Law enforcement’s encryption dilemma


After the terrible mass murders in Dayton, Ohio, the FBI struggled for days to get into the mobile phone of the shooter to understand what happened and whether others had conspired with him. The same thing happened nearly four years ago after the horrific shootings in San Bernardino, Calif.

Federal law enforcement authorities in the U.S., as well as governments worldwide, face a continuing dilemma as a result of encryption, the everyday tool meant to protect our privacy.

When I was appointed the first United States Secretary of Homeland Security in the aftermath of Sept. 11, 2001, our country was confronting a new era of terrorism alongside an array of domestic and international threats. The challenges of fighting crime and terror have only grown — exponentially — as intelligence officials increasingly find themselves in the dark, often falling behind tech-savvy terrorists, even while the capability to combat these threats exists.

Counterterrorism requires prevention and preparedness. But today, identifying threats before they happen is nearly impossible, as extremist groups like Boko Haram and ISIL take advantage of smartphones with encrypted technologies to covertly plot their attacks.

Platforms like WhatsApp and Viber help smartphone users keep their personal data private but can also be exploited for nefarious purposes. El Chapo, the Mexican drug lord, operated undetected for years by running his cartel using encrypted messages. Bad actors have always gone to great lengths to operate covertly, but with our own counterterrorism strategies struggling to keep up, the gap is growing.

This phenomenon of “going dark” has rendered the traditional ways our security agencies operate — such as wiretaps and surveillance vans — ineffective. Government agencies could once monitor the movement of criminals and terrorists, who now stay off the radar with something as ubiquitous as a smartphone.

A joint statement from leaders in Australia, Canada, New Zealand, the UK, and the U.S., collectively known as the Five Eyes, outlines the “urgent need” for law enforcement to overcome this gap, explaining: “The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies’ efforts to protect our communities.”

Thankfully, newer technology gives hope that modern solutions can combat these modern problems.

Advances in lawful interception tools mean government agencies with a sworn duty to protect civilians can overcome encryption to access vital intelligence so criminals can’t plot behind an impregnable wall. These technologies can and have prevented tragedies, with the public undisturbed. Moreover, they are designed for careful, highly targeted and limited use, making surveillance less invasive but more effective than ever before. Without these sophisticated technologies the men and women meant to keep us all safe face nearly insurmountable hurdles.

Backends to encryption help law enforcement stop terror and crime, but in the wrong hands, these tools could be exploited to violate personal privacy or surveil people for reasons unrelated to public safety. But the regulatory field has managed to keep up even as law enforcement capabilities fell behind.

A legal and regulatory framework is crucial to ensure that those who develop this technology license it under clear standards and that users operate the technology as intended. It’s incumbent upon intelligence agencies, industry and lawmakers to work together so that these lifesaving tools will be used under the highest standards of respect for safety and human rights.

Numerous security experts have encouraged companies in this industry to implement standards according to the United Nations Guiding Principles on Business and Human Rights. This is no doubt a lofty benchmark, but by holding such a crucial industry to this standard, we can ensure that governments continue to keep their citizens safe while proactively addressing legitimate concerns on privacy and potential misuse.

We simply cannot ignore these crucial technologies because of privacy fears. There’s too much at stake. Governments can balance respect for privacy and human rights, while also cracking encryption in order to prevent terrorism and crime before it happens.

My number one priority when Secretary of Homeland Security is shared by my successors: to ensure that when terrorists plot their next 9/11, we are ready to prevent it.

Government agencies, major tech companies and the cybersecurity industry can successfully work together to provide law enforcement with the reasonable capabilities needed to keep innocent civilians safe from terror and crime.

Otherwise, the world’s most dangerous people may very well succeed.

Tom Ridge was the 43rd governor of Pennsylvania and the first secretary of the U.S. Department of Homeland Security. He is chairman of the Ridge Global Cybersecurity Institute and serves as a senior advisor to Israeli technology company NSO Group, which focuses on cyber intelligence and helps governments prevent and investigate terrorism and crime.