The Snooper's Charter is a tricky subject, not least because of its double standards

Brian Chappell looks at why the backdoors of the Snooper's Charter are so repugnant to tech firms and how it can't be reconciled with the government's own directive to businesses to protect people's personal data.

Brian Chappell, director, technical services EMEAI & APAC, BeyondTrust

The concept of someone holding information that's not accessible to the government isn't exactly a new concern. Yet the advent of impossible-to-break ciphers and digital transmission across national networks leads governments to ask a fundamental question: how do we protect the country and the people when we aren't privy to all the messages being sent? Of course, we expect the government to protect its citizens, but this IP Bill allows the government access to any and all of its citizens' online personal data, and it calls for tech firms to create backdoors to facilitate this snooping, which raises many questions about privacy and the perception of UK businesses.

Why would any business hand over its intellectual property?

There is an aspect of this argument where you can claim that anyone not doing anything illegal has nothing to be concerned about, but when you are a company with intellectual property to protect, the idea that there is a backdoor into your encrypted internal communications that any legitimate (or disgruntled) government employee can use would be anathema to you. Your company is doing no more than protecting its most valuable asset.

Is it a double or triple standard now?

The logic is even more convoluted when governments are pursuing companies for not properly protecting the personal information of the citizens they deal with on one hand and on the other are asking tech firms to provide mechanisms to circumvent that same protection when it suits them. And with the only amendment to the bill so far being one to protect politicians from being spied on, it really is only when it suits them, which doesn't seem entirely fair or just.

In no way do I condone the protection of those groups who use encryption to make secret their intent to do harm. At the same time, governments can't demand encryption and secure transmission while requiring mechanisms to bypass it.

I'm sure governments would baulk at the idea that other governments can demand backdoor access into their communications, whatever the reason. However, that's just a logical extension of the premise. All in all, it's the double, or even triple, standard that leaves me deeply troubled by the underlying notion that government transmissions must remain secret but everyone else is fair game.

Encryption: it's an all or nothing thing

Encryption needs to be 100 percent secure, otherwise there is no point in using it. Once a backdoor is available to legitimate authorities, it will become available to illegitimate groups and the encryption will be rendered useless. This chain of events is almost certain, as even the most highly secure technologies and organisations can be breached, as evidenced by the Snowden revelations and WikiLeaks disclosures.

Will it hurt British business?

By forcing UK tech companies to create these backdoors, it calls into question whether all technology coming out of the UK will, by default, be a tool of surveillance on the very businesses or people buying that technology. At this stage, it becomes difficult for UK tech firms not to be treated as pariahs on the global scene. And that in turn begs the question of whether tech firms would choose to leave these shores and set up shop in a country without aspirations of creating a Big Brother style surveillance state.

The reality

Governments can't have their cake and eat it. There need to be clearly defined boundaries that governments have to respect. And yes, it'll be harder for governments to track criminals and other maleficent elements, but cracking communications isn't the only mechanism open to them.

I'm not saying that, where they can, companies should not assist law enforcement agencies. That's helping to protect their customers as well as the populace in general. But demanding deliberate weaknesses or backdoors in security mechanisms, in the belief that they're containable, is simply naïve and makes a mockery of the very privacy standards they demand we deploy to protect people's personal information.

Contributed by Brian Chappell, director, technical services EMEAI & APAC, BeyondTrust