You don’t need anything decrypted to see that nobody likes
the Compliance with Court Orders Act of 2016, the draft encryption bill released two weeks ago.
Coauthored by Senators Richard Burr and Dianne Feinstein, the bill
would allow courts to order companies to break encryption on
communications and devices for law enforcement purposes.
There are plenty of reasons to dislike it. Here are mine,
along with some thoughts about what the bill reveals about our
government’s approach to intelligence.
1. The proposed bill won’t work as a deterrent to unlawful activity.
Terrorists, drug dealers, malicious hackers and other “bad guys” are
going to continue to encrypt their communications, because by definition
they’re not worried about breaking the law. The result is that the bill
would essentially hobble the law-abiding with bad security while
keeping criminals untouchable.
2. The bill will drive up the cost of communications even as it undermines data security.
Under its provisions, as a service provider I now have to maintain a
(costly) log of historical information so that if the government
requests such data, I can provide it. By keeping such records, I expose
every client in my data center to the risk of a security breach. Bank of
America, Target, and the U.S. government couldn’t stop these security
breaches, so it’s likely we’ll see more of them if the bill wins
traction.
Fortunately, that’s unlikely to happen, as it’s clear to
most everyone that the bill doesn’t work. What the bill does do is
reveal a misunderstanding of the diversity of modes of communication
used today, particularly by younger demographics.
The bill covers data exchanged via voice, email, chat, and
some forms of video communication but leaves out other important mediums
like image-based communications and collaboration tools such as web and
video conferencing. For a simple example of how prevalent and easy
image-based communication is, watch just about any college football
game. You’ll see that plays are called by a person on the sideline
holding up a poster with four meaningless — but memorable — pictures on
it. The specific combination and location of images quickly conveys to
the players what play has been called.
The bill’s omission of image-based and other important
communications shows that it is clearly a creation of the over-40 set.
As such, it reflects something of an over-40 mindset, which holds that
the most important information is transmitted primarily over phone and
email. In our efforts against the terrorist plots of today, in which
perpetrators are overwhelmingly young people using social media and other new communication technologies, this strategy seems doomed to fail.
In the big picture, most of us likely agree that it’s
critical we evaluate the trade-offs we are willing to make in order to
help our government protect us while still retaining our rights. But
end-to-end encryption is a genie out of its bottle, and it will be hard
to stuff back in.
Rather than trying, we need to answer the key intelligence
questions that the rapid rise of consumer communication technologies has
forced. Have we developed the technical expertise and capabilities to
handle the new style of communication favored by young people? Have we
built the machine learning and AI tools necessary to discover repetitive
patterns and other information that might be embedded in images and
other command and control type messaging systems? With the proliferation
of so many forms of communication in recent years, is it even realistic
to expect that we can sit on Twitter, Facebook, Telegram, Threema, Kik,
Wickr, and SureSpot — all favored by ISIS — and get the intelligence we need to build an effective anti-terrorism strategy?
I suspect that part of the way forward is a return to some
of the human intelligence approaches that we’ve pulled away from over
recent decades in our focus on signal intelligence. Technological might
is without a doubt a crucial piece of the counter-terrorism and
crime-fighting puzzle, but diplomatic activity, outreach programs, and
other on-the-ground strategies are more than passing complements. The
botched bill may have exposed Congress’ poor grasp of technology, but it
also hints at the limits of that same technology and, if nothing else,
may be useful as a push on the intelligence community to craft a new
vision for itself.