Naked Security

Lawyer suggests tying access to encryption to verified ID

The lawyer leading a government review into terrorism law has suggested that we be forced to prove who we are before we're allowed access to encrypted accounts - but it's an idea that's fraught with problems

Encryption has become one of those uncomfortable itches that nobody in the British government or its platoon of advisers seems quite able to scratch.

But every now and then, somebody feels compelled to try, the latest example of which emerged last week in comments made by Max Hill QC, who is leading the Independent Review of Terrorist Legislation (IRTL).

We only have the Evening Standard’s presentation of his comments plus a few follow-up observations by Hill to go on, but what he seemed to be saying was the following:

Social media accounts are used for direct communication and to spread terrorist propaganda, much of which uses encryption and is therefore difficult to monitor. The solution is to force all users to prove who they are before they get access to accounts with encryption privacy turned on.

In his words:

A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user.

If the technology would permit that sort of perusal, identification and verification, prior to posting, that would form a very good solution… and would not involve wholesale infringement on free speech use of the internet.

According to Hill, this ID checking could be done in “nano-seconds” and at a cost that is reasonable for tech companies to bear given the profits they make.

Before dissecting how this might work – or not – let’s give Hill credit for opening his mouth in the first place. A lot of people will ridicule the proposal, but it’s better to hear what people of influence think about the subject so that the flaws in an idea can be exposed before it influences policy-making.

Hill’s idea of identity checks sounds different from the home secretary Amber Rudd’s interest in bypassing encryption through technical means, but arguably all it’s doing is translating one problem (encryption privacy) into a new one (assessing identities).

The problem is that no such system of identity exists on the internet, let alone one that works in real time. Even making this work in one country, the UK, or on one platform, Facebook, sounds difficult.

And who would be the gatekeeper for an approved identity? The tech companies? A government appointee? ISPs? The latter already face a complicated challenge to implement age verification for UK citizens who wish to access porn from 2018 and that’s a relatively straightforward problem by comparison.

Then, as with the debate over bypassing encryption, there’s the problem of displacement, as Hill acknowledges:

It would not be an effective solution to the problem of online extremism simply to drive the criminal publishers of that material into dark spaces which neither the police nor anybody else can reach.

Even if an identity system could be invented, there’s the likelihood that criminals would simply game it by using bogus or stolen identities.

This is because the internet is a system that thrives on its lack of identity checking. This has negative consequences – criminals impersonating people and stealing their identities – but in other instances, such as protecting oneself from the growing number of nosy, censorious governments, it is fundamental.

Surely it is not identity that should be at issue but online behaviour. Funnily enough, that was supposed to be another thing tech companies promised earnestly to filter in real time despite having failed to do so.

Why tech companies have struggled with this is a matter of conjecture. But until they can control what goes on inside their own platforms, withholding encryption for the badly behaved sounds like another example of fixing the symptom, not the cause.


6 Comments

Anonymity is also what protects a lot of internet users from trolls … If you must use your real identity not only can they bully you on the web but they can find where you live …
People who intend to hurt other people will always find a way around any regulation.

Being anonymous is less protection when you think you can safely say anything, and then get outed. False sense of security is a go. (still better than no anonymity, admittedly)

Giving someone in power credit for speaking out is fair – as you say, it at least allows us to know what they don’t understand.
Since the e-Passport machines work for me less than 30% of the time, and are usually out of order at my local airport, then I am cynical about ability to prove ID. Of course, we could have solved the problem with an ID card – our refusal to have a system is why we cannot be part of Schengen, and be borderless (the upside is that in the Schengen area you must carry photo ID at all times and can be randomly stopped for identity checks – something that might be more effective in fighting terrorism than Border Farce).
So what would happen to all the corporate “like us on Facebook” accounts? Without ID, companies would not be able to set them up. This would not help Facebook’s advertising revenue, so don’t see this happening.

As I recall, the ID card scheme in the UK was fraught with complexity and expense, which is why the idea was abandoned. There were also numerous ways thieves could steal or borrow them.

Worth remembering that the Klan resurgence in the 1940s was halted by an anonymous whistleblower who found that law enforcement were more interested in silencing him than addressing his evidence, so he went public anonymously.

Unambiguously authenticating a registered user is easy (we do it all the time). The loophole is in the registration, where there’s no guarantee that a user is registering a real person.
