The Obama administration’s central strategy against strong encryption seems to be waging war on the companies that are providing and popularizing it: most notably Apple and Google.
The intimidation campaign got a boost Thursday when a blog that frequently promotes the interests of the national security establishment raised the prospect of Apple being found liable for providing material support to a terrorist.
Benjamin Wittes, editor-in-chief of the LawFare blog, suggested that Apple could in fact face that liability if it continued to provide encryption services to a suspected terrorist. He noted that the post was in response to an idea raised by Sen. Sheldon Whitehouse, D-R.I., in a hearing earlier this month.
“In the facts we considered,” wrote Wittes and his co-author, Harvard law student Zoe Bedell, “a court might — believe it or not — consider Apple as having violated the criminal prohibition against material support for terrorism.”
FBI Director James Comey and others have said that end-to-end encryption makes law enforcement harder because service providers don’t have access to the actual communications, and therefore cannot turn them over when served with a warrant.
Wittes and Bedell argue that Apple’s decision to “move aggressively to implement end-to-end encrypted systems, and indeed to boast about them” after being “publicly and repeatedly warned by law enforcement at the very highest levels that ISIS is recruiting Americans” — in part through the use of encrypted messaging apps — could make the company liable if “an ISIS recruit uses exactly this pattern to kill some Americans.”
The blog compares Apple’s actions to a bank sending money to a charity supporting Hamas — knowing that it was a listed foreign terrorist organization.
“The question ultimately turns on whether Apple’s conduct in providing encryption services could, under any circumstances, be construed as material support,” Wittes and Bedell write. The answer, they say, “may be unnerving to executives at Apple.”
One way to avoid such liability, Wittes and Bedell argue, would be to end encrypted services to suspected terrorists. But, they acknowledge, “Cutting off service may be the last thing investigators want, as it would tip off the suspect that his activity has been noticed.”
In a hearing on July 8 before the Senate Judiciary Committee, Justice Department officials insisted that companies need to be able to provide them with unencrypted, clear access to people’s communications if presented with a warrant.
The problem is that eliminating end-to-end encryption or providing law enforcement with some sort of special key would also create opportunities for hackers.
Within minutes of the Lawfare post going up, privacy advocates and technologists expressed outrage: Chris Soghoian, principal technologist for the American Civil Liberties Union, called it a continuation in Wittes’ “brain-dead jihad against encryption,” while Jake Laperruque, a fellow at the Center for Democracy and Technology, wrote that Wittes’ post “equates selling a phone that’s secure from hackers with giving money to terrorists.”
If Apple and Google were to cave under the pressure of being likened to terrorist-helpers, and stop making end-to-end encryption, that could be the start of a “slippery slope” that ends the mainstream availability of strong encryption, said Amie Stepanovich, U.S policy manager for Access.
But even so, strong encryption will always exist, whether produced by small companies or foreign outlets. Terrorists can take their business elsewhere, while normal Americans will be left without a user-friendly, easily accessible way of protecting of their communications. “These tools are available and the government can’t get to all of them,” says Stepanovich.
Wittes, while couching his post as hypothetical, left little doubt about his personal sentiment. “All that said,” he and his coauthor wrote, “it’s a bit of a puzzle how a company that knowingly provides encrypted communications services to a specific person identified to it as engaged in terrorist activity escapes liability if and when that person then kills an American in a terrorist incident that relies on that encryption.”
The authors didn’t say what exactly they wanted Apple to do instead. Wittes tweeted after publishing the post that he is “not sure at all that Apple is not doing the right thing by encrypting end to end.”
Correction: An earlier version of this article misquoted Wittes’ tweet, mischaracterizing its meaning.