The ongoing war on encryption

security

Last year there was a highly reported public debate between the FBI and Apple regarding the encryption used to protect an iPhone belonging to the San Bernardino terrorist shooter. The FBI wanted Apple to unlock the phone, but Apple argued that doing so was not only difficult, but it would put in danger all other similar devices. The dispute made its way to the courts, where eventually the FBI withdrew after facing fierce opposition from the tech industry.

This is a debate that has two very clear sides. On one side, “law and order” types argue that security agencies should get unlimited access to technological communications even if these are protected by strong encryption, arguing that the public interest is to stop terrorists. On the other side is the entirety of the technical industry and community, who argue that any access to a device would endanger all other devices. Both opinions are irreconcilable. Talking about the case at the time, EFF commented:

“The power to force a company to undermine security protections for its customers may seem compelling in a particular case, but this week’s order has very significant implications both for technology and the law. Not only would it require a company to create a new vulnerability potentially affecting millions of device users, the order would also create a dangerous legal precedent. The next time an intelligence agency tries to undermine consumer device security by forcing a company to develop new flaws in its own security protocols, the government will find a supportive case to cite where before there were none.”

The debate is now underway once more in the UK with the heinous terrorist attack that took place last week against Westminster bridge which resulted in the death of five people. It was reported that the terrorist had sent an Whatsapp message just before committing the terrorist act, and the UK’s Home Secretary Amber Rudd has been criticising tech companies for not allowing police and security services access to encrypted communications. This has drawn ire from the right-wing press like The Sun and the Daily Mail, with angry calls against tech giants such as Google and Whatsapp to help in the efforts against terrorism.

The problem with many of the articles calling for an opening of encryption is that they are often written by people who are completely clueless about the subject matter, and do not even realise just how misguided the calls for an end to encrypted tools are. Take the pictured clip from the Daily Mail, which classes WordPress as an offending app that allows “extremists plot in secret”. WordPress is nothing more than a blogging and communications platform (this blog runs on WordPress), and it makes no sense whatsoever to class it as something that allows extremists to communicate.

We are often sold the need to end encryption, or to enable torture, on the premise that at some point we will need to access a terrorist’s personal communications due to a pressing “ticking bomb” scenario. It is important to remember that this type of attack has never taken place outside of a Hollywood movie.

Furthermore, the number of terrorists plotting in communication tools is dwarfed by the number of everyday common users, so when newspapers and politicians call for an end to encryption in those tools, what they are actually saying is that they will affect how normal people communicate, making millions vulnerable to hacking. Thankfully, parts of the media have responded to the misguided calls in a rational manner, Jonathan Haynes in The Guardian wrote:

“While you can legislate to only give state agencies access to terrorists’ communications, and with proper oversight and authorisation, you cannot actually build encryption that works like that. If you put a backdoor in, it’s there not just for security services to exploit, but for cyber-criminals, oppressive regimes and anyone else. So how do you allow security services access to terrorist communications? The UK government could conceivably ban messaging companies that offer end-to-end encryption from operating in the UK. However, it is not clear how you would enforce that – and indeed it would be the people who do not want to be monitored who would find ways to avoid it.”

And Will Gore wrote in The Independent:

“Equally though, the Government must recognise that this is 2017. Technological advances may pose new challenges to law enforcement, but they have also – in a great many ways – made the world a better, and in some ways safer, place. To imply that we can markedly reduce the threat posed by determined terrorists by making encrypted online messages accessible to the police may be neat. But it’s stunningly unsophisticated, technologically lazy and almost certainly wrong.”

This is the issue that we are presented with. Calls to have technology firms offer backdoor access to private and encrypted communications must be read as a call to endanger everyone’s communications by making them easier to read by hackers. Moreover, encryption is not proprietary, it is just a clever use of maths, and there is no way that governments will ever be able to ban that. If somehow an app is made vulnerable, terrorists will move to another method, and we the public will still be left vulnerable.

But you may argue that we should never give up, and that the fight against terrorism is a worthy cause. It certainly is, but we cannot give up our expectations of security on the assumption that somewhere a terrorist is using an encrypted tool to communicate with one another. There is little evidence that this is the case, and even strong evidence to the contrary. The Paris terrorists used unencrypted burner mobile phones to communicate, and also favoured face to face contact.

We cannot give away our rights based on fables and ignorance.

Leave a Reply