In another front in the debate between technologists and law enforcement over the spread of encryption, French lawmakers this week will consider a law to force companies to decrypt customers' communications if presented with a warrant.
It’s just one of several measures introduced to the French legislature in the response to the brutal Islamic State terrorist attack on Paris last November that left 130 people dead and dozens more wounded. And now, the deadly Brussels airport bombings last week are adding new fuel to the political firestorm over encryption.
"Those who strike us use the Dark Net and exchange encrypted messages to access weapons they acquire to hit us,” French Interior Minister Bernard Cazeneuve said at a press conference last week.
While there's no evidence that the Brussels bombers plotted the recent attacks using private chat apps or other secure communication tools, the encryption issue has become indelibly linked to the broader debate in Europe, the US, and South America over how to balance individual liberties with matters of national security and law enforcement.
In the Apple v. FBI case over the San Bernardino, Calif., shooter's iPhone, for instance, US officials claimed it needed Apple's help unlocking the phone to determine if it contained additional evidence or ties to coconspirators. In Brazil earlier this month, a judge jailed a Facebook executive because the company didn't hand over WhatsApp data on suspects in a drug case. And in Britain, lawmakers are considering a bill that would force companies to create special access to data for law enforcement agencies.
But while many national security hawks want technologists to poke holes in encryption systems to enable greater government surveillance, the tech community, civil liberties advocates, and many rights groups are pushing back hard. They say that any efforts to create a workarounds for encryption – or so called backdoors – would only harm digital security for all consumers, putting them at greater risk from malicious hackers and hostile governments.
"If this position that the FBI is holding prevails, if you can force companies to decrypt communications, it's going to have global implications," said Javier Pallero, a Latin American policy analyst at the advocacy group Access Now. "It's going to break the Internet."
That argument, however, has not stopped governments in Europe nor the White House from advocating for the development of some mechanism that could give law enforcement access to encrypted data if officials obtain a warrant.
In France, the amendment that lawmakers will debate is part of the omnibus Digital Republic bill that passed the lower house of France’s parliament earlier this year.
"Manufacturers of IT equipment — phones, tablets, computers — are gradually moving toward individual encryption of devices out of a desire to protect their users' personal data," the amendment reads. "This move is virtuous for protecting personal data. However, it has a downside when faced with the need for the protection and security of the state."
As it’s currently written, the amendment doesn’t contain any provisions for cases where it’s technically impossible to decrypt data — as is the case with many encrypted messaging services such as WhatsApp. Companies that fail to comply could face up to five years in prison and a roughly $400,000 fine, according to Estelle Masse, a policy analyst at Access Now.
"There is a general lack of understanding from French parliamentarians regarding the functioning of encryption," said Ms. Masse. "Many make the wrongful assumption that every company has some sort of 'magic key' or 'magic software' to bypass encryption without undermining it."
If passed, it's unclear how French courts will interpret the amendment, according to Philippe Aigrain, a French security expert and cofounder of the advocacy group La Quadrature du Net. He worries it will scare companies operating in France off of providing strong encryption altogether.
"One can imagine that the fear of possible incriminations would be a powerful factor for some players at least to include backdoors or provide themselves weak security services of which they possess (and would reveal) master keys," Mr. Aigrain said.
In December, French authorities told the Washington Post that the terrorists behind the Paris attack used WhatsApp to plan their assault. But investigators have been unable to find any of the attackers' electronic communications, leading them to believe the attackers used encryption, according to a recent report in the New York Times.
Still, critics say that absence of evidence is not necessarily evidence of encryption. Authorities know the Paris attackers used unencrypted burner phones and borrowed phones from their hostages, the Times reported.
“It is remarkable that at every new bombing or attack, there are claims that the authors used encryption even when all evidence is contrary, such as was the case in the Nov. 13 attacks in Paris, where the terrorists exchanged unencrypted [texts],” said Philippe Aigrain, a French security expert and cofounder of the advocacy group La Quadrature du Net.
For example, at a campaign event at Stanford University last Wednesday, one day after the attacks in Brussels, Democratic presidential candidate Hillary Clinton repeated her call for greater cooperation from Silicon Valley and proposed a national commission on encryption, according to the LA Times.
"Impenetrable encryption provides significant cybersecurity advantages, but it may also make it harder for law enforcement," Ms. Clinton said. "ISIS knows this."
The French Senate’s scheduled to vote on the new encryption regulations on April 5 – the same day government lawyers will file a status report in the FBI’s case against Apple. No matter how these skirmishes end, one thing’s certain: The crypto war is far from over. That has Pallero of Access Now worried.
"We in Latin America have a saying: You can't have bread and cake at the same time," he said. "It's security everywhere or security nowhere. There's no middle ground."