It’s not that the UK government doesn’t like, or intends to ban, end-to-end encryption, UK Home Secretary Amber Rudd wrote in The Telegraph on Monday.
It just wants to break it a little. It’s OK, Rudd says: “real people” couldn’t give a rat’s rear about perfect security.
Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called “back doors”. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?
Rudd didn’t name the “experts” who are telling the government that it’s a good idea to compromise end-to-end encryption.
Rudd’s article was published to coincide with the first meeting of the Global Internet Forum to Counter Terrorism: a forum of “the world’s most powerful technology companies” called together in March, to figure out how to turn the tide on “do-it-yourself” jihadism.
The tentacles of Daesh… recruiters in Syria reach back to the laptops in the bedrooms of boys – and increasingly girls – in our towns and cities up and down the country. The purveyors of far-Right extremism pump out their brand of hate across the globe, without ever leaving home.
The latest rumblings about encryption – in particular, that of WhatsApp – is a continuation of the backlash that followed the Westminster attack in March, in which four people died and dozens were injured. According to reports, Khalid Masood had sent a WhatsApp message two minutes before launching the terror attack in London on 22 March.
The British government has been scathing in its condemnation of social media platforms for what it considers feeble attempts to combat hate speech: Yvette Cooper, a member of the opposition Labour party, recently told a committee of MPs that YouTube’s enforcement of community standards was “a joke”, and that Twitter and Facebook “are incredibly powerful organisations… it’s time they used more of that power, money and technology to deal with hate crime and keep people safe”.
The UK certainly isn’t alone in its impatience with online hate speech and terrorism propaganda. German police have raided homes over Facebook hate speech, and its lawmakers recently passed laws to levy huge fines on social media companies if they don’t take illegal material down promptly.
But besides extremist content, WhatsApp – with its end-to-end encrypted messaging – is a particularly sharp thorn in governments’ sides.
The Facebook-owned company has repeatedly explained that it can’t hand over user messages even if it wanted to, given that it doesn’t store them. Nonetheless, Brazil has blocked the service – repeatedly – a – and gone so far as to throw a Facebook exec in jail over encrypted messages during a court case about an alleged drug trafficker.
At any rate, exactly how would crippling end-to-end encryption in WhatsApp accomplish anything in the war against terror? Terrorists can always just shift to a different encrypted messaging service, after all. Worse still, they might go off and build their own encrypted platform, thus stymying law enforcement’s efforts further still.
Security expert Troy Hunt, for one, pointed out the irony of Rudd’s claim that nobody really cares about encryption (or that it requires some kind of trade off with usability) by tweeting out a list of links to sites used by Rudd that embrace the use of encryption:
Here’s @AmberRuddHR encrypted site https://t.co/zIsz46ms9W
Encrypted Wiki https://t.co/IVO2Swazkq
Encrypted tweets https://t.co/x4Cs8AYSjD https://t.co/W7nLf9eNdC— Troy Hunt (@troyhunt) August 1, 2017
Naked Security has explained that deliberately programming weaknesses so as to sidestep security when it’s inconvenient can have some truly nasty, unintended consequences.
…like these, put out by Naked Security’s Paul Ducklin back when the FBI was demanding that Apple create an iPhone backdoor so it could get into a locked iPhone belonging to a killer in the San Bernardino terrorist attack:
- Programming a hard-wired, “secret” password into authentication software so that there is always a guaranteed way in means that, well, there’s always a guaranteed way to let in the wrong people, and sooner or later, they’ll find it.
- Vendor-stored passwords are a breach waiting to happen. At any time, some or all of the password database could be stolen in a breach, sold off by crooked insiders, or acquired by court order. You simply can’t tell what security you have, if any.
- Weakened encryption systems get weaker over time as computers get faster. Cracking times fall year-by-year until they’re within reach of the average cybercrime gang, and ultimately even of a determined loner at home.
The call to fight terror is emotionally fraught, and it’s not to be dismissed lightly. Rudd’s righteously passionate about her entreaties that law enforcement be empowered to investigate, and to prevent, violence.
Weakening security won’t bring that about, however, and has the potential to make matters worse. That’s why Sophos has for years joined with Google, Apple, WhatsApp, Microsoft and other internet companies to say #nobackdoors.
“Real people” want their data to be safe. “Real people” are harmed by real breaches. “Real people” need to understand the real dangers of intentionally weakening security.