In the wake of the recent Paris tragedy there have been calls for the UK to pass the Investigatory Powers Bill (aka the Snoopers’ Charter). This bill contains vague language that would require tech companies and ISPs to make accommodations for surveillance, and keep more extensive records of web traffic for the government.

Parisian citizens hold a vigil the night of November 14th.

A Comedy of Errors

Building working encryption is hard. So hard, in fact, that crypto libraries are riddled with errors even without subterfuge from governments. When governments interfere in crypto and mandate weaker security, the consequences can be dire and span decades.

Consider the case of the US government in the 1990s. In an attempt to bolster eavesdropping capabilities, the government classified cryptography as a munition (this is still true!), and banned the export of cryptography with strong keys.

This is silly, because you can’t ban mathematics.

Nevertheless, the practical repercussions were severe. Recently, a vulnerability was discovered in which an attacker can force a computer to downgrade the security of its connection. Why? Because browsers still support the weakened “export-grade” ciphers mandated by the US government in the 90s.

Requiring companies to weaken security will not just grant access to law enforcement. It will make everyone more vulnerable, and introduce flaws that could haunt us for decades. The only real beneficiaries are foreign companies, which will replace Western security vendors, and foreign governments, which will have an easier time conducting dragnet surveillance against US and UK citizens.

Don’t Double Down

In the wake of the Charlie Hebdo attack earlier this year, France considered new surveillance powers and then passed several. These draconian new powers allow the government to monitor phone calls and emails without a warrant. French laws already make great concessions in the name of surveillance, yet these powers were insufficient to stop the Paris attacks. What failed?

The Charlie Hebdo attacks made international headlines, and resulted in increased French surveillance powers.

A closer look suggests that French intelligence was not the problem: dragnet surveillance is inadequate to stop terrorism in general. Consider a historical incident: the 2009 case of the Underwear Bomber. The attacker’s father notified authorities of the risk, but the sheer scale of a dragnet operation prevented a response. An explicit warning failed to stop the attack. We cannot expect dragnet surveillance to protect us.

France bolstered its intelligence operations in the wake of Charlie Hebdo, and yet could not stop the Paris attack. There is no historical reason to believe more surveillance will prevent future attacks, and France should not double down on a failed solution.

The Path Forward

In the wake of a great tragedy, a moment of political expedience for surveillance has arrived. The UK is seeking to take advantage with its Snoopers’ Charter, and the US is not far behind.

Do not be fooled by those who would sacrifice the security of our people and businesses in the name of surveillance. The path forward is difficult to find, but we can be sure of this: the solution is not an ineffective dragnet program. The solution is not weakened encryption.

Continue to support our essential freedoms, and take note: the greatest risk to our security is not terrorism, but our own fear.