Encryption has to be one of the most misunderstood technologies in mainstream use these days, writes Mike Gillespie of Advent IM.
I want to sidestep some of the recent hysteria and look at the WhatsApp storm objectively, as once again, we are assailed through the media, with soundbites telling us the best way to secure our nation is to remove encryption because terrorists use it. Yes, they do and they use a great deal of other technologies too, and like encryption they are technologies that many of us use (whether we are aware of it or not) on a daily basis. Services and applications we interact with frequently often make use of technology that protects us from criminal invasion or impact, though we may not be immediately aware of that fact, apps such as the messaging service WhatsApp. The company uses its end to end encryption as a selling point and since its introduction of this technology, and the increased privacy it offers, its uptake has increased dramatically. It would be folly to assume all these new users are terrorists, though of course there is always the potential that some may be. Whilst the Home Secretary has now retracted her original comments, it appears we are still facing calls from some quarters for its encryption to be removed. Every terrorist incident generates strong emotional responses, and we have seen similar media discussion, normally between politicians and journalists about weakening encryption.
After the virtual disappearance of BlackBerry Messenger (a very popular and secure messaging tool that was similarly dogged by controversy because of its security, yet loved by millions), there was a bit of a mainstream void. There were a few options for secure messaging, but WhatsApp, now owned by Facebook, offered phone calls, video and messaging as well as the ability to send files and pictures, securely. All of this based off your own existing address book and all done on any available Wi-Fi network, including the numerous hotspots, whether at home or abroad. No wonder it gained such popularity, especially with young people as they can save their contracted (and potentially parent-paid) text and call allowance for when they do not have a Wi-Fi connection.
The argument has been made that, because of its strong encryption, WhatsApp will be used by criminals and terrorists and that these communications are not visible to police and the Security Services. This is true. However, removing or weakening encryption on these services will also expose legitimate users, enabling them to be exploited by criminals. We can acknowledge that some of the users of encrypted services will be terrorists and this needs to be built in to our approach as does the protection of personal privacy. This is precisely what our National Cyber Security Strategy is seeking to address.
[from the National Cyber Security Strategy]
‘Encryption is the process of encoding data or information to prevent unauthorised access to it. The Government is in favour of encryption. It is a foundation stone of a strong, internet-based economy: it keeps people’s personal data and intellectual property secure, and ensures safe online commerce.
‘But as technology continues to evolve, we have to ensure that there are no guaranteed ‘safe spaces’ for terrorists and criminals to operate beyond the reach of the law.
The Government wants to work with industry as technology develops to ensure that, with a robust legal framework and clear oversight, the police and intelligence agencies can access the content of the communications of terrorists and criminals. Existing legislation allows for the communications of criminals and terrorists to be intercepted when a warrant is in place. Companies have a duty to give effect to such a warrant, providing the requested communications, to the relevant authority. When served with a warrant, companies are asked to remove any encryption that they themselves have applied, or that has been applied on their behalf, so that the material provided is in readable form. The law stipulates that companies are required to take reasonable steps to give effect to a warrant, and any assessment of reasonableness will include an assessment of the steps a company is required to take to remove encryption.’
So it is clear that there is a process in place with judicial oversight and of the highest quality in relation to security services accessing the communications of terrorists, which does not require the sacrifice or personal privacy of ordinary citizens. In fact, the use of encryption as part of strengthening our sovereign capability is also underlined in the Strategy:
‘Cryptographic capability is fundamental to protecting our most sensitive information and to choosing how we deploy our Armed Forces and national security capabilities. To maintain this capability, we will require private sector skills and technologies that are assured by GCHQ. This is likely to require work to be done in the UK, by British Nationals with the requisite security clearance, working for companies who are prepared to be completely open with GCHQ in discussing design and implementation details. The MoD and GCHQ are working to establish a sound understanding of the long-term cost implications of maintaining such sovereign cryptographic capabilities, based on prevailing market conditions and in cooperation with those companies currently able to provide such solutions. We have the confidence that the UK will always have political control over those cryptographic capabilities vital to our national security and, therefore, the means to protect UK secrets.’
Along with the need for a clear layer of governance over how we handle the requirement to review certain communications, the other balancing act in play is that of UK plc’s commercial viability, and particularly post-Brexit, we need to ensure we have the best possible positioning as a secure place to do business and grow. Our use and championing of secure technologies and practice through the Strategy is vital to realise this objective.
[from the National Cyber Security Strategy:]
‘The UK aims to safeguard the long-term future of a free, open, peaceful and secure cyberspace, driving economic growth and underpinning the UK’s national security. To do this we will …. Promote the resilience of cyberspace by shaping the technical standards governing emerging technologies internationally (including encryption), making cyberspace more ‘secure by design’ and promoting best practice; work to build common approaches amongst like-minded countries for capabilities such as strong encryption, which have cross-border implications.’
So the strategy highlights the need for secure default settings. Once you start to introduce back-doors you set a precedent to the erosion of personal privacy and the establishment of non-trust by contributing to a mind-set that says encrypted technologies are bad, not to be trusted and those that use them are not pro-society, which is patently untrue. It’s the thin end of the wedge and we have already seen Virtual Private Networks (VPN) come under fire as they obscure the location and identity of users. We need to remember that this technology, and other like it, is what allows reporting from some of the most repressed and undemocratic places on earth and allows whistle blowing of some corrupt and genuinely not pro-social activity to be revealed and dealt with.
Process and policy has been set by the strategy. Allowing knee-jerk reactions and sound-bites to overshadow our sensible and rational strategy, is a road to nowhere and one we would find hard to reverse and replace. You do not make things stronger by weakening them, this applies to technology like WhatsApp and the internet and society alike.
For UK Government cyber strategy visit https://www.gov.uk/government/policies/cyber-security.