Cryptography and Terrorism

It's time to ask a few questions: Isn't cryptography dangerous? Shouldn't it be outlawed? Surely the terrorists could use it to keep their secrets? Cryptography in and of itself is not a tool for terrorism; it is a tool for everyday things, like ensuring that software updates are secure, or safeguarding PIN numbers - or love letters.

Yes, cryptography can be used to frustrate law enforcement, but then, so can many things - including the complete absence of a message. Is it better to have knowledge of an encrypted message between a known terrorist and another person - or for that message to go some other route and not be detected? Consider the effect of banning cryptography. If all cryptography were outlawed, then the terrorist might send a message which says 'I'll go shopping later, want me to get something for you', which means 'attack now!'.

They could send 'When you go shopping, will you get that CD I wanted?', which means 'abort!'.

They could even send a message by courier, i.e. stored in somebody's head.

Philip Zimmermann, creator of PGP, once famously said that 'if privacy is outlawed, then only outlaws will have privacy'.

To illustrate this, it is illegal to fly planes into public buildings. It is illegal to blow things up in public spaces, yet this does not stop people doing such things.

Putting this to one side, if cryptography were banned, terrorists might stop using it in order to avoid 'standing out'. However, banning cryptography would not make it easier for law enforcement (who are, like it or not, scanning electronic communications) - it would probably make it harder. A ban on cryptographic methods would probably yield less information for the intelligence services than they have at present.

Why?

As mentioned above, the bad guys would move away from the electronic networks. Many of them will stay off the networks anyway. This is probably one of the main reasons that Osama Bin Laden tapes are delivered by courier. Indeed, they'll probably be delivered via several couriers, each one leaving the tape in a 'drop', so the next guy never sees who left it.

Moving off the electronic networks makes it harder for intercepts to be made, harder to tell there is a message, and harder to track the message. When the internet or phone system is used, an analysis of message traffic is certainly useful, even without decrypting the messages. How many times have we heard about 'an increase in chatter'?

The thing is that a lot of cryptography out there is actually weak. Personally, most of the stuff I have an interest in is weak - I'm interested because it's a challenge to analyse. If it's requiring a big budget to solve then I lose interest.

If I were to send out messages which I really wanted to keep secret, encrypting them with, say, Vigenère would be silly. Vigenère can take fractions of a second to crack once you have a reasonable amount of text. However, people do silly things. Vigenère will be quite sufficient to prevent idle nosiness. Indeed, I might encourage someone I wanted to spy on to use Vigenère, as it might cause them to be indiscreet, thinking they were secure!
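To make the point about Vigenère concrete, here is an added example (not part of the original essay) that recovers the key from ciphertext alone, using the index of coincidence to find the key length and a chi-squared fit against English letter frequencies for each key letter. The sample text, the key `LEMON` and all function names are constructed for this illustration.

```python
from collections import Counter
from string import ascii_uppercase as AZ

# Approximate English letter frequencies in percent, A..Z.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def vigenere(text, key, decrypt=False):
    sign = -1 if decrypt else 1
    return "".join(AZ[(AZ.index(c) + sign * AZ.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(text))

def ioc(col):
    # Index of coincidence: about 0.066 for English, about 0.038 for random letters.
    n = len(col)
    return sum(v * (v - 1) for v in Counter(col).values()) / (n * (n - 1))

def guess_key_length(ct, max_len=12, threshold=0.055):
    # Smallest period at which every k-th letter looks like a simple Caesar shift.
    for k in range(1, max_len + 1):
        if sum(ioc(ct[i::k]) for i in range(k)) / k > threshold:
            return k
    raise ValueError("no period found; ciphertext too short or not Vigenere")

def best_shift(col):
    # Try all 26 shifts and keep the one whose letter counts fit English best.
    expected = [len(col) * f / 100 for f in ENGLISH]
    def chi2(shift):
        seen = Counter((AZ.index(c) - shift) % 26 for c in col)
        return sum((seen[j] - expected[j]) ** 2 / expected[j] for j in range(26))
    return min(range(26), key=chi2)

def crack(ct):
    k = guess_key_length(ct)
    key = "".join(AZ[best_shift(ct[i::k])] for i in range(k))
    return key, vigenere(ct, key, decrypt=True)

# Constructed sample: plaintext adapted from this essay, key chosen for the demo.
SAMPLE = """If all cryptography were outlawed, then the terrorist might send a message which
says I will go shopping later. Moving off the electronic networks makes it harder for intercepts
to be made, it makes it harder to tell there is a message, and it makes it harder to track the
message. When the internet or phone system is used, even without decrypting the messages an
analysis of message traffic is certainly useful. Cryptography acts as an envelope, preventing
casual observers reading. Even if strong cryptography is too difficult to break in a timely way,
the existence of a message is still information that can be of use. Protecting your personal
information is a good thing, and identity theft is very real. There is a balance between liberty
and security, and it is not an obvious balance either."""
PLAINTEXT = "".join(c for c in SAMPLE.upper() if c in AZ)
CIPHERTEXT = vigenere(PLAINTEXT, "LEMON")

if __name__ == "__main__":
    key, recovered = crack(CIPHERTEXT)
    print(key, recovered[:60])
```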

On an international level: after WW2, the British and Americans knew how to decode Enigma machines - we encouraged their spread across the world, and for many years they were used in foreign embassies. This yielded much useful information!

For most practical cryptographic methods, cryptanalysing is a matter of time and money. The more money, the less time. The US government created something called the 'Data Encryption Standard', DES. Various people began to suspect it was insecure, and in the late nineties built a machine which could break it in 24 hours. The US story of this is available. One can bet that governments had DES broken long before, and that they were using that information to look at financial records and 'follow the money'.

So what use is cryptography? It acts as an 'envelope', preventing casual observers from reading. It prevents 'data mining', but for anti-terrorism it is more of a mild inconvenience.

It's true that 'strong' cryptography might, for practical purposes, be too difficult to break in a timely way. Even if it is too difficult (which we have no way of knowing for sure), the existence of a message is still information that can be of use.

What if we just banned the 'strong' crypto? If we banned the strong crypto, the terrorists would still use it (they're terrorists, remember? They don't follow laws) - they could use a strong algorithm and then disguise this fact by encoding the message using a weaker algorithm as a 'wrapper'. Indeed, banning strong algorithms might act as adverts for them!

Alternatively, they might simply go 'off net'. They might also use steganographic techniques, hiding data by changing individual pixels of a photograph, for example. Meanwhile, the rest of us, with legitimate reasons for keeping data private, lose the protection provided for our business from casual observers (including that spotty youth on work experience at your ISP who is reading your email).

At this point, someone usually objects saying 'I've got nothing to hide....'. There are several responses to this.

1) Why isn't all your private correspondence on a postcard rather than in an envelope? If you have nothing to hide surely you wouldn't object to that?

2) Why should you reveal your business to anyone who is curious?

3) Finally, protecting your personal information is a good thing - identity theft is very real - removing cryptographic protections would be a criminal's wet dream!

4) Can I have your PIN number?

To summarise: Cryptography is essential to our society, and there is a balance between liberty and security - it's not an obvious balance either. If we remove the liberty to keep private business private, this could very well have the effect of reducing security by pushing the terrorists and criminals off the internet to other methods of communication (one can fly round the world in less than a day).

There is also the philosophical argument - do we wish to live in a state where the government of the day can monitor its citizens that closely? Regardless of your response to that, it's probably the case that we already do.