The UK sustained the worst terrorist attack since July 2005 last week in Manchester. The government is now pressing harder to remove end-to-end encryption from apps like WhatsApp. In this post, I address the dire consequences this has, not just for businesses but for us as private citizens as well. In addition, we will see how the lack of technical detail in the debate makes it an irrational one, based mostly on emotion, not on fact.
Yesterday on the BBC’s The Marr Show, the Home Secretary continued to force her inept agenda by again calling for backdoors in encryption, which isn’t really encryption at all. To be fair to Marr, he did say such a ban would “devastate the internet economy”, referring to banking and e-commerce. But the issue is that he is like many journalists in the focused media – where many voters form their views – who are seldom from technical backgrounds and are therefore unable to push politicians on the technical implications.
This difficulty doesn’t just exist for cybersecurity but also for other technical topics, like the safety of genetically modified food or the clear pattern of evidence on human-accelerated climate change. In reality, there simply isn’t a debate for some subjects, and we’ll find out why by looking at the basics of encryption.
What is End-to-End Encryption?
Apps like Facebook Messenger and WhatsApp employ end-to-end encryption. This is the act of encoding a message using a key so that the message, provided it works as intended, can only be read by the recipient, who decodes it with the same or a linked key. Without a valid key, the message is unreadable.
And there lies the problem. If the government are given exceptional access with backdoors, it becomes a precious gift for criminal hackers.
Backdoors Endanger Cybersecurity, Minimal Effect on Wrongdoers
It’s not so much a proposal anymore, as the Investigatory Powers Act has received Royal Assent and is therefore now law. But now come the technical implications of implementing that law. Those implications are within the “Investigatory Powers (Technical Capability) Regulations 2017”, whose leaked draft heavily suggests the use of backdoors:
“To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.”
Backdoors in encryption are much like master keys. They are used by an entity, friend or foe, to access the contents of a message. A password is just another name for a key. So imagine a password being able to unlock any message. Suddenly, what mathematicians and security experts have spent decades securing is secure no longer.
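The master-key problem described above, as an added example that is not code from the original post: every message gets a fresh key, and an optional escrow key (a hypothetical name, like the others here) is handed a copy of it. The cipher is a standard-library SHA-256/HMAC stand-in for AES-256, and the recipient key is assumed to be shared by both ends of a conversation.

```python
import hashlib, hmac, secrets

def _sub(key, label):                      # separate encryption and MAC subkeys
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):         # SHA-256 counter-mode keystream (AES stand-in)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def send(plaintext, recipient_key, escrow_key=None):
    msg_key = secrets.token_bytes(32)      # fresh key per message
    env = {"body": seal(msg_key, plaintext), "recipient": seal(recipient_key, msg_key)}
    if escrow_key is not None:             # the exceptional-access copy of the message key
        env["escrow"] = seal(escrow_key, msg_key)
    return env

def can_read(env, key):
    """True if `key` unwraps any copy of the message key and so recovers the body."""
    for slot in ("recipient", "escrow"):
        try:
            unseal(unseal(key, env[slot]), env["body"])
            return True
        except (KeyError, ValueError):
            pass
    return False

def demo():
    # Constructed sample: two unrelated conversations and one escrow ("master") key.
    k_alice, k_bob, k_escrow = (secrets.token_bytes(32) for _ in range(3))
    e2e = [send(b"to alice", k_alice), send(b"to bob", k_bob)]
    escrowed = [send(b"to alice", k_alice, k_escrow), send(b"to bob", k_bob, k_escrow)]
    return {
        "alice_key_reads_bob_e2e": can_read(e2e[1], k_alice),
        "escrow_key_reads_e2e": [can_read(m, k_escrow) for m in e2e],
        "escrow_key_reads_escrowed": [can_read(m, k_escrow) for m in escrowed],
    }

if __name__ == "__main__":
    print(demo())
```

A stolen recipient key exposes one conversation; whoever holds the escrow key, lawfully or not, reads every escrowed message from every user.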
A 2015 paper, “Keys Under Doormats”, by a group of acclaimed researchers, highlights the complications with exceptional access:
“Designing exceptional access into today’s information services and applications will give rise to a range of critical security risks. First, major efforts that the industry is making to improve security will be undermined and reversed. Providing access over any period of time to thousands of law enforcement agencies will necessarily increase the risk that intruders will hijack the exceptional access mechanisms. If law enforcement needs to look backwards at encrypted data for one year, then one year’s worth of data will be put at risk. If law enforcement wants to assure itself real time access to communications streams, then intruders will have an easier time getting access in real time, too. This is a trade-off space in which law enforcement cannot be guaranteed access without creating serious risk that criminal intruders will gain the same access. Second, the challenge of guaranteeing access to multiple law enforcement agencies in multiple countries is enormously complex. It is likely to be prohibitively expensive and also an intractable foreign affairs problem.”
But maybe this is why the draft bill is vague in nature. And why the government only sought the advice of a handful of telcos, six from government agencies and a board chairman in a private consultation that ended on 19 May.
Martin Kleppmann, a cybersecurity researcher at the University of Cambridge, attacked the original bill in his submission of evidence to Parliament last year:
“I suspect that all the vagueness about concrete technical measures is deliberate, because it allows the government to deal with the technical details within a particular technical capability notice, which would be under a gag order, and thus avoid any public scrutiny by the infosec community.”
Strong encryption standards like the cipher AES-256, a way of encrypting data used in millions of cloud services and apps, are public. The passwords or keys are kept private and are impossible to reverse-calculate. This scrutiny is why we are relatively secure with banking and our personal documents in the cloud.
It is also quantum-safe. This means the early quantum computers of the future will still take much longer than the age of the universe to break it. I explained the maths regarding the speed of cracking passwords in my previous post.
We’ve Been Here Before
Hackers have used backdoors to disturbing degrees, as noted in the aforementioned paper. In one example, insiders at Telecom Italia enabled the wiretapping of 6,000 people, including business and political leaders, journalists, and judges, for a decade between 1996 and 2006. During that period, no business, journalism or government activity could be guaranteed free and private.
Another example: from 2004 to 2005, 100 senior members of the Greek government, including the Prime Minister as well as the heads of National Defence and Justice, and others had their mobile phones tapped. Vodafone Greece purchased a switch from Ericsson, but a firmware upgrade enabled wiretapping abilities. Vodafone Greece didn’t pay for them and thus had no access. However, that didn’t stop a still unknown group from conducting illegal surveillance.
No government can possibly say, without lying, that this wouldn’t happen again. They cannot guarantee that no citizen would be blackmailed or have their identity stolen. These master keys could be leaked, which would create misery for millions. For instance, the ransomware attack on the NHS and many other computers around the world was derived from the WannaCry worm – stolen from the National Security Agency (NSA).
After all, the vulnerability in the Windows operating system was known nearly two months before the attack, and yet the government failed to act. How can it be trusted with such access and at the same time guarantee safety when it cannot safeguard against known threats like WannaCry?
But what if the government continues to disregard these clear and present dangers? Terrorists and criminals who are the targets of the legislation can simply use VPNs to re-route and encrypt their traffic through another server, often through one or more other countries.
Tor is one such example that provides easy access to the dark web – home to mail order illicit drugs, weapons, child pornography and other illegal content – which is closed off from the public internet, and it has done so for nearly 15 years. VPNs aren’t the only way. Anyone can implement AES-256 or another strong cipher into their own apps – it is very easy even for a non-programmer.
Although we should hope for a public consultation where more intelligent and opposing views can be made known, I wouldn’t hold your breath. The government is keen to force this through.
In the probable event that identity and banking information is stolen following a leak, the law’s sponsor, Amber Rudd, will most likely resign and collect a large pension on the taxpayers’ dime. We’ll all be left with the repercussions of business and personal reputations lying in ruins, with yet more taxpayers’ cash needed to fix it.
And of course it won’t be the government’s fault. It’s always someone else’s.