UK prime minister David Cameron recently did something he may come to regret if he manages to cling on to power past May. He called for communications providers to ensure that, if requested by a court of law, they can provide law enforcers with access to the content of encrypted comms. He'll come to regret it because it's an unworkable, ineffective and disingenuous plan which will cause tremendous damage to the UK's burgeoning IT industry and corporate security.
Let's go back to what Cameron said in his infamous speech following the Charlie Hebdo terror attacks in Paris: “In extremis, it has been possible to read someone's letter, to listen to someone's call, to mobile communications … The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not. The first duty of any government is to keep our country and our people safe.”
Not a chance
What this means, in effect, is services like iMessage, WhatsApp and others would either be banned in the UK, or their providers forced to include some kind of backdoor for security services in this country to access the content of specific senders' messages if requested by a court order. What do you think the chances of enforcing a full ban on some of the most popular and pervasive communications platforms in the UK are? And how about persuading the technology giants behind them to alter their technical underpinnings for just one market? I'll tell you the answer: precisely zero.
But Cameron's plans are not just unworkable, they're not even an effective way of stopping the terrorists. If the unbelievable happened and for some reason there was a ban on such services, anyone who wanted to would be able to download them from another country, via a VPN if necessary. To put that in perspective, not even China, with its vast censorship apparatus, prevents the wholesale use of VPNs to access foreign sites.
Let's be clear, too: these plans, as they've been laid out, would also fail to stop most terror attacks because secret service agents would have to wait for a court order before they begin monitoring a suspect. It's unlikely, for example, that a fast-moving incident such as the Paris shootings could have been stopped in time. But this is why I think the plans are also disingenuous, because what is more likely is that with that backdoor access to such platforms, the authorities would do as they've shown themselves capable of before – mass and indiscriminate surveillance of the populace.
Farewell UK PLC?
It's not just the erosion of civil liberties we have to worry about, though. If you give the secret services backdoor access to encrypted comms, you're sending a hugely provocative message out to the cyber-underworld. It will surely not be long before the bad guys also manage to crack that backdoor, putting at risk corporate data everywhere. Innovation will slow and/or move offshore if firms don't believe they can keep their data secure in the UK. Then there's the prospect of yet more onerous legislation governing what corporates must disclose, to whom and when: another potentially business-unfriendly step which could be the last straw for many firms.
That's not to mention the damage that these plans would inflict on companies in the UK producing encrypted products and services. Is the government about to wipe out all the good work it's done building up Tech City and other start-up projects by pulling the rug out from under them? And as for the country's proud tradition of information security research and development – well, that could also take a tumble as the repercussions of the proposed laws sink in.
So do you want to take Britain back to the Dark Ages, Mr Cameron? Or can you accept that encrypted communications help businesses protect sensitive IP, reassure shareholders and regulators, and foster innovation? And that it's down to the security services to find a way to tackle the growing terror threat without infringing our civil liberties and harming UK PLC?
Contributed by Raimund Genes, CTO, Trend Micro