Organized criminals as well as ordinary citizens have cause to guard their privacy with encryption. With governments increasingly resorting to digital surveillance, people on both sides of the line between right and wrong are using it.

Encrypted message (Photo:OCCRP)

A drug mule brings a package to a prearranged spot. He texts the dealer to confirm that a Bitcoin payment has been made into a digital account and then drops off the drugs. The person picking up the package confirms to both, again via text message, that everything went according to plan.

Meanwhile, a team of police officers surveilling the drug dealers attempts to intercept their messages — but they see only rows of letters and numbers that make no sense.

Now scale that up to a million-dollar drug cartel network that three national intelligence agencies have been trying to dismantle for years. That’s the case of Phantom Secure, a Canadian telecommunications company that supplied criminal gangs with phones outfitted with special software to evade law enforcement.

It modified Blackberry phones to ensure that signals would be routed only through servers based in countries considered uncooperative with foreign law enforcement, such as Panama and Hong Kong.

The firm issued these phones only through a strict referral system. All new clients had to be recommended by existing ones. The company could remotely wipe any phone it suspected of being a breach in the network, for example if it was being used by a police informant.

It’s easy to see how this sophisticated software facilitates crime of international proportions and why law enforcement agencies would like to ban it, or at least to control it.

But Phantom Secure was simply using technology available for free on the Internet.

VPNs bounce messages from one server to another, zig-zagging them across the world before the recipient gets them, thereby hiding the sender’s identity and origin.

PGP encryption, originally designed to protect people’s privacy, turns the sender’s message into senseless symbols, with only the intended recipient able to turn them back into the original message.

It’s called end-to-end-encryption, and it’s what makes secure online banking and shopping possible even for those who never heard of it.

Activists and investigative journalists rely on encryption as well. It protects those who live under oppressive regimes that spy on their citizens and jail them for criticizing the government. Or kill them.

It is easy to see how this sophisticated software promotes safety, trade, and democratization.

But these advantages must be balanced against more nefarious uses.

Striking a Balance

“We now observe the use of encryption in criminal communications across all threat areas and across all levels within criminal hierarchies,” said the UK’s National Crime Agency in a 2018 assessment of serious and organized crime.

“Encryption built into mainstream products will continue to expand and will offer criminals enhanced protection by default, rather than design,” the report warned.

In 2017, British Prime Minister Theresa May and her predecessor David Cameron called for bans on all applications that use end-to-end encryption.

Former UK Home Secretary Amber Rudd also called for companies to scrap end-to-end encryption.

“I don’t need to understand how encryption works to understand how it’s helping the criminals,” Rudd said.

Officials in the United States have been no less wary of the increasing availability of encryption.

Former FBI director James Comey told the Senate Judiciary Committee in May 2017 that criminal suspects are increasingly using encryption. Of the more than 6,000 phones FBI investigators seized from October 2016 to April 2017, nearly half were encrypted and investigators could not access their content.

“That means half of the devices that we encounter in terrorism cases, in counterintelligence cases, in gang cases, in child pornography cases, cannot be opened with any technique,” Comey explained. “That is a big problem.”

Following a mass shooting in 2015 in San Bernardino, California, that left 14 people dead, the FBI petitioned Apple several times to allow it to access data on the perpetrators’ locked iPhones.

Apple said no. Protecting its users’ privacy is more important than anything else, the company argued.

Then the FBI attempted to force Apple to create a general key investigators could use to open encrypted phones and computers seized from criminal suspects.

The tech company cited the US Constitution and remained firm in its refusal.

It’s not that tech companies don’t see the problem, said Tim Cook, Apple’s CEO in an MSNBC interview. “It is a thorny issue from a law enforcement point of view,” he said.

But the software the FBI was asking for, a “master key” that would let police open anything, is potentially dangerous, as it could be stolen and misused, Cook said.

“You should not be able to compel somebody to write something that is bad for civilization.”

Once that “master key” exists, anyone who finds it could essentially grant themselves a top-level government security clearance with no limits. Neither governments nor companies can guarantee that malicious third parties won’t obtain access.

Privacy activists agree. End-to-end encryption protects a citizen’s reasonable expectation of privacy, and a backdoor like a master key would grant anyone the ability to forever monitor anyone whose device they have access to.

In his recent book, “A Higher Loyalty,” Comey admits that it’s difficult to find a balance between protection of privacy and the needs of law enforcement, but stressed that tech companies refuse to recognize the gravity of the problem.

“The Silicon Valley types don't see the darkness — they live where it's sunny all the time and everybody is rich and smart,” he wrote.

When Big Brother Has the Keys

And what about oppressive regimes?

In this era of cyber-espionage, authoritarian laws on citizen surveillance, and digital arms dealers selling spyware to dubious regimes, the right to privacy is not simply a question of hiding a potentially embarrassing browser history. It’s also about protecting the lives of those who sacrifice their safety to uncover the crimes of oligarchs and dictators.

Data leaks have revealed that EU-based companies Gamma Group and HackingTeam have few scruples about their buyers; they’ve sold advanced spyware to Bahrain, Egypt, Kazakhstan, Sudan, and Turkmenistan — hardly countries with stellar records on digital privacy and human rights.

An incredible amount of economic and political power supports the multi-billion dollar commercial spyware industry in which corporations like these thrive.

But when citizens have sued governments for privacy breaches, the judiciary has responded with ambivalence.

In 2017, the Citizen Lab, a Toronto think-tank, released a report detailing how an American citizen born in Ethiopia tried to fight back, filing a lawsuit against the Ethiopian government in a US federal court after he found it had spied on him using spyware from an Israeli company.

The court ruled that the US had no jurisdiction to determine whether this was a crime.

How Can Citizens Protect Themselves?

Only through encryption, experts say.

“The idea of banning encryption is ridiculous,” said Smari McCarthy, a cybersecurity expert and member of the Icelandic Parliament. He believes that only criminals and governments would profit from such a ban.

And there are deeper legal issues, said McCarthy, who previously worked with OCCRP. “Banning encryption is equivalent to waiving the requirement for a warrant, because not only can governments, and indeed anybody, monitor communications then, but they will be very tempted to do so,” he said.

“Such temptations exist today, as the massive illegal surveillance efforts already made by the UK, the US and others show,” he added.

Raphael Vinot, an information security expert with the Computer Incident Response Center Luxembourg, a government-driven initiative dealing with computer security, agrees.

The criminalization of encryption would do very little to deter criminals, who don’t care whether something is legal or not.

“Criminals don’t really follow the law. It wouldn’t affect them at all,” he said.

“Banning encryption would hurt journalists,” he told OCCRP. It would leave them and activists with an impossible choice: staying safe or staying legal.

Philip R. Zimmermann, the creator of PGP, summed it up on his website: “If privacy is outlawed, only outlaws will have privacy.”

Vehement opposition to both the regulations in the UK and to the FBI’s request for a master key led to both sides dropping their demands, leaving the issue as unsettled as before.

Meanwhile, law enforcement agencies are still relying on old methods to fight increasingly sophisticated crime.

The FBI eventually spent US$ 900,000 to hack the San Bernadino shooter’s $350 iPhone 5. And in the Phantom Secure case, the agency was forced to use informants to collect evidence to justify the arrest of the company’s owner and CEO Vincent Ramos.

In early October, Ramos pleaded guilty to leading a criminal enterprise that distributed heroin, methamphetamine, and at least 450 kilograms of cocaine by supplying traffickers with encrypted communications devices designed to thwart law enforcement.

He agreed to pay a $80 million fine, give up tens of millions of dollars’ worth of bank accounts, houses, a Lamborghini, cryptocurrency accounts, and gold coins, the Department of Justice announced.

Ramos’ guilty plea “is a significant strike against transnational organized crime,” said John Brown, FBI Special Agent in Charge of the San Diego Field Office, in the a statement by the Department of Justice.

“The FBI and our international law enforcement partners have demonstrated that we will not be deterred by those who exploit encryption to benefit criminal organizations and assist in evading law enforcement,” he declared.