The war of governments on encryption is now ramping up on both sides of the Atlantic, fueled by either profound ignorance on the part of policymakers or a genuine desire to make the internet and mobile communications less secure for all users — including governments themselves.
On the weekend, Barack Obama, attending a major tech conference, said that law enforcement agencies had to be allowed access to all encrypted communications devices. The President cited the need to stop child pornographers and terrorists — continuing the long tradition that no politician can discuss electronic privacy without accusing defenders of helping paedophiles — and called tech industry supporters of encryption “absolutists”. Data, Obama said, was just another area where the community had to accept a trade-off between privacy and security. “This notion that somehow our data is different and can be walled off from those other trade-offs we make, I believe, is incorrect,” he said.
While he didn’t mention it, the immediate context for his remarks is the legal stand-off between Apple and the FBI over writing a backdoor to the operating system on the iPhone of one of the San Bernardino murderers in order to enable the FBI to “brute force” the password encrypting the phone. Problematically, though, the FBI’s case has been undermined by its admission that it badly bungled its handling of the phone — the FBI accidentally locked the phone itself in the aftermath of the attacks.
While Obama was selling the case for undermining privacy, another case emerged of law enforcement agencies pressuring IT companies to attack their own security. WhatsApp, a communications app owned by Facebook that is now end-to-end encrypted, is in a stand-off with the Justice Department over a case in which the latter is demanding access to messages as part of a criminal investigation (not related to terrorism). Government officials are said to be considering waiting until there’s a sufficiently high-profile terrorism case in order to launch a full-scale assault on WhatsApp. A Facebook executive in Brazil was recently arrested in that country for refusing to provide WhatsApp data.
Meantime in the UK, the Cameron government, in addition to dramatically widening the powers of security agencies to monitor citizens’ communications — including a data retention scheme for every citizen’s browsing history — will also establish a legal requirement for tech companies to defeat their own encryption on the orders of bureaucrats. As a “compromise” the government recently amended its bill to remove a requirement for companies to remove encryption even when it literally couldn’t be done.
Worryingly, if such laws were introduced here, they’d receive little critical scrutiny from Parliament’s Joint Committee on Intelligence and Security, which is now chaired by an open critic of any debate on security laws, Andrew Nikolic, and includes a former counter-terrorism policeman in its ranks. In the aftermath of the Paris terrorist attacks last year, Malcolm Turnbull — who is well known for using ephemeral and encrypted apps like Wickr and WhatsApp rather than SMSing, which he complains is poorly secured — flagged the government was looking at encryption, saying he had “asked that ASIO and other relevant agencies work with our international intelligence partners to address the challenge of monitoring terrorist groups in this new environment”.
Obama’s framing of the encryption issue is telling. In addition to the inevitable invocation of paedophiles, he has framed it as an issue of balance between privacy and security.
As Crikey has long explained, this framing is based on a lie that there is any balance between privacy and security. Politicians love to claim that a particular extension of national security powers “gets the balance right” (it’s probably the No. 1 cliche in the entire communications security debate). But the balance only ever tips further in favour of security every time laws are changed — there are very few cases of laws re-balancing back in favour of privacy, even when security threats are judged to have receded, and in Australia even draconian, sunsetted laws end up being extended. The rollback of NSA surveillance powers by Congress last year was an almost unique example of sunsetted legislation being substantially amended, although it is likely the NSA simply used self-serving interpretations of other legislation to continuing the bulk data collection it ostensibly lost the power to undertake.
But the concept of balance between privacy and security simply doesn’t apply when it comes to undermining encryption. As Apple, other tech companies and tech experts across the world have explained, the only balance is between more security and less security — for everyone. Creating backdoors into encryption, even if technically feasible, means malicious actors — criminals, foreign governments, corporate spies, domestic intelligence agencies with anti-democratic agendas — have more tools at their disposal to access data they shouldn’t have access to — whether it’s the data created by individuals, corporations or governments themselves.
In December, a prominent cybersecurity company revealed that “unauthorised code” had been inserted into an encryption product widely used by US government agencies including the Pentagon, most likely by exploiting deliberately flawed random number generation code that the NSA itself had developed. That the Pentagon was placed at risk as a result of the NSA deliberately undermining encryption tools is schadenfreude-worthy, but it also demonstrates the very real way in which this debate is not about privacy versus security, but about more security versus less security. And the Obama administration and the Cameron government are on the side of less security.