It’s not that the UK government doesn’t like, or intends to ban, end-to-end encryption, UK Home Secretary Amber Rudd wrote in The Telegraph on Monday.
It just wants to break it a little. It’s OK, Rudd says: “real people” couldn’t give a rat’s rear about perfect security.
Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called “back doors”. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?
Rudd didn’t name the “experts” who are telling the government that it’s a good idea to compromise end-to-end encryption.
Rudd’s article was published to coincide with the first meeting of the Global Internet Forum to Counter Terrorism: a forum of “the world’s most powerful technology companies” called together in March, to figure out how to turn the tide on “do-it-yourself” jihadism.
The tentacles of Daesh… recruiters in Syria reach back to the laptops in the bedrooms of boys – and increasingly girls – in our towns and cities up and down the country. The purveyors of far-Right extremism pump out their brand of hate across the globe, without ever leaving home.
The latest rumblings about encryption – in particular, that of WhatsApp – is a continuation of the backlash that followed the Westminster attack in March, in which four people died and dozens were injured. According to reports, Khalid Masood had sent a WhatsApp message two minutes before launching the terror attack in London on 22 March.
The British government has been scathing in its condemnation of social media platforms for what it considers feeble attempts to combat hate speech: Yvette Cooper, a member of the opposition Labour party, recently told a committee of MPs that YouTube’s enforcement of community standards was “a joke”, and that Twitter and Facebook “are incredibly powerful organisations… it’s time they used more of that power, money and technology to deal with hate crime and keep people safe”.
The UK certainly isn’t alone in its impatience with online hate speech and terrorism propaganda. German police have raided homes over Facebook hate speech, and its lawmakers recently passed laws to levy huge fines on social media companies if they don’t take illegal material down promptly.
But besides extremist content, WhatsApp – with its end-to-end encrypted messaging – is a particularly sharp thorn in governments’ sides.
The Facebook-owned company has repeatedly explained that it can’t hand over user messages even if it wanted to, given that it doesn’t store them. Nonetheless, Brazil has blocked the service – repeatedly – a – and gone so far as to throw a Facebook exec in jail over encrypted messages during a court case about an alleged drug trafficker.
At any rate, exactly how would crippling end-to-end encryption in WhatsApp accomplish anything in the war against terror? Terrorists can always just shift to a different encrypted messaging service, after all. Worse still, they might go off and build their own encrypted platform, thus stymying law enforcement’s efforts further still.
Security expert Troy Hunt, for one, pointed out the irony of Rudd’s claim that nobody really cares about encryption (or that it requires some kind of trade off with usability) by tweeting out a list of links to sites used by Rudd that embrace the use of encryption:
Here’s @AmberRuddHR encrypted site https://t.co/zIsz46ms9W
Encrypted Wiki https://t.co/IVO2Swazkq
Encrypted tweets https://t.co/x4Cs8AYSjD https://t.co/W7nLf9eNdC— Troy Hunt (@troyhunt) August 1, 2017
Naked Security has explained that deliberately programming weaknesses so as to sidestep security when it’s inconvenient can have some truly nasty, unintended consequences.
…like these, put out by Naked Security’s Paul Ducklin back when the FBI was demanding that Apple create an iPhone backdoor so it could get into a locked iPhone belonging to a killer in the San Bernardino terrorist attack:
- Programming a hard-wired, “secret” password into authentication software so that there is always a guaranteed way in means that, well, there’s always a guaranteed way to let in the wrong people, and sooner or later, they’ll find it.
- Vendor-stored passwords are a breach waiting to happen. At any time, some or all of the password database could be stolen in a breach, sold off by crooked insiders, or acquired by court order. You simply can’t tell what security you have, if any.
- Weakened encryption systems get weaker over time as computers get faster. Cracking times fall year-by-year until they’re within reach of the average cybercrime gang, and ultimately even of a determined loner at home.
The call to fight terror is emotionally fraught, and it’s not to be dismissed lightly. Rudd’s righteously passionate about her entreaties that law enforcement be empowered to investigate, and to prevent, violence.
Weakening security won’t bring that about, however, and has the potential to make matters worse. That’s why Sophos has for years joined with Google, Apple, WhatsApp, Microsoft and other internet companies to say #nobackdoors.
“Real people” want their data to be safe. “Real people” are harmed by real breaches. “Real people” need to understand the real dangers of intentionally weakening security.
Mark Stockley
The big problem with these kind of statements, for me at least, is the lack of clarity. In one paragraph the home secretary seems to be saying that she doesn’t want to break encryption… but who really wants encryption anyway? Which sounds a lot like no encryption at all.
I assume that’s deliberate and I suspect that this is sabre rattling aimed at the big tech companies – “if you don’t do something about this we might just do something drastic”.
I reject the idea that you can have features or encryption but not both, or that people don’t care about encryption in WhatsApp. True, I don’t use my car because it has an air bag but I would use a different car if it didn’t.
RichardD
“Hunt’s article was published …”
Shouldn’t that be “Rudd’s article”? It’s quite tricky to get Amber and Troy confused! :)
Mark Stockley
Fixed, thanks!
Mike
It’s at least nice when politicians come with their own alert levels.
Paul Ducklin
“Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.”
People surely prefer both, given that ease-of-use and encryption are not mutually exclusive.
Mike
The fake either-or choice is a favourite of UK politicians. A few years ago the country was plastered with billboards featuring a newborn baby and the words “She needs a maternity ward, not a new voting system.”
Joe
I think I am real; I voted in the last election – I think that was real (unfortunately). And I give a bit more than a “rats rear” (which is surely unparliamentary language).
If the Government wants us to adopt electronic communications / commerce / government, surely they need to understand that security is a qualifying condition.
I need to know that I can send a confidential letter to my solicitor
I need to know that I can transfer funds securely
I need to know that my communications with government will not be intercepted
“Bad folks” (© G W Bush) have a nasty habit of hanging around “backdoors”.
Bad folks include; unscrupulous competitors, opponents in legal cases, thieves, unethical market researchers, nosey-parkers and blackmailers, “those who want to influence elections”, etc.etc.
I fear commercially sensitive information falling into the competition’s hands
I fear my bank accounts and credit cards being compromised
I fear future electronic votes being tampered with
If you have something to fear, you have something to hide – by means of strong encryption. By definition backdoors are incompatible with strong encryption.
Anna Nyms
I’m not sure Amber Rudd really knows what encryption is or does she live in Disneyland? Does she want everyone to see and access her private financial information and medical information, private phone calls, etc? Without encryption, her personal information would be an open book. Let the individual decide how much privacy they need. Some people don’t care and others are more careful about how much personal information is available in public. What about protection from stalkers and abusive spouses that some women need?
brianc6234
Those people probably haven’t been hacked or had their personal information stolen. Once that happens they’ll want good security.
Encrypted
Real ppl don’t need real security???
Bullshit!
Amber Rudd should try to use the internet without any encryption.
SMTP, IMAP, http (especially online banking, well bank usually force to https version).
No https, no ssl/tls.
See what will happen to her.
Foolish!!!
Dave Peterson
Yes, real people… those with a functioning brain want unbreakable encryption.
Criminals are unlikely to have the resources ( computing power ) needed to crack modern encryption.
Not sure which is scarrier… A government that wants easy access that incresses risk to it citizens or one too stupid to not have other means to identify and track security risks.
Lisa… I Enjoy your articles … please keep them coming
Matt Parkes
Another case of another politician who knows nothing about the technologies she is talking about and stupidly relies on pre written scripts written for her by so called advisers who also sadly know nothing either – the blind leading the blind and this is dangerous and at the very least unhelpful. Yes we need a solution to the spread of hate speech and terrorist communication but backdoors in encryption is not the answer, good intelligence is and having the resources and people in place at the big companies on the front line is one way of helping combat such practices. What other methods should be used are for the security services to come up with, I am not in that industry. Here’s hoping common sense prevails in the end.
Tim Lovegrove
This is a typical politician ‘nudge’ – “real” people don’t really care about end-to-end encryption, and you’re a “real” person, aren’t you? So support what I’m saying because you’re part of that group of “real” people, and the rest of them don’t care about encryption, so why should you?
Nudging is fine when it’s used for good purposes, but this is trying to advance a flawed, poorly understood argument by appealing to equally poorly advised people who don’t understand the importance of the technology.
Tim Boddington
I’m a real person and I want encryption. #nobackdoors.
Mark
Does she truly believe this or is this just political spin? How many real people will simply fall for this propaganda and “agree” that what’s important to them is that their email works? Or that theycan get to FaceBook easier? Or that they can get free WiFi everywhere to save on their data charges? And of course they will all agree that we need to catch and stop those preaching hate. My cynicism says that Central Gov are just using this spin tactic as a way to “sell” their rediculous back door security policies because they want to cut down the bad press. I mean, how many “non-techy” news sites actually will criticise Rudd’s report?