The UK government’s take on end-to-end encryption shows a lack of understanding of cyberspace and how the technology works
The controversy over encryption in today’s digital products and services has surfaced again. Last year, the biggest battle was between the FBI and Apple; the two were in dispute over the unlocking of an iPhone belonging to a deceased terrorist responsible for several deaths in San Bernardino.
The facts of that case closely resemble recent events in the UK. On Wednesday 22nd March, Khalid Masood carried out a vicious attack on members of the public, as well as killing police officer Keith Palmer, in Westminster, London. Mr Masood was then shot dead at the gates of Parliament by armed police.
Later that evening, Theresa May, the prime minister, made a speech and, the next day, a statement to the House of Commons, condemning the atrocities and emphasising the importance of standing tall in the face of terrorism.
There has been plenty of talk and debate about what happened, and within those debates, the technology companies were, inevitably, in the spotlight. In an interview with Andrew Marr, the Home Secretary, Amber Rudd, said there must be “no place for terrorists to hide” and advocated that intelligence services must have access to encrypted messaging services. The Secretary of State was making particular reference to the messaging service WhatsApp, which uses end-to-end encryption: only the sender and recipient can see and access the messages exchanged between them, and third parties are excluded from access to such information.
It is completely understandable why Amber Rudd has promoted such a stance. So far, the investigation into the events in London has revealed that a message was sent on WhatsApp by Mr Masood before carrying out his attack. Being able to see what was said could go some way towards revealing the mentality of Mr Masood, and may help to prevent future attacks. Thus, being able to intercept and collect these communications, legally with a warrant, as Amber Rudd argued, is needed for intelligence and security agencies to do the necessary work to keep the country safe.
Facing the Realities
However, the Home Secretary, like other MPs who have promoted a similar stance, has in this argument misinterpreted the environment that is cyberspace and how encryption actually works.
What Amber Rudd is asking of these technology companies, including WhatsApp, is essentially some kind of backdoor. The encryption technology used by many companies gives only the sender and the intended recipient of the information being communicated the unique keys needed to encrypt and decrypt the packets of data as they travel across the internet. It thus excludes third parties, whether hackers or governments, from being privy to this information.
Nevertheless, there are some ways in which the government could access such information with the help of the technology companies. One way involves providing a copy of the private keys used by the sender and recipient, allowing the government to become a third-party recipient, of a sort, of the information being sent between two or more people.
The problem with this, however, and indeed most other ways of getting around encryption, is that if hackers were ever to get a hold of these keys, then user data would be in the hands of malicious actors seeking to do harm and cause damage. Governments, like anybody else online, due to the open structure of the internet, are also vulnerable to attacks. The breach of the United States Government Office of Personnel Management in 2015 is just one of the many examples of public authorities being subject to the dangers of cyberspace.
There also needs to be consideration of the market incentive of these technology companies and the technology industry as a whole. Data protection measures are often an important selling point for many technology companies, big or small. When consumers can be assured that their data is being protected they are more likely to provide it. This is especially the case after the Snowden revelations and the rise in reported data breaches at various companies across the world. Plus, if WhatsApp were to be made to provide access to data for the government, it is likely that another company will provide encrypted messaging services, filling the void in the market for consumers. Terrorists and other criminals will likely jump from service to service with ease and the problems here are never resolved.
Furthermore, if WhatsApp provided access to a UK government, what would stop a Russian government, or even a Chinese government, from making similar requests, both of which have poorer human rights records than the UK? The geopolitical consequences, thus, could be severe.
More Talk, More Action
The important notion that Amber Rudd and others seem to have forgotten is that the internet is a largely borderless and unregulated area. In its beginnings, governments and regulators alike failed to anticipate the immense growth and impact of the internet and everything else stemming from it. The internet was built with privacy safeguards and security parameters considered only after the fact. As a result, hardly any effective legislation exists to cope with the array of problems it presents, and old laws, tailored to older technologies, are scarcely applicable today. Even when new laws are passed, the pace of technological innovation and the ever-changing technology industry mean laws can become outdated very quickly.
But that does not mean nothing can be done. Indeed, one welcome remark by the Home Secretary on Sunday was the intention to gather technology companies to try to work through some of the problems in play. In the meantime, encryption, and the issues it presents, will remain until governments and the private sector are able to find some reasonable solution.
Keys under doormats: mandating insecurity by requiring government access to all data and communications, Harold Abelson et al, Journal of Cybersecurity (2015)