It seems that in the aftermath of almost every major catastrophe comes a reaction from government to increase measures to enhance public security. The atrocities of 9/11 resulted in unparalleled security measures ranging from increased airport checking procedures to face recognition devices, and from random searches of Internet content by intelligence officers to the use of wiretaps and the ability to intercept e-mail.
Fast forward almost a decade and a half and the abhorrent Charlie Hebdo shootings have brought about an equally resolute response from UK Prime Minister David Cameron. His vow to deny terrorists any “safe spot to communicate” has, however, met fierce resistance and provoked strong reaction, not only from those within the political arena but also those from within the IT community.
So what is all of the fuss about? What is the Prime Minister proposing that has caused such a strong response? Essentially, David Cameron has announced a plan to revive legislation that would enable the UK government to ban applications that use end-to-end encryption to ensure user security. Depending on the specific wording, the law could then extend to almost any encrypted service that the government finds worth targeting.
The backlash to this proposition is twofold. The IT community views this as a somewhat retrograde step. Given the increased reliance on encryption by a range of online businesses in 2015, technology pioneers such as Phil Zimmermann, creator of the e-mail encryption software PGP and now president of secure communications firm Silent Circle, view the Prime Minister’s plans as somewhat ‘absurd’ and, moreover, unworkable. Secondly, the political arena views the proposition as a thinly veiled attempt to win votes in the upcoming election, with a perceived ‘tough on terrorism’ stance being one that would surely garner support.
In Mr Cameron’s recent speech he stated that there should be no “means of communication” which “we cannot read”. However, in an era where communication takes many forms, just how realistic is this proposition?
Security is critical and companies are using encryption in a serious way. In fact, the industry trend is leaning toward increased encryption rather than the alternative. You only have to look at established brands such as Google and Apple, who are promising to do more to ensure that encryption is used by default on their services. The recently released iPhone 6, for example, is encrypted by default, and the change to Apple’s infrastructure means that Apple itself cannot access the data on consumers’ phones; it would therefore be impossible for it to hand over any data from the iPhone 6’s iMessage service.
This military-style lockdown of devices is quite possibly the very thing that terrifies government, and this could have huge implications for the app industry. ‘New’ apps such as WhatsApp and Snapchat allow people to converse with relative immunity and anonymity by keeping their services encrypted. What David Cameron is proposing would mean having ‘backdoors’, or intentional flaws, built into apps which would allow the government to view suspicious content if it needs to.
The obvious flaw in this plan is that this ‘backdoor’ would no doubt present opportunities for malicious entry. Taking this one step further, if this rule was implemented nationally, how would it work on an international basis? Would those based in the UK be forced to avoid software developed outside of UK jurisdiction? Additionally, would visitors to these shores be forced to have all messages to and from the UK made available for scrutiny?
Should David Cameron get his wish and this legislation be passed and come into effect, wouldn’t the likes of WhatsApp and iMessage then need to make wholesale changes to their services, with the inclusion of ‘backdoors’, to make sure that they comply with the new law? If that were the case, and the organisations behind these services stuck resolutely to their stance on the need for their end-to-end encryption to remain in place, isn’t there the very real possibility that many of these organisations would simply choose to cease offering their services to UK users rather than comply?
The dissolution of end-to-end encryption could also sound the death knell for internet banking. A recent survey by BBA and EY showed that mobile and internet banking is now being used for transactions worth nearly £1billion per day; however, how many would feel comfortable knowing that application security had been compromised to allow a middleman from the government to ‘wiretap’ communications?
I read a fantastic quote which said “Outlawing the use of encryption would be like imposing a ban on envelopes and forcing all correspondence sent via the Royal Mail to be in the form of postcards.” In the modern era, where encryption forms the backbone of online security and allows for the safe transfer of sensitive information, it seems impossible for any law which lessens its effect to be workable.
The privacy versus security debate has raged for generations, and online privacy, security and freedom controversies are now a staple of media headlines. The Charlie Hebdo shootings have rekindled the age-old question of how much freedom, liberty and privacy we should give up in order to be kept safe. However, the IT community seems to be speaking in unison on this topic. Removal of end-to-end encryption would not only be potentially unworkable and somewhat detrimental to the status quo, it would also expose users to a greater threat from the very people the government seems to want to protect them from.