UK prime minister David Cameron is advocating that encryption services be banned as part of his ‘comprehensive’ crackdown on online encryption – what he terms ‘safe spaces’. This will form part of the ‘Snoopers Charter’, which he will reintroduce if the Conservative Party is re-elected later this year. But in doing this he reveals a profound ignorance of how the internet works. Technically, what he advocates is not possible. Even if it were, the consequences of banning encryption would be disastrous for the world economy and, consequently, he would be responsible for the exposure of critical vulnerabilities in internet security, enabling identity theft on a scale never seen before, bank fraud, as well as widespread hacking. In short, in issuing his knee-jerk statement in the aftermath of the Charlie Hebdo killings, Cameron proves to everyone what an idiot he is. So let’s briefly explain why in layperson’s language. Examples of encryption technology that is not within Mr Cameron’s reach are also listed.
1. Threats to daily life
Privacy International has pointed out that Cameron’s proposals “not only threaten the very rights they’re said to be designed to protect, but begin from a fundamentally flawed premise – that such measures are even possible.”
Jim Killock, executive director at the Open Rights Group, added: “Cameron’s plans appear dangerous, ill-thought out and scary. Having the power to undermine encryption will have consequences for everyone’s personal security. It could affect not only our personal communications but also the security of sensitive information such as bank records, making us all more vulnerable to criminal attacks”.
Let’s expand on that…
Firstly, encryption is a cornerstone of world finance and political oversight. By weakening encryption in any form and to any degree, Cameron would unwittingly – and ironically – threaten the capitalist system, which relies on reliable networking and robust information exchange. Nearly every multinational, every small and medium-sized business, every NGO, every local public authority, every academic institution, every health provider and every government department relies on encryption of one sort or another. Moreover, the systems and servers that hold or pass on this information use a variety of encryption technologies and are managed and owned by companies in different countries subject to different legislation, so trying to control this information flow under a UK legal regime – or even a joint UK-US regime – is not possible. To weaken that information, even in a limited way, would cause havoc. Also, weakening encryption or banning encrypted services within one country is technically not possible because of the globalisation of these services, many of which are not even provided by the better-known social media companies. In the unlikely event that a social media company was compelled to agree to UK (or even US) demands, technically it would be impossible to meet them without compromising the security of its users. Indeed, recently Google, alarmed by the Snowden revelations and desperate to provide assurances to its customers, proposed that websites that do not encrypt their traffic be marked as “insecure” by default.
Secondly, even if the UK were able to weaken encryption, the knock-on effect would see millions of users, not just businesses (which also extensively use social media), become far more vulnerable than they are now. Thus there will be more, not fewer, paedophiles (who will become more expert at increasing their own security whilst exploiting their victims’ lack of security); more, not less, hacking (which, depending on the nature of the hacking, may be a good thing!); more, not less, financial fraud (not all financial transactions are banking based); and more, not less, identity theft. Millions of consumer transactions will be rendered vulnerable to hacking, as will SSOs (single sign-ons) to corporate email, logons to intranets and businesses in general via industrial espionage.
Thirdly, there have been suggestions that the UK could ban encrypted apps, such as WhatsApp, Snapchat and Apple’s iMessage, which offer instant messaging services. The companies that own these products would hardly agree to co-operate with the UK Government, as to do so would show partiality – where next: agree to censorship measures for Russia?
Fourthly, if co-operation (front door access) with the communications providers proves to be a non-starter, GCHQ would simply fall back on their existing technologies and hack their way past the encrypted systems. That’s less of a problem with the ubiquitous Facebook or Twitter, or even the more commonly used cloud-based email services such as Gmail or Yahoo Mail – but the real targets of GCHQ probably don’t use these services, or if they do, have set up or use relay services or proxy identities to disguise their usage. Consequently back door decryption methods will simply annoy millions of people and consume billions of pounds/dollars in the process.
Fifthly, as for open source encrypted services – which is what the more intelligent targets use or will use – these will always prove difficult, if not impossible, to crack. To date, neither GCHQ nor the NSA has been able to hack the OTR (Off-the-Record) systems. And both the open-source (i.e. non-proprietary) Tor (if used the right way in conjunction with Tails) and PGP continue to cause these communications agencies major problems. And once one service is hacked another will simply appear to replace it.
2. Idiotic policy
Peter Sommer, an expert on cybersecurity at De Montfort University, commented: “…At the top [UK Government] there’s been a kind of idiocy exemplified by what happened in the basement of the Guardian, where there were obviously lots of copies of the Snowden material but they insisted on the destruction of a computer that might have been used for storing them.” The UK’s Information Commissioner added that it is essential that citizens, businesses and the like protect themselves – i.e. more, not less, encryption is needed.
So why is Mr Cameron advocating these changes? There are two possible answers. The first is tied in with the current philosophy of the intelligence and security services – particularly GCHQ – namely, to increase, not lessen, the hay in the proverbial haystack where lie the proverbial needles (i.e. terrorists and their like). By adopting this approach the intelligence and security services will not only continue to alienate themselves further from the populace but will also frustrate their own objective of successfully identifying targets. If Cameron is not an idiot, then he has been poorly advised. No doubt, Sir Malcolm Rifkind, who heads the UK’s intelligence and security services watchdog, will dutifully do the ‘Yes, Prime Minister’ thing and nod his agreement to this blatantly stupid proposal.
Decryption of (mass) social media, email and related services will not deter terrorists (or paedophiles, etc) but simply expand the total surveillance of citizenry.
3. Encryption technologies
See What is encryption (EFF guide); an explanation about encryption when communicating (includes how PGP works); How to send encrypted email and secure messages; and Freedom of Press guide to encryption.
Examples of encryption for instant messaging:
End-to-end encryption for VOIP:
- How to use TorCrypt
- Wickr (encrypted messaging)
- the pros and cons of Hushmail
- Detekt (free anti-surveillance software for PCs)
- Security in a Box
Also: Inside GCHQ (satire)