to start getting things right  namely, what my education abroad of Lebanon really was about.

Visiting south Beirut a few years later, I found that I had changed but that no one else there had.  The rubble was mostly but not completely gone.  I also found that people were angry, and that Hezbollah had pledged to rebuild their homes.  Left without any hope for a good education, for a happy life, with much of their families missing, with their friends dead, many pledged themselves in return.

Thats whats causing terrorism, not encryption software.

nadim at nadim.computer