Prime minister wrong on encryption say experts

News by Doug Drinkwater

Prime minister David Cameron's perceived criticism of encryption technologies has prompted a staunch defence from the information security community.

Cameron raised eyebrows earlier this week when, during a conference in the Midlands on 12 January, he suggested that end-to-end encryption was stopping MI5, MI6 and law enforcement from identifying and prosecuting terrorists.

“In our country do we want to allow a means of communication between people which even in extremis, with a signed warrant from the Home Secretary, that we cannot read?  My answer to that question is no, we must not,” said Cameron.

Some observers, especially in the media, have taken this to mean that Cameron would like to ban encrypted communications which security services cannot read even if they have a warrant, or introduce backdoors or be given the encryption keys. Such communications currently include the likes of WhatsApp, iMessage, FaceTime and Snapchat.
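The distinction the previous paragraph turns on is structural, not political: under end-to-end encryption the service provider relays ciphertext it has no key for, so a warrant served on it yields nothing, whereas "being given the encryption keys" means every message carries a copy of its key sealed to an escrow agent, and whoever holds that agent's private key reads everything. The following Go program (an example added for this page, not code from the article, from any vendor quoted in it, or from any real messaging app) models both cases with the standard library only: X25519 key agreement, HMAC-SHA256 as a one-step key derivation, and AES-256-GCM. The users alice, bob and agent, the sample message and the "e2e-demo/…" labels are constructed, and the escrow wrapping is an illustrative model of key hand-over rather than any scheme actually proposed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Envelope is everything the relaying service ever sees or stores.
type Envelope struct {
	Nonce, Ciphertext     []byte // AES-256-GCM over the message, tag appended
	WrapNonce, WrappedKey []byte // message key sealed to the escrow agent; nil under real E2E
}

// User is a messaging client holding a long-term X25519 key pair (constructed demo identity).
type User struct{ priv *ecdh.PrivateKey }

func NewUser() *User { return &User{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (u *User) Pub() *ecdh.PublicKey { return u.priv.PublicKey() }

// sharedKey turns X25519(u, peer) into a 32-byte AES key via HMAC-SHA256 under
// a context label (a one-step stand-in for HKDF; adequate for a demonstration).
func (u *User) sharedKey(peer *ecdh.PublicKey, label string) []byte {
	m := hmac.New(sha256.New, []byte(label))
	m.Write(must(u.priv.ECDH(peer)))
	return m.Sum(nil)
}

func seal(key, pt []byte) (nonce, ct []byte) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce = make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return nonce, g.Seal(nil, nonce, pt, nil)
}

func open(key, nonce, ct []byte) ([]byte, error) {
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, nonce, ct, nil)
}

// Send is the end-to-end case: only a holder of the sender's or recipient's private
// key can recompute the message key, so the relay stores ciphertext it cannot open.
func (u *User) Send(to *ecdh.PublicKey, msg string) *Envelope {
	n, ct := seal(u.sharedKey(to, "e2e-demo/message"), []byte(msg))
	return &Envelope{Nonce: n, Ciphertext: ct}
}

// SendEscrowed is the "backdoor" case: the same message key is additionally
// sealed to the escrow agent's public key and shipped alongside the message.
func (u *User) SendEscrowed(to, escrow *ecdh.PublicKey, msg string) *Envelope {
	mk := u.sharedKey(to, "e2e-demo/message")
	n, ct := seal(mk, []byte(msg))
	wn, wk := seal(u.sharedKey(escrow, "e2e-demo/escrow"), mk)
	return &Envelope{Nonce: n, Ciphertext: ct, WrapNonce: wn, WrappedKey: wk}
}

func (u *User) Receive(from *ecdh.PublicKey, e *Envelope) (string, error) {
	pt, err := open(u.sharedKey(from, "e2e-demo/message"), e.Nonce, e.Ciphertext)
	return string(pt), err
}

// OpenEscrowed is what the escrow agent, or anyone holding its private key,
// does when served with a warrant: unwrap the message key, then read.
func (u *User) OpenEscrowed(sender *ecdh.PublicKey, e *Envelope) (string, error) {
	if e.WrappedKey == nil {
		return "", errors.New("no escrow copy: the relay holds ciphertext only")
	}
	mk, err := open(u.sharedKey(sender, "e2e-demo/escrow"), e.WrapNonce, e.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := open(mk, e.Nonce, e.Ciphertext)
	return string(pt), err
}

func main() {
	alice, bob, agent := NewUser(), NewUser(), NewUser()
	e2e := alice.Send(bob.Pub(), "meet at noon") // constructed sample message
	got, _ := bob.Receive(alice.Pub(), e2e)
	_, err := agent.OpenEscrowed(alice.Pub(), e2e)
	fmt.Printf("E2E: bob reads %q; warrant served on relay: %v\n", got, err)

	esc := alice.SendEscrowed(bob.Pub(), agent.Pub(), "meet at noon")
	got, _ = agent.OpenEscrowed(alice.Pub(), esc)
	thief := &User{priv: agent.priv} // the agent's key, copied out of a breached key store
	stolen, _ := thief.OpenEscrowed(alice.Pub(), esc)
	fmt.Printf("Escrowed: agent reads %q; anyone holding the agent's key reads %q\n", got, stolen)
}
```

The second half of main is the point the experts below keep returning to: the escrow key is not a per-warrant capability but a standing one, and a copy of it (whether stolen, subpoenaed by another state, or misused by an insider) decrypts every escrowed message ever relayed, while anyone who simply uses Send instead is unaffected.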

Cameron's thoughts appear to have been echoed in the European Union, with the interior ministers of 11 EU countries – including UK Home Secretary Theresa May – issuing a joint declaration on Monday, calling for internet service providers (ISPs) to “swiftly report and remove material that aims to incite hatred and terror.” Elsewhere the Belgian Justice Minister Koen Geens has separately said that local investigators should have access to Skype and WhatsApp interactions.

However, other politicians have joined information security experts in defending end-to-end encryption, which has also been criticised in recent months by the FBI and the Metropolitan Police.

Nick Clegg, the deputy prime minister and leader of the Liberal Democrats, said in a Radio 4 interview on Tuesday that allowing the government to record web browsing history and social media conversations of UK citizens is not a “proportionate” response to fighting terrorism.

"The irony appears to be lost on some politicians who say in one breath that they will defend freedom of expression and then in the next advocate a huge encroachment on the freedom of all British citizens,” Clegg added later that day.

The security community was also quick to respond, with ENISA issuing a report, entitled ‘Privacy and Data Protection by Design – from policy to engineering’, suggesting that encryption should become further embedded in government policy. It also indicated that privacy technologies not utilising encryption receive little attention.

Meanwhile, veteran security researcher Graham Cluley accused Cameron of living in ‘cloud cuckoo land’. “Of course, if you spend any time thinking about it, you know that's crazy. Cameron is living in cloud cuckoo land,” he said in a blog post.

“Firstly, how would apps be outlawed? What's to stop any Tom, Dick or Harry downloading an app without a government backdoor from a website hosted overseas to run on his PC? What's to stop a terrorist or paedophile downloading the source code of a secure messaging app, and compiling it on their computer?

“The fact is that the only people who would be using the backdoored messaging platform would be the innocent, regular members of the public. Criminals would stay well clear and use alternative systems that guaranteed they didn't have the police and GCHQ breathing down their necks.”

Sean Sullivan, security advisor at F-Secure, said that Cameron's comments were surprising and detrimental not only to an open internet, but also to businesses who may well not be in a position to monitor online activity or to hand over encryption keys, especially if those keys are held by foreign software developers or even by the alleged perpetrator. As an example, Edward Snowden used the Texas-based email provider Lavabit, which shut down rather than hand the US government the private TLS key that would have exposed every customer's traffic.

“It is an attack on privacy by design…it would affect the VPN services we launched with Freedome VPN. Commercial VPNs for consumers could be under scrutiny by secret services,” said Sullivan.

He continued that compromising encryption protocols would be difficult in an age of open-source software, and said that this has left ISPs in a tricky position: keen to maintain user privacy, but also facing requests from law enforcement to block encrypted traffic.

Politicians, he believes, can't grasp the complexity of encryption.

“If law enforcement ask Facebook to give details of an account, they can facilitate that, but there's tons of other technology where that's just not practical,” he said. “A lot of technology is open source…and it can be extremely messy to regulate."

Sullivan added that an “arms race” is now on between states and those often scrutinised (dissidents, journalists and criminals) over encryption and, pointing to recent terror attacks in Paris, Boston and London where the terrorists were already known to authorities, doubts whether extra surveillance will help anyway.

“The internet is designed to be an open and trusted space where people can share information. It's a double-edged sword [with encryption] but it works in the benefit of humanity. We shouldn't give up on it because a fraction of a fraction of a fraction of people want to do people harm.”

Bob West, chief trust officer at CipherCloud, added in an email to SC that any attack against encryption would impact free speech and commerce.

“In the wake of the incomprehensible bloodshed at Charlie Hebdo, it's understandable to see government and law enforcement push for stronger monitoring capabilities. However, banning encryption is extreme and is a knee-jerk reaction. The broad application punishes everyday citizens along with those with ill intentions.  

"In addition to curtailing free speech, the very thing the terrorists want to achieve, restricting encryption and weakening the technology by using backdoors for government agency access, is a torpedo strike against trust and undoes decades of cyber-security advancements. In this age of government surveillance and epic security breaches, businesses and consumers have a legitimate need for security technologies that protect information and enable privacy.  As a free society, we need to balance the right to privacy along with national security.”

Bill Buchanan, head of the centre for distributed computing, networks and security at Edinburgh Napier University, said on The Conversation: “It's just impossible to ban. There is no way to define a law which constrains the use of encryption. Would it be only when used in certain applications (such as email), or by disallowing certain methods (such as the encryption program PGP)? Would using a Caesar code, a cipher nearly 2,000 years old, be illegal?

“Such a move would make the UK – or any country that followed suit – unsafe in which to do business. Free countries wouldn't consider switching off encryption due to the insecurity it introduces for both consumers and businesses.”

Cameron Burke, senior vice president at Cirius Messaging Inc agreed, in an email to SC, that the ramifications could be disastrous for businesses and consumers alike saying:

  • "This policy would put the UK out of touch with EU Data Privacy regulation that is leaning towards providing citizens with greater protection and control over their own information.
  • Implementing mandatory "back door" access to security technology inherently dilutes the value of these platforms and consumers and employees may turn to unregulated third-party apps that provide protection.
  • There is a risk that banking and financial services organisations, a key part of ?the UK's economy and major employer, will move their operations overseas due to lack of access to strong, off-the-shelf encryption technology." 

Burke adds, “At the end of the day, this is a pointless exercise as those parties who are the targets of government surveillance, such as terrorist cells and criminal organisations, would have no qualms about using ‘illegal’ encryption solutions.”

Cameron's comments come at a time when software developers and technology firms are being actively encouraged to support encryption. Google has made HTTPS mandatory for Gmail, released an alpha of its End-to-End OpenPGP browser extension, and started ranking HTTPS websites higher than HTTP-only ones. Up-and-coming messaging apps like Telegram and WhatsApp have also sought to encrypt communication, with the latter recently adopting Open Whisper Systems' TextSecure protocol for its Android application. And it would seem no thought has been given to how payments and banking would work without encryption.
