Tech

Weaken Encryption in Any Way and it Will Be a Great Victory for All Terrorists

Playing a key role. Credit: Arno Hoyer/Flickr, CC BY 2.0

Playing a key role. Credit: Arno Hoyer/Flickr, CC BY 2.0

David Cameron is continuing with his quest to ensure that UK security services can read any message online. And he has been quite clear on this. At the beginning of 2015, he rejected the idea that we should “allow a means of communication between people which we cannot read”.

The latest push for more powers came yesterday morning from Andrew Parker, the MI5 director general, who gave a Radio 4 interview to argue the case for more access to information. It is notable that when the home affairs select committee, on which I used to serve, wanted to question him, that was refused. A cynic would suggest that the home secretary wanted to use his media interviews for good PR purposes, rather than to actually answer challenging questions.

Parker has argued that internet companies should pass information on to the UK security services about communications that might cause concern. Of course, this is far more easily said than done, and too much poor quality information can also be a huge problem. The security services were aware of Michael Adebolajo and Michael Adebowale before they murdered Lee Rigby in Woolwich, but failed to act on the information.

It is also hard to see how we reach an agreement that says these conversations should be provided from US companies to the UK when we say it might be concerning to the state, but not also allow such information to be provided to Russia or China, when they allege wrongdoing.

But in any event, internet companies simply do not have access to a huge range of online conversations. Services such as WhatsApp and Apple’s iMessage are encrypted in such a way that the providers themselves cannot simply read the message. They cannot pass the information on even if they thought it was sensible and legal to do so, because they do not have it.

So for Cameron’s vision to become reality, where every message can be read by the security services, there are only two options. The first is to make these encrypted services illegal. This seems like a rather draconian step, and largely unenforceable. Would we really criminalise the millions of people who use these services in the UK? What do we do about people who visit the UK and send a text message home, as they do in their own country, forgetting that iMessage is illegal here? And of course genuine criminals will easily be able to use these technologies, or build them themselves. It is not at all hard to create a secure system using public and private keys.

In any event, we rely heavily on encryption to keep us (relatively) safe online. Internet banking relies on secure encrypted communications, as do many other transactions. Banning encryption means banning security, making the internet better for cybercriminals and worse for the rest of us.

The other option is to try to have it both ways, and to argue for a backdoor in secure communications systems. This would be a way for the security services to have a special way to undo encryption, essentially using a special master password. So, the idea goes, we can all communicate safely and securely, but the agencies can read what we say if they have to.

The problem with a master key is ensuring it stays safe and secret. If someone were able to find out what the key is, then the secure system is completely broken. How sure are we that such a master key would never be lost? It would be a hugely tempting target for any criminal, terrorist, or foreign power, and having something that you think is secure but is actually wide open is extremely risky.

This was demonstrated recently with a security disaster involving the US Transport Security Administration. They want to be able to search through people’s luggage, if they think there is contraband inside. But sometimes people quite reasonably want to lock their luggage, so that people cannot just take things from it. So a system was created with TSA approved locks, so that TSA officials can unlock them using a master key. In theory, no one else can, so your luggage is safe.

You might ask: what if someone got hold of these master keys? But the TSA had an even bigger disaster to come. In a piece in the Washington Post praising their work, someone foolishly posed with a set of master keys. The photo was of a high enough resolution that people can now 3D print copies, and use them to open any TSA approved lock. The backdoor is wide open, and security breached.

This fate can happen to any backdoor system, and probably will. That is why the US National Security Council has been quite clear in their draft options paper. In a leaked report, they said (p. 1):

I hope David Cameron and Theresa May will listen to expert advice such as this. Banning encryption or weakening it through compulsory backdoors will simply make us all less safe online. We would become far more vulnerable to criminals of all sorts: a great victory for terrorists of all kinds.

Julian Huppert is a Lecturer at the University of Cambridge. He also sat on the Joint Committee that scrutinised and heavily criticised the Draft Communications Data bill and was made the 2013 ISPA “Internet Hero of the Year” for his work in killing that Bill. He tweets @julianhuppert.

This article was originally published on openDemocracy.