Amber Rudd, the UK’s home secretary, has dutifully added her name to the growing list of British and US government politicians who’d like to see something done about “completely unacceptable” messaging encryption – and pronto.
Such calls have become a routine after tragic events: on this occasion it was a media report that Khalid Masood had sent a WhatsApp message two minutes before launching his terror attack in London on March 22.
Anyone involved in cybersecurity who heard the words “terror attack” and “WhatsApp” in the same story would have known by now what was coming next.
WhatsApp uses now fabled end-to-end encryption, which means that the police can’t access the message’s contents. Even working out who the recipient of that message is, on the basis of analyses of WhatsApp metadata, is uncertain.
WhatsApp is under no obligation to give police access to metadata but even if it did it wouldn’t extend much beyond the mobile number, receiving time-stamp and (possibly) a possible location. That’s a long way from having an account name and address as would have been the case with old-fashioned telephone numbers.
Like former prime minister David Cameron, who floated the idea of banning encrypted messaging apps two years ago, Rudd finds this aggravating, telling the BBC:
We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other.
Exactly what she means by “make sure” is unclear. Rudd’s talk of future legislation to (one infers) force internet companies to offer ways around encryption is a bit rich coming from a government that recently handed itself sweeping power through Investigatory Powers Act (IPA).
As for the technical feasibility of installing a hypothetical backdoor, Rudd has as much chance of getting US firms to buy that idea as successfully hosting a mad-hatter’s tea party with a chocolate teapot.
There will be no backdoors because, as Naked Security has pointed out before, they are a fool’s gold of unintended consequences. The fundamental reality is that the internet is a delicate edifice built on encryption. If you turn off a bit of encryption in one place, the effects of that eventually ripple across everything.
If there’s a back door in a messaging app used by hundreds of millions, might the same apply to other applications or the many layers of encryption on which digital commerce and civil society depends? Frankly, why not?
What Rudd is unwittingly asking for is the right to kick an ugly hole in security itself. Apparently an avid WhatsApp user herself, ironically she’d be among the first to suffer the consequences.
It could also be that Rudd’s enthusiasm for attacking encryption is driven by politics and the need to sound tough. Citizens like messaging apps but so, outrageously, do terrorists. One might as well argue that terrorists also take trains and drive cars, but when tragedies occur, an explanation is needed and right now the encryption is under suspicion.
Rudd is taking on a lot here – even the US government is struggling to cope with an issue as complex as this. These calls from politicians aren’t going to stop any time soon.
Mahhn
Just Ban encryption and get it over with.
All banking will be done in person, since apps will be insecure. This includes all stock market and international finance too. There will no longer be private Email, Online purchases will 100% go away. This will be a boom to creating jobs. Oh yeah, no more credit cards! cash only world!. This will save the governments millions since they can just listen to phone calls, and not have to decrypt them. All wireless devices will need to be disconnected, since anyone can control them all day long. No passwords (used for encryption) will be on wireless anymore, and hey, even Domains will have to go away, since they work off of encrypted passwords. This will create tons of jobs. Bitcoin and all crypto currencies GONE.
If you have a password – you are a criminal.
Next up is “whispering” and any language besides the governments official one, since that is a method of encrypting data too.
All hail the all mighty and wise government – we are now free from technology!
SafeSwiss (@SafeSwiss)
As terrible and tragic as last weeks UK event were the Govt cannot use this as a mechanism to simply ban encryption, reality encryption is here to stay – What last weeks event’s have done is highlight the effectiveness of end to end encryption such as deployed by likes of Telegram Messenger, WICKR, SafeSwiss, WhatsApp along with a multitude of providers. This truly represents a true paradox between privacy & security. Modern crypto architecture ensures there can be no back doors as either these apps are encrypted or they are not, there can be no middle ground. The purpose of robust encryption is to prevent any possibility of third party access, Its misguided to think that Govt can be considered a trusted third party. Banning encryption will open doors to a multitude of malicious attacks from adversary’s everywhere.
Paul Ducklin
You are undermining the many arguments against Amber Rudd by claiming that this is an attempt to “ban encryption”. It is not.
After all, the UK mobile networks use encryption extensively, but are nevertheless required to provide a mechanism for lawful interception inside their services. (You could argue, if you wanted, that WhatsApp has an unfair competitive advantage because it neatly sidesteps this regulation while competing directly with the mobile networks to provide voice and messaging services. Ironically, WhatsApp effectively complies with “know your customer” principles by requiring you to sign up with a working mobile phone number in the first place. That’s neat, but it is at least arguably unfair.)
There is no technical reason at all why WhatsApp couldn’t be required to comply with the same laws as the mobile networks – there would still be encryption, just implemented differently. It’s not as though WhatsApp was originally implemented as a secure messaging service, after all. Indeed, its early attitudes to both privacy and crypto were lamentable. WhatsApp aimed to compete by being free, not by being secure, and part of keeping costs down was undoubtedly the lack of regulatory hoops (or spectrum bids) the company had to jump through:
https://nakedsecurity.sophos.com/2013/10/10/whatsapp-mobile-messaging-app-in-the-firing-line-again-over-cryptographic-blunder/
The question is whether it’s practicable and purposeful to try to regulate WhatsApp now, and in particular whether such regulatory pressure might end up making things worse.
We discuss this in more detail here:
https://nakedsecurity.sophos.com/2017/03/28/heres-why-what-the-government-wants-with-whatsapp-wont-work/
(The URL is a bit of a giveaway of our viewpoint :-)
Anonymous
When will we get an official that understand technology?
Mike
Theresa May was very careful to keep the only Computer Science graduate in parliament busy as the Secretary of State for Exiting the European Union, where he can’t get in her way.
Max
“One might as well argue that terrorists also take trains and drive cars,..”. Exactly. If we ban everything that a terrorist might use we might as well put our whole society on hold. I mean, seatbelts allow a terrorist to reach his destination safely, should he choose to take a car. How dare the automobile industry make it so easy for terrorists to go from A to B, in such a secure fashion. Whenever we choose to compromise our own security just to also implicitly make terrorists less secure, the terrorists win.