Governments, criminals and personal privacy - the question of encryption
Two recent events have highlighted the issue of whether service providers should be forced to find a way to give government agencies access to encrypted, private communications says Richard Anstey.
Richard Anstey, CTO EMEA, Intralinks
The UK Home Secretary published a revised draft of the Investigatory Powers Bill, or “Snoopers' Charter”, which included particular focus on encryption. At the same time, Apple's CEO Tim Cook publicly challenged a US court order to unlock an encrypted iPhone linked to the San Bernardino terrorist attacks - which they subsequently did - with some help from an Israeli company.
Addressing these issues, however, is far from straightforward, given the way many of the world's most popular communication platforms employ encryption. For example, Apple's own iMessage uses end-to-end encryption, in which both the sender and receiver hold their own public and private keys. Anything encrypted using a public key can only be decrypted by the respective private key so the messages can only be decrypted by the parties involved in that particular conversation.
The iMessage service provider, in this case Apple, merely facilitates the conversation, operating with “zero knowledge” of the private user keys or what is being communicated. There's no way for the facilitator to simply decrypt the message and hand over its contents. For law enforcement agencies to gain privileged access would require the service provider to weaken the encryption or change the way the keys are stored or exchanged, effectively creating a backdoor.
In the internet we trust
Encryption lies at the heart of practically every collaboration, connection and communication platform in use today. It enables us, as consumers, to shop online or pay our monthly bills at the click of a button, assured in the knowledge that our personal details are safe. Businesses are able to work across enterprise boundaries in the cloud, securely sharing commercially sensitive documents.
If UK-based service providers were forced to weaken encryption to enable greater surveillance of internet users, however, it would lead to the security of several communication platforms being compromised. The private data of countless individuals and businesses would be left more vulnerable, and the trust we put into the internet could suffer.
These implications appear to have been overlooked in the proposals outlined in the Snoopers' Charter, which moves to force providers covered by the legislation to take ‘practical' steps to provide a bypass mechanism to their encryption schemes.
Unable to continue providing their customers with the level of privacy and security they expect, service providers may withdraw from the UK to jurisdictions outside the scope of the bill, to the detriment of the British technology sector and the wider economy. Indeed, a potential exodus of technology companies providing vital internet services could cause significant disruption to those British businesses and individuals that rely on their products.
Looking beyond just service providers, it's also worth considering that any business and individuals who may not want to be subject to new rules around encryption can simply switch to services run from countries elsewhere that might strike a different balance between individual privacy and government control.
It's clear, therefore, that weakening encryption won't make criminal communications any more readable. In fact, those with something to hide can simply move to any one of a number of alternative services available to them from jurisdictions unaffected by UK legislation.
For freedom and security
In the current environment, where protection of privacy is of prime concern, businesses need to implement solutions that will ensure the confidential data they control remains secure across all the countries and jurisdictional boundaries in which they need to operate.
State-of-the-art Information Rights Management solutions can enable content to effectively protect itself – to travel with its own encrypted shell that can phone home and check the credentials of whoever tries to read it. As companies and individuals become more aware of the need to protect their information, there has been a rise in requests for businesses to control their own encryption keys even for content and applications hosted with a SaaS provider in the cloud (a model known as “Customer Managed Keys”).
The revised Snoopers' Charter and the Apple case have highlighted the issues surrounding encryption, and what's clear is that more security, not less, is needed to protect the future growth of the internet and the industries that rely on it.
The way forward requires collaboration between governments, global technology companies, and the wider business community. Decisions made now will have profound consequences, and care must be taken not to erode the trust in services provided within our domestic markets and not drive them abroad. More importantly, any new legislation must be sure to strike a balance between freedom and security.
Contributed by Richard Anstey, CTO EMEA, Intralinks