Prime minister wrong on encryption say experts
Prime minister David Cameron's perceived criticism of encryption technologies has prompted a staunch defence from the information security community.
British PM off-key on encryption, say experts
Cameron raised eyebrows earlier this week when, during a conference in the Midlands on 12 January, he suggested that end-to-end encryption was stopping MI5, MI6 and law enforcement from identifying and prosecuting terrorists.
“In our country do we want to allow a means of communication between people which even in extremis, with a signed warrant from the Home Secretary, that we cannot read? My answer to that question is no, we must not,” said Cameron.
Some observers, especially in the media, have taken this to mean that Cameron would like to ban encrypted communications which security services cannot read even if they have a warrant, or introduce backdoors or be given the encryption keys. Such communications currently include the likes of WhatsApp, iMessage, FaceTime and Snapchat.
Cameron's thoughts appear to have been echoed in the European Union, with the interior ministers of 11 EU countries – including UK Home Secretary Theresa May – issuing a joint declaration on Monday, calling for internet service providers (ISPs) to “swiftly report and remove material that aims to incite hatred and terror.” Elsewhere the Belgian Justice Minister Koen Geens has separately said that local investigators should have access to Skype and WhatsApp interactions.
However, other politicians have joined information security experts in defending end-to-end encryption which has – in recent months – also been criticised by the FBI and Metropolitan Police.
Nick Clegg, the deputy prime minister and leader of the Liberal Democrats, said in a Radio 4 interview on Tuesday that allowing the government to record web browsing history and social media conversations of UK citizens is not a “proportionate” response to fighting terrorism.
"The irony appears to be lost on some politicians who say in one breath that they will defend freedom of expression and then in the next advocate a huge encroachment on the freedom of all British citizens,” Clegg added later that day.
The security community was also quick to respond, with ENISA issuing a report – entitled ‘Privacy and Data Protection by Design – from policy to engineering' suggesting that encryption should become further embedded in government policy. It also indicated that privacy technologies not utilising encryption receive little attention.
Meanwhile, veteran security researcher Graham Cluley accused Cameron of living in ‘cloud cuckoo land'. “Of course, if you spend any time thinking about it, you know that's crazy. Cameron is living in cloud cuckoo land,” he said in a blog post.
“Firstly, how would apps be outlawed? What's to stop any Tom, Dick or Harry downloading an app without a government backdoor from a website hosted overseas to run on his PC? What's to stop a terrorist or paedophile downloading the source code of a secure messaging app, and compiling it on their computer?
“The fact is that the only people who would be using the backdoored messaging platform would be the innocent, regular members of the public. Criminals would stay well clear and use alternative systems that guaranteed they didn't have the police and GCHQ breathing down their necks.”
Sean Sullivan, security advisor at F-Secure, said that Cameron's comments were surprising and detrimental not only to an open internet, but also to businesses who may well not be in the position to monitor online activity or to hand over encryption keys – especially if these are held by foreign software developers or even the alleged perpetrator. As an example, Edward Snowden's encryption key was managed by Texas-based Lavabit, before the company was shut down.
“It is an attack on privacy by design…it would affect the VPN services we launched with FreedomVPN. Commercial VPNs for consumers could be under scrutiny by secret services,” said Sullivan.
He continued that compromising encryption protocols would be difficult in an age of open-source software and said that this has left ISPs in a tricky position; keen to maintain user privacy but also facing requests from law enforcement on blocking encrypted traffic.
Politicians, he believes, can't grasp the complexity of encryption.