How would you like governments, their public servants and their hired contractors, to be able to break into any encryption you use online — your private messages, your internet banking, the internet-enabled toys your kids use, your car, your fridge, the lot — because “things need to change” in the fight against terrorism?
Some of you would be uncomfortable with that; others might accept it as a price worth paying to stop the kind of attacks we’ve seen repeatedly in recent months in the UK and on the weekend.
But how would you like it if terrorists themselves could break into encryption? Or organised crime? State-sponsored hackers from Russia, China or North Korea? Pedophiles? Because that will be the result if UK Prime Minister Theresa May gets her wish to “regulate the internet” and try to prevent the use of encrypted communications.
Ending soon: save 50% on a year of Crikey.
Just $99 for a year of Crikey before midnight, Thursday.
That’s not information activist fearmongering or libertarian privacy advocate talk, that’s simple mathematics.
Politicians like May, and many others, harbour a fantasy that there is some magic by which governments could be given secure access to encrypted communications by the manufacturers of encrypted applications and platforms. It’s the IT equivalent of insisting there’s no climate change or the world is flat — only they get away with it because most people don’t understand the basics of encryption. So here we are. As Labor’s Anthony Byrne predicted last month, the issue of backdoors is now back on the agenda.
That anyone could seriously suggest governments could be trusted to keep access to encrypted communications secure is laughable in the wake of not one but two massive releases of National Security Agency and CIA hacking tools in recent months. Hacking tools are backdoors of exactly the kind the likes of Theresa May want — only the latter would be developed by the software developers themselves, at virtual gunpoint, rather than by intelligence agencies or the people they buy them off. And they’ll be stolen, just as the NSA and CIA ones were, and as others have been. If we’re lucky, the thieves will release them publicly, to embarrass agencies. If we’re not so lucky, they’ll be sold to the people who are willing to pay good money for access to the world’s encryption systems. People who want to steal from banks. Pedophile rings. Other governments. Terrorists.
But it’s not merely that all of us will inevitably, mathematically, be less safe as a result, it’s that — like so many other surveillance measures — it will have minimal effect on terrorism. Terrorist groups will simply develop more of their own bespoke encryption apps — Al Qaeda has been doing that for years although, as expert Bruce Schneier points out, “homebrew” encryption doesn’t tend to be as good as publicly tested tools.
In any event, the actual process of achieving May’s fantasy is so profoundly laborious and damaging that it’s unlikely to ever proceed — exactly why threats to do so by her predecessor David Cameron didn’t.
There’s also the problem that, while the identities and histories of the perpetrators of the latest London attack aren’t yet publicly known, there’s a disturbing pattern of jihadist terrorists being shown to have already been on the radar of security agencies and even, in the case of Manchester bomber, the subject of specific warnings to agencies about the threat they pose, without action being taken. How will giving agencies access to encrypted communications improve security when they don’t act on specific warnings?
And let’s not forget the UK is already a surveillance state, thanks to Theresa May, who was Home Secretary for six years until July last year — she introduced not merely data retention but the retention of every citizen’s internet browsing history. The draconian surveillance powers imposed by May have failed to halt the current wave of attacks — possibly because May cut 20,000 police officers while in office, leading, police say, to an increased risk of terrorism.
In that context, May’s demand to “regulate the internet” looks a lot more like an attempt to cover her own grievous failings as Home Secretary rather than a sensible policy.