
Mass Surveillance – How To Write Bad Tech Policy
This is a republication of a post I originally wrote on August 31, 2023 over on my dedicated blog site that I am rolling into wonksecurity.com.
If there is one thing I am really getting tired of, it’s governments trying to destroy a pivotal part of the Internet in order to conduct even more surveillance on every person on the planet, all through scare tactics and leftover animus from the 2015-16 Apple vs. FBI battle. Today’s reminder that countries are really bad at devising tech policy that doesn’t take the form of the mythical “Sledgehammer of Unintended Consequences” comes from this excellent piece written by Tarah Wheeler and Geoffrey Cain in the Council on Foreign Relations.
This article titled, “There’s A Cop In My Pocket: Policymakers Need to Stop Advocating Surveillance by Default,” delves into some of the problems with proposed tech policies in the US, UK, and France and provides a great opportunity to share my own take on some of these proposed laws. Spoiler alert: As 1) a privacy and civil liberties advocate and 2) an expert on terrorism studies who thinks that sacrificing the rights and civil liberties of the many to combat the crimes of the few equates to counterterrorism mission failure, I’m not a fan of these laws or the arguments put forth by their proponents.
First, there’s been a lot of talk in recent years about criminals “going dark,” but not much consideration has gone into the fact that a lot of law-abiding people all over the world originally led the development and adoption of these means of “going dark” to opt out of mass surveillance programs in the post-9/11 world, to evade censorship in repressive/authoritarian countries, and, of course, because they have grown tired of surveillance capitalism. Things like Tor, WhatsApp and Signal, ProtonMail, and all the VPN services advertised in YouTube videos all arose, in part, due to perceptions of privacy and civil liberty violations by governments and corporations. As these laws attempt to ratchet up the surveillance, what do you think will happen this time? New privacy-preserving technologies not covered by the laws will emerge, naturally–it’s a growing niche market, so the market will provide.
Second, I find myself increasingly torn on these types of laws between feeling like another page is being taken out of 1984 and feeling like laughing at the naivete of some of the politicians and their supporters. Allowing the state to turn on a person’s camera whenever they feel like it definitely has a 1984 element of the state always watching, but to think that only the state will be able to do it is truly amusing. I’ve been using computers long enough to know not to trust software companies to implement something securely the first or even twentieth time. If a camera can be turned on remotely by the French government, it will be turned on by others as well. No secret backdoor can stay secret forever, even if it is theoretically possible, especially when that backdoor opens up a bunch of juicy tidbits of information that criminals and rival governments can use.
Third, and building on my previous point, online platforms can barely police their services and remove nefarious actors. Are we really going to trust these same platforms to implement said backdoors on tight, legally mandated timelines? Does anyone actually think those backdoors won’t have implementation problems or bugs that inadvertently allow unauthorized access? (Spoiler alert: even Apple does not think such mass surveillance can be done securely without exposing user data to unauthorized access and said as much when discussing its reasons for axing a CSAM scanning tool for iCloud.) Does anyone actually think the, no doubt, underpaid contractors that are hired to “review” the formerly encrypted messages won’t snap pictures to send to colleagues in internal group chats or that private messages won’t be used for more advertising and AI training? Does anyone think government will be able to hold onto the metaphorical keys to the castle in light of all the intelligence leaks, hacks, and technological misconfigurations that have plagued the U.S. over the last decade or so? The answers to all of these questions should be a resounding “no” if we are truly trying to combat criminal activity rather than creating more of it.
Ultimately, the Internet has been the digital wild west for several decades now, and trying to use a sledgehammer to fix some of the problems is not going to help. Greater surveillance will drive innovation to evade that surveillance from a population that is, in some ways, growing tired of being in a dystopian novel, and that innovation will outpace legislation. Worse yet, these legislative attempts to control the Internet and surveil populations in the name of security will only serve to surveil innocent people, result in likely disappearances of dissidents in authoritarian countries who are seeking to get news of their plight out to the world, and not really do much to curtail the criminal activity these laws are aimed at. As Bruce Schneier once said of looking for terrorist plots through data mining, “It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier.”
Think about it for a second: if a criminal is already engaging in activity that flouts other laws, what stops them from simply rooting or jailbreaking their mobile device to use a newly developed end-to-end encryption platform that’s not governed by one of the big tech platforms? And when these same politicians eventually bring back their attempts to outlaw encryption entirely (because the FBI actually has to do some work instead of bothering Apple every 2 minutes), why would criminals be concerned about possessing illegal software when they already possess other illegal content? The only people that would be impacted are those who are trying to keep medical documents, tax returns, or other information containing PII safe from unauthorized access. And, of course, every legitimate business on the planet that processes financial, healthcare, legal, or other sensitive information. But let’s collapse the entire digital economy so we can monitor all of our citizens, because that’s a great idea!
Facetiousness aside, as the authors of the CFR article indicate, more sledgehammers will not address criminal usage of encryption and other technologies. Mass surveillance will not address these challenges; it will create security theatre, invade the privacy of innocent people, undermine trust in government, and more. All the while, criminals will continue to evolve and evade at everyone else’s expense. We must not have the digital version of removing shoes and full body scans at airports — those approaches do not keep people safe and neither will more surveillance and civil liberty violations. Moreover, we are in a period of unprecedented democratic backslide, meaning Western societies must be extremely cautious about extending new, unlimited powers to governments that are democratic today but may not remain so in the near future. Further mass surveillance powers to pursue legitimate criminals today could very well be used against racial and ethnic minorities or other marginalized groups if autocratic elements of society make their way into power in upcoming elections.
