Western governments, notably the UK and the US, are pushing the software industry to open “backdoors” into our encrypted communications.
The argument touted by government agencies for nearly 20 years is that terrorists use strong encryption to hide their communications, therefore we should ban strong encryption.
British Prime Minister David Cameron has been outspoken in his desire for such a ban.
And last week, US President Barack Obama’s chief of staff and a team of national security officials flew to Silicon Valley to meet with top technology companies Twitter, Microsoft, YouTube, Facebook, LinkedIn, Apple and Dropbox. It’s likely they discussed collaboration between Silicon Valley and US intelligence and law enforcement on “back-dooring” encryption.
In response to this push to undermine encryption, an open letter to governments, called “Secure The Internet”, was published this week. It is signed by more than 170 companies, organisations and individuals from around the world, including leading data security researchers.
The letter calls for all governments to reject back-dooring or the weakening of encryption products.
Encryption is used by most of us every day, typically with no conscious effort. If you log into your e-mail or bank site with an address starting “https://”, then you are using encryption.
It seems likely governments around the world are trying to either woo or cajole the tech industry and security researchers to “break” the software they build by installing backdoors or other holes for the government to access our communications effortlessly.
The problem with installing backdoors is that bad actors — organised crime, fraudsters, hostile foreign governments and the like — may also focus their attention on these security holes. Any universal “passkey” built into such a system would be immensely valuable, and worth spending enormous resources to capture, thus making those who had them significant targets for espionage.
The push to emasculate the strong encryption we use every day is akin to the government telling every citizen we can’t lock our front door, or maybe we can only use a weak little latch. It’s like requiring everyone to send our passwords to a central government office.
The aim should be to improve security on the Internet, not to break it. Governments colluding to break Internet security introduce the risk of breaking our evolving digital economy as well by undermining trust in businesses and banks. Imagine logging into your online banking or your insurance company, and not knowing if the encryption was secure.
The argument that terrorists might use encryption so we should ban it is without nuance and probably even without effect. Terrorists might also use steak knives to commit crimes, but we don’t make steak knives illegal. Steak knives have other useful purposes in society. And, like strong encryption, these benefits greatly outweigh the very small risks.
Will it even work?
The Secure the Internet letter references the research paper authored by a who’s who of the world’s top computer security researchers.
The paper highlights the numerous problems with implementing such policies in practice. Many of these researchers were around when the first major push came from government to impose weakened encryption on the masses in the form of the Clipper Chip in 1997.
They concluded “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago”. Such schemes kill innovation. Indeed, the authors query whether Facebook and Twitter would even exist today if the previous scheme had been imposed.
Security agencies have a cornucopia of powers and resources to chase terrorists. At some point, that chase has to be about the mundane gumshoe work of gathering intelligence from human contacts, not just about sitting at a desk of computers scanning communications.
Realistically, back-dooring strong encryption software, which is what is being floated here, will not stop terrorists. They will simply find and use other channels, including secure software distributed via other countries that do not have such restrictive laws.
The desire to break the computer security of an entire population also hints at the more insidious aim of governments trawling all of our private communications.
With Edward Snowden’s revelations about exactly this, it is important to view this recent push to destroy the innocent citizen’s right to use encryption securely through this lens.
The contradiction of this push is that governments are trying to force our communications to be less secure while claiming to make us more secure.
If we want to retain our freedoms, we will also need to take some responsibility by changing our own mind-sets. We as citizens need to accept that there is some risk in an uncertain world. We cannot expect law enforcement or intelligence agencies to provide 100% guarantees; it is both unrealistic and unreasonable.
The urge to “do something” after terrible attacks like those in Paris should be spent fixing the underlying causes of terrorism, not creating legislative overreach designed to grab tomorrow’s headline.
Keeping the keys to our own house requires a balanced approach in all things.
- Suelette Dreyfus is research fellow, department of computing and information systems, University of Melbourne
- This article was originally published on The Conversation