The impossible war on encryption
“Britain is not a state that is trying to search through everybody’s emails and invade their privacy,” according to Prime Minister David Cameron. “We just want to ensure that terrorists do not have a safe space in which to communicate.”
**Note this means the UK wants a backdoor to encryption – Highly dangerous!
Later this year the government intends to introduce legislation that will ensure that any form of communication, whether it’s an email, text message, or video chat, can always be read by the police or intelligence services if they have a warrant.
**Snoopers charter is back on the agenda…
Few would disagree with the idea that criminals shouldn’t be allowed to plot in secret. But in reality there are huge technical, legal, and moral problems with what the British government wants to do, setting it on a collision course with both the tech industry and privacy campaigners.
“We have always been able, on the authority of the Home Secretary, to sign a warrant and intercept a phone call, a mobile phone call or other media communications, but the question we must ask ourselves is whether, as technology develops, we are content to leave a safe space — a new means of communication — for terrorists to communicate with each other. My answer is no, we should not be,” the Prime Minister told Parliament recently.
**RIPA allows the police to write themselves a warrant – that is NOT the rule of law, or judicial oversight.
While it might seem straightforward, there’s every chance the government will not succeed in delivering such a plan.
Over the last two years, documents revealed by NSA-contractor-turned-whistleblower Edward Snowden have catalogued the scale of NSA and GCHQ snooping on our use of the internet. One small example: the intelligence agencies intercepted millions of webcam images, including sexually explicit ones, regardless of whether the people involved were intelligence targets.
In response, furious tech companies began to encrypt traffic – that is, scrambling it to make it impossible to be snooped on – as it travelled over the internet between their servers and their customers.*YAY!!
Such a use of encryption didn’t really present a huge problem for spies and police, because companies still have to decrypt the data when it reaches their own servers. They do this in order to sift through their customers’ emails and web browsing habits themselves, if only to hit them with more targeted advertising (which is why when you write an email about getting married you might start to see adverts for wedding venues). In this case, all the police have to do is apply for a warrant and they can get access to the messages they want.
But some tech companies – like Apple and the hugely popular WhatsApp messaging service – have gone further by using end-to-end encryption. It’s a subtle but vital difference, because it means the company itself never sees the message or has any way of decrypting it. There is never a readable version of the messages on a server somewhere; if police or intelligence agencies demand access, there is simply nothing for the company to hand over.
While this sort of security used to be rare, it’s now becoming commonplace, used for billions of messages sent using such services. As a result, intelligence chiefs are complaining that important sources of information are ‘going dark’, making it harder to track criminals and terrorists. As a result, the UK government is talking about new legislation to be introduced in the autumn.
There are plenty of reasons why the legislation designed to give it access to any message it wants won’t work.
It’s deeply unclear how the government will deal with encryption. In the most draconian scenario, the government could ban the use of encryption completely. Encryption underpins everything we do on the internet, so such a ban would, for example, let criminals read your credit card details as you shop online and leave your digitised medical records open to all.
The UK would immediately become the least secure place to do business in the world, and a target for every hacker on the planet. Consequently, a full-on encryption ban is unlikely.
Perhaps the UK government could force tech companies to stop using end-to-end encryption?
That might work for a UK-based service, but for international tech companies, the country is just one modest market among many. Many would either ignore the demand or pull out of the UK completely. Even if the UK government managed to force the big players to conform, there would still be plenty of smaller players who would cheerfully and loudly refuse. In any case, the code for encrypted messaging is freely available online and has been for decades: blocking access to it would be impossible. And there are even more complicated technologies, like steganography, that criminals can resort to if encryption is hampered.
Equally, there would be little to stop someone buying a smartphone abroad with strong encryption switched on. Would HM Customs be required to impound the smartphones of tourists to check if they had it enabled?
All of this likely means any legislation dealing with encrypted messages will struggle to be effective. But there are more troubling questions than the tactical issues of enforcement.
In this demand, the UK is out of step with its partners: Germany has a much different experience of the dangers of state surveillance and as a result positively encourages the use of encryption to protect personal information, even if it does make it harder to catch criminals. The US – where many tech companies are based – has not banned the use of encryption either and is unlikely to do so.
The countries that do place controls on encryption are uncomfortable bedfellows for a democracy. And if tech companies agreed to UK government demands, then other countries – Russia, or China perhaps – will feel emboldened and justified in asking for the same, making dissent even harder.
The way the UK government is behaving, Russia and China will seem like bastions of Democracy.