Encryption – A Failure to Understand

Today in the Telegraph, Amber Rudd, the UK Home Secretary has written an opinion piece (subscription) trying once more to explain the Government’s views on encryption.

Broadly speaking, they’re very upset that it’s really hard to break into terrorist and ne’er do well’s encrypted messages over services such as WhatsApp. It would be much easier if such services didn’t employ strong end-to-end encryption.

While the message does seem to be slightly getting through that encryption actual has a lot of commercial uses, there does seem to be a real failure to understand that it’s actually really useful for everybody – including “real people.”

I’ve annotated some of the column:

Encryption plays a fundamental role in protecting us all online. It is key to growing the digital economy, and delivering public services online. But, like many powerful technologies, encrypted services are used and abused by a small minority of people.

Yes. This is all true.

The particular challenge is around so called “end-to-end” encryption, where even the service provider cannot see the content of a communication.

That’s kind of the point about encryption. If my messages are sitting unencrypted on some kind of central server at WhatsApp or wherever, then they’re vulnerable. We’ve seen a non-stop series of hacks and data leaks of all kinds from everywhere. Unencrypted data is essentially a vulnerability waiting to happen.

To be very clear – Government supports strong encryption and has no intention of banning end-to-end encryption.

Good.

But the inability to gain access to encrypted data in specific and targeted instances – even with a warrant signed by a Secretary of State and a senior judge – is right now severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.

Undoubtedly this is a significant challenge. But either you allow end-to-end encryption or you don’t. And if you don’t, the consequences are vast.

I know some will argue that it’s impossible to have both – that if a system is end-to-end encrypted then it’s impossible ever to access the communication.

That’s right. It’s impossible – at least without access to the devices at either end where the messages are unencryted.

But you either have end-to-end encryption. Or you don’t. The choice is binary.

That might be true in theory.

Not just theory.

Practice.

It’s mathematics.

In this kind of area, there aren’t shades of grey. It works or it doesn’t work.

But the reality is different.

No it’s not.

Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.

Where to begin?

This is a false dichotomy for starters. WhatsApp offers all the features alongside end-to-end encryption. A priori, you can have both.

And who are “Real people?” Are they business colleagues dealing in commercially sensitive data or intellectual property? Or friends and family sharing banking details? People sending naked selfies to each other? People having affairs or relationships they’d like to keep private? People seeking support for sensitive medical issues? Conservative MPs plotting in WhatsApp groups who will be the next PM?

“Real people” actually like a bit of privacy it would seem. There are countless good reasons for this. And encryption allows this.

So this is not about asking the companies to break encryption or create so called “back doors”.

OK – good. Because that would be horrifically dangerous.

Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly 
user-friendly and cheap way of staying in touch with friends and family?

Um. Quite a lot of people. Encryption makes our lives safer. WhatsApp has managed to be both incredibly user-friendly and provide end-to-end encryption.

Are you asking WhatsApp to remove that encryption then? Because it’s really not clear from any of this what you expect them and others to actually be doing.

Companies are constantly making trade-offs between security and “usability”, and it is here where our experts believe opportunities may lie.

Except in this instance there is no trade-off. It turns out that we can have both! So I’ll take both thanks.

So, there are options. But they rely on mature conversations between the tech companies and Government 
– and they must be confidential. The key point is that this is not about compromising wider security.

Er. Yes it is. You want encryption switched off. That compromises my own security, and that of millions of other users.

It is about working together so we can find a way for our intelligence services, in very specific circumstances, to get more information on what serious criminals and terrorists are doing online.

Let’s think this through. If Facebook switches off encryption in WhatsApp, then do you think it’s at all possible that terrorists et al might migrate somewhere else? And you do understand that encryption isn’t something you can stuff back in the bottle. It’s out in the wild. There are dozens, if not hundreds of messaging services. Many businesses can’t, or won’t, work without full encryption, so you can’t ban the tools. They’re used throughout the world.

I thought previously that it was technical naivety that has led a succession of Home Secretaries to spout nonsense about encryption. But I’m beginning to think that it’s almost purposeful.

The Telegraph piece does not make any sense. And it really doesn’t spell out what the Home Secretary would actually like these companies to do.

I suspect it’s to turn off encryption. But that would just leave the vast majority of users globally far less secure while any terrorist with a semblance of intelligence would move to another platform that does offer encryption.

We’re lucky enough to live in a democracy in the UK. Many people don’t. Encryption has proved vital to millions of people throughout the world. But it’s not just dangerous regimes, but personal data that people would just prefer not to share with anyone apart from their intended targets.

At this point, a failure to not understand this must be construed as willful.


Posted

in

Tags:

Comments

One response to “Encryption – A Failure to Understand”

  1. Emily Power avatar

    What exactly does she mean here? She has contradicted herself:
    She says, “So this is not about asking the companies to break encryption or create so called “back doors”.”
    But then claims “So, there are options. But they rely on mature conversations between the tech companies and Government 
– and they must be confidential.”

    And this comment:
    “To be very clear – Government supports strong encryption and has no intention of banning end-to-end encryption.”
    Imagine how banking / money transfers would have to work if e2e was “banned”. It’s like they’re using scare-tactics, ridiculous suggestions or threats so they can cause a furore, then slide some underhand policy or law into place, one which is deemed not as bad.

    They should have a body of experts involved, but it sounds like they don’t. Are they being thoroughly briefed by the NCSC on this stuff before making such statements? If they aren’t, then why? There’s a huge resource there.