The November terrorist shooting rampage in Paris that took the lives of 130 people and wounded 367 others has become France's own 9/11. And it has reignited the ongoing debate between national security and personal privacy.
In early December, the French newspaper Le Monde got its hands on leaked documents from French security forces and police calling for a ban on public WiFi and blocked access to the Tor network, a popular tool for surfing the Web anonymously. Security officials in France share concerns raised in the U.S. and England that terrorists could use encrypted Internet connections to plot new attacks, completely undetectable by authorities. Encryption is a method of encoding data so that only the sender and receiver can read it.
The leaked French documents caused a mini-uproar among privacy advocates, who charge that encryption is their final protection against the kind of intrusive government surveillance disclosed by National Security Agency (NSA) whistleblower Edward Snowden. Snowden himself is a passionate advocate for Tor, the anonymity tool targeted in the French documents.
"I think Tor is the most important privacy-enhancing technology project being used today," Snowden told The Intercept. "I use Tor personally all the time." That use included the period when he was smuggling top-secret NSA documents to journalists. The Tor browser re-routes all traffic through a network of volunteer-run servers that mask the original user's IP address and physical location.
Days after the Le Monde story broke, French Prime Minister Manuel Valls denied the existence of any official plan to block Tor or ban public WiFi.
"Internet is a freedom, is an extraordinary means of communication between people, and is a benefit to the economy," Valls said. "It is also a means for terrorists to communicate and spread their totalitarian ideology. The police must take in all of these aspects to improve their fight against terrorism, but the measures we take must be effective."
The Million-Dollar Question
But how do we monitor and investigate terrorist communications without sacrificing the privacy and freedoms of the general public? That's the "million-dollar question," says Damon Petraglia, director of forensic and security services for Chartstone and a member of the U.S. Secret Service Electronic Crimes Task Force.
"Encryption is this double-edged sword," says Petraglia. "It's really helpful for non-criminals" — journalists with confidential sources, for example, or human rights activists working under oppressive regimes — "but it also assists criminals in staying far below the radar."
What if the French or U.S. government went ahead with a plan to outlaw Tor? Would that be an effective way to smother terrorist chatter? Absolutely not, said Eva Galperin, global policy analyst at the Electronic Frontier Foundation, which fights to protect civil liberties online.
"The reason bad guys use Tor is because it works better than anything else," Galperin told Bloomberg Business. "But at the same time, if there was no Tor, bad guys would still find a way of maintaining their anonymity and everyone else would be left out in the cold."
In the U.S., the debate is less about banning networks like Tor than about forcing private companies like Apple and Google to provide "exceptional access" — otherwise known as a "backdoor key" — for law enforcement to decode and investigate encrypted messages. As it stands, text messages sent from an iPhone are protected by strong end-to-end encryption, which no "backdoor key" could open.
Security experts agree that engineering systems that allow backdoor keys would be a step backwards, and would ultimately do more harm than good.
"If there is a door, you can bet it will be accessed by hackers," says Marty P. Kamden, CMO of NordVPN, a company that hosts encrypted virtual private networks for individuals and companies. A recent MIT report came to the same conclusion, finding that allowing "exceptional access" by law enforcement "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend."
Even worse, says Dan York, DNS security coordinator for the Internet Society, is that the most sophisticated terrorists won't be affected by backdoor keys, because they're building their own encrypted systems and apps.
"Backdoors weaken the overall security of the system, because they will be discovered and compromised," York says. "Meanwhile, the terrorists will go off and use their own encryption, and they will wind up having better security than the rest of us."
So what's the solution? If people are unwilling as citizens to sacrifice a measure of personal privacy in the name of greater security, and don't want to give special access to law enforcement to pursue terrorist investigations, how can intelligence agencies like the FBI do their job?
"There are no silver bullets," York admits. The solution requires a lot of hard work and a lot of the "C" word: collaboration. "Each of us — individuals, law enforcement, governments — has a role to play in making the Internet more secure. It involves governments working with private sector, with NGOs, with academia, with the technical community, working with all of us collaboratively to ask, how do we raise the bar?"