Encryption protects us, so maybe it’s time for us to protect it. But no answer to the encryption debate is without a downside.
With a certain amount of inevitability, governments on both sides of the Atlantic are taking another swing at one of the technologies they really love to hate — encryption.
Late last month, US attorney general William Barr warned that the use of end-to-end encryption — which he described as ‘warrant-proof’ encryption — “allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy.”
Similarly, the UK’s new home secretary Priti Patel has more recently criticized the use of end-to-end encryption by messaging services like Facebook’s WhatsApp.
“Where systems are deliberately designed using end-to-end encryption which prevents any form of access to content, no matter what crimes that may enable, we must act,” she said.
“This is not an abstract debate: Facebook’s recently announced plan to apply end-to-end encryption across its messaging platforms presents significant challenges which we must work collaboratively to address,” Patel added.
Patel didn’t indicate how the government would act, beyond asking Facebook and other tech companies “to work with us urgently on detailed discussions”.
Governments have regularly called on tech companies to give up encryption in recent years, to little effect.
By Steve Ranger
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
As Labour’s shadow home secretary Diane Abbott told ZDNet: “The new home secretary repeats the errors of some of her predecessors. She seems not to understand that a general access to encrypted communications by the police and security services would effectively end those communications, because no-one could trust them.
“We know this government doesn’t like evidence, but they really do need to understand that only a targeted, court-approved access by law enforcement and other agencies will work. If the home secretary’s line is pursued, the criminals and terrorists could simply be driven underground and all the rest of us will lose the right to privacy.”
Indeed, the UK government theoretically already has the powers it needs to demand that tech companies strip the encryption from their messaging services.
Under the controversial Investigatory Powers Act passed back in 2016, the government can require tech companies to remove ‘electronic protection’ — encryption — from messages in serious cases.
But in reality, that legal power is significantly limited, which is why the government hasn’t used it. First, many of the biggest messaging companies are based in the US, which means they aren’t particularly worried about what politicians in one medium-sized foreign market think.
Second, these companies are increasingly making security, usually underpinned by a commitment to end-to-end encryption, part of their marketing.
That’s because consumers are becoming ever more aware of the benefits of security. For tech companies, offering customers the privacy of end-to-end encryption is now a competitive advantage.
Indeed, it’s worth remembering this recent vogue for encryption only came about because of extensive US government overreach and snooping in the first place.
These trends make it much harder for tech firms to compromise on encryption: no company wants to offer a service that’s known as ‘the one the government can spy on easily’. On top of this, if you don’t trust a tech company anymore (and plenty don’t), then knowing it can’t read your messages might make you feel slightly more comfortable using that service.
Beyond this is the technical issue, which is that these messaging companies have now designed their systems around end-to-end encryption. Breaking that model at the behest of one or two countries would be vastly expensive and weaken security for all users around the world.
SEE: Can Russian hackers be stopped? Here’s why it might take 20 years (TechRepublic cover story) | Download the PDF version
An alternative is to provide a separate, less secure service for some nations, which would likely be shunned.
Tech companies get demands from all sorts of regimes to turn over customer communications. Some do, some don’t – but if liberal democracies start insisting on getting this data, it’s very hard for a tech company to turn down demand from repressive states as well.
Legislation and enforcement
To stop the use of end-to-end encrypted messaging would require tough legislation not just in the UK, but also at least in the US (which has limited enthusiasm for such a move) and in Europe (which has very little inclination either). And then pretty much every other government in the world.
Such a concerted effort is high unlikely — and, even then, you’d only prevent the majority of law-abiding citizens from using encrypted services. But who would enforce it, and at what cost?
For those who did not want to be monitored, for whatever reason, services would always be available — either home-grown or international. There are a few slightly more elegant solutions to the problem, but they are limited in scope.
So why do politicians keep bringing this up? The cheap shot is to say they do it for the easy headlines. But the truth is, the costs of encryption are real — police cannot spot criminals or terrorists plotting — and should be acknowledged. No answer to the encryption debate is without downsides, and we need to remember and admit that.
We are living in a time of unprecedented erosion of privacy. Some of that we are doing ourselves: we’re carrying smartphones that can report where we are and what were are doing to an array of corporations in real time, and filling our homes with cameras and microphones that outdo Orwell’s telescreens.
Some of the privacy erosion is being done to us — the introduction of facial recognition systems across cities is the latest way that technology is chipping away at our privacy (and just arrived: facial recognition that can spot fear). Encryption may be one of the few forms of protection left open to us.
As one privacy advocate once put it to me, we are in a golden era of surveillance and the state has most of the picture of our lives — the battle now is to protect those last few pixels missing from the image.
It’s hard to see anything in the decades ahead other than the continued erosion of privacy by the technology around us. Whenever we give up another fragment of privacy, we should not expect see it returned to us again. Don’t give up those last precious pixels without thinking long and hard.