nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

'Real' people want govts to spy on them, argues UK Home Secretary

Magical thinking meets willful ignorance at closed meeting

By Kieren McCarthy, 1 Aug 2017

Analysis UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that "real people" don't need or use end-to-end encryption.

In an article in the Daily Telegraph timed to coincide with Rudd's appearance at a closed event in San Francisco, Rudd argued: "Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."

She continued: "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and 'usability,' and it is here where our experts believe opportunities may lie."

The reference to "real people" struck a nerve with a host of security experts, sysadmins, privacy advocates and tech-savvy consumers who took to Twitter to point out that they were real people, and not ISIS sympathizers – as Rudd implied in her piece. Rudd essentially declared that people who use strong encryption are not normal, not real people, which is a rather dangerous sentiment.

More broadly, her argument is an effort to square the circle on the issue of encryption: where tech companies and security experts say they cannot allow access to encrypted messages without compromising the entire system; and politicians and the security services argue that they need to be able to gain access to all communications for national security reasons.

Magic

The politicians' argument has long been disparaged as "magical thinking" by the tech industry (and some federal agency representatives): simply wishing something to be true does not make it possible.

"This is not about asking the companies to break encryption or create so-called 'back doors'," Rudd argued, while failing to recognize that any method of breaking encryption on demand is, by definition, the introduction of a backdoor. She added:

I know some will argue that it's impossible to have both – that if a system is end-to-end encrypted then it's impossible ever to access the communication. That might be true in theory. But the reality is different.

"There are options. But they rely on mature conversations between the tech companies and government – and they must be confidential. The key point is that this is not about compromising wider security. It is about working together so we can find a way for our intelligence services, in very specific circumstances, to get more information on what serious criminals and terrorists are doing online."

What Rudd appears to be arguing for is encryption on people's devices, but with tech companies providing and storing the encryption keys so they can decrypt messages when ordered to do so by the authorities – or perhaps provide some sort of secret backdoor access so investigators can leaf through decrypted chatter remotely on suspects' devices. The existence of these skeleton keys, or secret back passages, would undermine security and privacy for everyone.

And the reference to conversations having to be confidential – well, that was borne out by the fact that the first meeting of the "Global Internet Forum to Counter Terrorism" was kept entirely secret – with limited details only put out the day before. Even the location of the meeting was kept secret.

We asked to attend and were told: "The event isn't open to the press at the request of some of our participants." Some tweets from inside the event by the organizers provide a very limited window into discussions.

Remember Snowden?

What Rudd's argument fails to acknowledge, however, is the entire reason that the encryption debate took off in the first place: mass surveillance carried out by the National Security Agency (NSA) that was revealed in confidential documents released by Edward Snowden back in 2013.

Lest anyone forget, Snowden revealed that not only were the US authorities monitoring every phone call made in the US, but they had tapped the internet's backbone and tech giants' data centers without letting them know.

Many of those programs have since been declared illegal, but the enormous breach of trust felt by the US tech companies that had been working with the authorities to provide legal access to communications resulted in immediate efforts to encrypt all data and so cut off the NSA's data firehose.

The tech companies also responded to massive consumer demand for more secure systems when the extent of government spying became clear. The earliest and most high-profile shift was when Apple updated its mobile operating system to provide true end-to-end encryption, meaning that it was unable to read its own users' messages.

That move was swiftly followed by others, including Facebook-owned WhatsApp, after competitors like Signal suddenly appeared on the market and picked up tens of thousands of new users almost overnight.

Rudd's argument essentially boils down to asking everyone to forget about the fact that the US government illegally hoovered up and stored everyone's personal communications, and then let them do it again. Because terrorists.

A solution

Not that such an approach is impossible: companies like Facebook, Google, Apple and so on could redesign their systems to make it possible to decrypt them. They could even avoid the problem of a simple backdoor by using constantly changing encryption keys – so long as they keep a copy of those keys.

When the authorities then turn up and ask for specific messages from specific users to be decrypted, the company in question could match the messages with the encryption key used in each case. That would certainly provide additional layers of security and make it much harder for a malicious third party to gain access to messages.

But – and it is a very big "but" – the issue is over whether the companies, and ordinary citizens, trust the security services not to abuse the system. And there is a wealth of evidence to suggest that any such trust would be misplaced.

As we know from the Snowden documents as well as efforts from politicians such as senator Ron Wyden, the authorities have repeatedly developed secret and transparently flawed legal justifications to extend their powers far beyond what the law explicitly states.

For example, the ability to collect the details of every single phone call made over Verizon and AT&T's networks was eventually achieved through the issuance of a single piece of paper, renewed in secret every three months.

And despite Congress' best efforts, the US security services are still refusing to say how many US citizens' details are held in a vast database that was created illegally through misinterpretation of the FISA Act, a piece of legislation specifically tailored to gather information only on non-citizens. Congress started asking for the figure seven years ago.

The governments on both sides of the Atlantic do of course have good and valid reasons for wanting to be able to access encrypted communications, especially given the spate of recent terrorist attacks.

But the reality is that the security services have become addicted to the easy search capabilities that come from mass surveillance, rather than the much harder task of pinpointing and targeting individuals.

And there is no evidence that they are willing to let that position go. Especially when they can work the political systems and use the terrorism threat to push through legislation that restores their ability to spy on anyone at will. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing