UK home secretary Amber Rudd faced a barrage of criticism after she warned social media and companies - ahead of attending the inaugural Global Internet Forum to Counter Terrorism in San Francisco - that the Government may introduce laws to clamp down on extremist content if companies do not take action themselves.
She drew particular criticism from civil rights groups and the tech industry for her comment, reported in the Telegraph, that "real people" don't need end-to-end encryption and that messaging apps like WhatsApp should ditch it and do more to help the authorities deal with security threats. This 'help' is understood to mean backdoors for the authorities – as well as not allowing suspected terrorists access to their services.
If the tech companies chose to cooperate with government authorities around the world, they would undermine their own services. This could be done without breaking encryption, for example by clandestinely putting new sign-ups who appear on government blacklists on a different service. But of course, for some governments, organising a protest is terrorist activity, so legitimate rights organisations could and would be denied secure communications.
During her US visit it is understood Rudd will be calling on Google, Facebook, Twitter, Microsoft, WhatsApp and Apple with the same message.
Amber Rudd is wrong, real people do want encryption, countered Alan Duric, CEO and co-founder of Wire, commenting in an email to SC: “Real people and businesses not only want the high level of security offered by E2EE, they need it, and are demanding it, and these demands will only increase as technology advances.”
He went on to outline encryption's benefits as far-reaching and essential in a world where most of our business and personal communications happen online. “In addition,” he says, “the volume of digital threats is increasing; Google saw a 32 per cent increase in the number of website hacks in 2016. Such breaches have enormous ramifications for both businesses and consumers, with investors losing £42 billion from hacking attacks on UK businesses since 2013.” And it is this which he says has fuelled a surge in demand from businesses for end-to-end encryption (E2EE).
In addition, Duric notes that end-to-end encryption will be a vital tool for companies next year when the new General Data Protection Regulation (GDPR) comes into force in May 2018: “This will require companies to enforce greater levels of protection on their customer data, and securing communications channels is a vital part of this process.”
Rafael Laguna, CEO at Open Xchange, also argues that the benefits take priority, saying, “We do not believe that encryption should be considered a safe space for terrorists. Rather we should emphasise the vitally important role encryption plays in securing critical national information. This reality is well known but easily crowded out by scare-mongering rhetoric. No matter how much 'tough talk' there is, the inconvenient truth is that encryption makes us all safer.
“UK politicians show a worrying lack of foresight in their bid to rush through legislation that clearly lacks a balance between privacy and security. Failure to protect users' privacy rights will result in lost revenue for digital service providers as consumers look elsewhere in the global marketplace for services that protect their data.”
Lee Munson, security researcher at Comparitech.com, concurs: “If normal people do not need end to end encryption, I'd love the Home Secretary to explain who such people are.
“From family conversations to the exchange of authentication information, lovers' secret words to each other to family photos, everyone should expect and demand privacy when communicating online.
“For businesses, the need for secure communication is even more important, given the amount of sensitive information almost every organisation has under its control.”
Simon Migliano, head of research at Top10VPN.com, emailed SC to join a chorus of those questioning whether the intended outcome could be achieved, saying, “Amber Rudd and Theresa May's stubborn belief that you can somehow introduce "backdoors" into encrypted services and still remain secure defies belief. The lack of understanding about encryption is not just embarrassing, it's dangerous.
“Once an exploit exists, it's only a matter of time until it leaks, as we have seen to our cost. Does Amber Rudd want to give criminal hackers yet more ways to cause mayhem?
“These actions could not only give criminals easier access, but will also be a grave risk to the economy. End-to-end encryption is part of our daily lives, we use it to secure our banking, online shopping and sensitive business activities. Bringing in back door encryption undermines security in these areas.”
Migliano agreed, observing, “Worse, and what has privacy advocates tearing their hair out, is that it wouldn't even stop terrorism. It will just encourage them to use other methods and communicate through alternative channels to go undetected. There's no reason today's would-be terrorists couldn't build their own custom app to communicate in secret.”
Munson also supported this view, saying, “As for terrorists, the banning of encryption in popular apps is immaterial - new apps, outside of British jurisdiction, will enter the market to fulfil that need in the blink of an eye.”
He asks, “So come on Amber Rudd, stop and think and tell us how such a policy can be enforced and who wins and who loses from it. And, while you are at it, please tell the British people who the special people are who DO need end to end encryption."
Mark James, security specialist at ESET, is less trenchant, but still concurs, saying, “When it comes to terrorism whatever we can do to stop or limit it has to be the right thing - providing of course that what we do is going to stop or hinder it. Is asking messaging apps to stop end-to-end encryption going to stop terrorists using it? Honestly no. There will always be something to use or some means to send information that others can't read; for the average public person encryption may not be needed but for some it's a necessity; their circumstances may require the ability to send messages from one source to another without the concern of it being compromised either for security or safety reasons.
“The bad people we have to deal with in our lives will use whatever they can to do what they think is right - buying guns and explosives without the proper reasons is banned or illegal, does that stop them? Agreed they can't pop down to the local convenience store, but that does not stop them from acquiring them if they need to.”
Andrew Clarke, EMEA Director at One Identity, takes a different tack, pointing out that even with encryption, tools such as WhatsApp can aid governments to determine who is talking to whom. “...despite the actual message being encrypted, the metadata is not, meaning information about sender/receiver is available. Removing encryption from WhatsApp means people would just move to another tool that did encrypt and maybe did not share metadata.
“The impact is that the government would have access to less information than it does now. The best outcome of this discussion would be to encourage providers of messaging services to collaborate such that any suspect users or content can be identified across the platforms to limit their overall impact. By putting identity management at the core of the argument, we can provide a much more controllable environment."
James also points out a potential threat to revenues, saying, “One thing is for sure - companies that provide social media applications or services require only one thing – “Socials”. The more people that use a platform the more likely it is to succeed. You might have the best messenger application in the world that is incredibly user-friendly and a cheap way of staying in touch with friends and family, but if none of your friends and family are using it then it's just an unused icon on your smart phone or desktop.”
So do the public even care? Not according to a poll by Cable.co.uk, where two thirds of those polled said that intercepting communication between terrorists was more valuable than privacy, and more than half said they would feel safer if WhatsApp and other messaging services were unencrypted.
Brian Lord OBE, managing director of risk management firm Protection Group International and former GCHQ Deputy Director for Intelligence and Cyber Operations, is one of the few commentators contacting SC who appeared sympathetic to the government, commenting,
“Terrorist attacks and criminal activity can never be stopped completely, but making it harder to commit such acts is the responsibility of everyone: state, industry and public alike.”
He adds, “The privacy versus security debate raging around WhatsApp's encryption, and the policies and practices of other tech companies, is simply a contemporary iteration.”
Lord also observes that, “Consumers' voracious appetite for new technology growth, and the diluting nature the Internet has on international borders (for good and bad), means the solution cannot be a purely technical one. The challenge is major re-calibration: socially, politically and commercially (and ultimately legally) to what 21st Century “digital normality” looks like.”
He also notes that different countries will have very different “national security” criteria and that some will “certainly be wholly unpalatable and unacceptable to standards imposed elsewhere in the world.” Yet he describes it as “not a sustainable position” for a global telecommunications provider/enabler to ignore all the security implications of their products and services, and that they cannot “seek institutional policies and agnostic infrastructure that simply abrogates them from managing these 21st Century dilemmas.”
Lord says that it is the organisations' behaviours, not the technology, that obstruct safe exploitation of available technology, and calls on governments and the private sector to work together to strike a balance which likely “won't be quite what the Home Secretary or global tech giants want. It will be somewhere between the two, in a way that actually reflects the modern society we're living in.” Unfortunately, a balance achieved in a Western democracy may be more palatable than, say, one 'imposed' in China or Russia, where VPNs are currently being banned.
For Laguna the solution is legal, suggesting, “The UK needs a new data protection law, one that works in our new data age. This will ensure the very best standards for the safe, flexible and dynamic use of data and make the UK a global leader in the ethical and effective regulation of data.”