Last week, the UK government confirmed plans to force Internet companies to undermine security by weakening or backdooring encryption. As Privacy News Online reported back in March, the UK’s Home Secretary (Interior Minister) Amber Rudd refused to rule out this move when she called for the “necessary hashtags” to be used. But what was just a vague threat then has moved much closer to reality now that the UK government has held a brief and semi-secret consultation on the so-called “Technical Capability Notices”, which will enable it to demand compliance from companies. Now the Conservatives are saying that they will bring in the new powers as soon as they can after the UK General Election, assuming they are returned to office, as currently seems likely.
The fact that this story broke the day after the attack in Manchester is probably no coincidence. The UK government seems to have decided to exploit public outrage over the murder of so many young people to ensure that protests over the news that the long-threatened assault on encryption is happening would be muted. The implicit reasoning is that if the UK government had been able to read encrypted messages, the Manchester attack would somehow have been averted.
But as more details of the terrorist emerged, it became clear that there were at least five opportunities to have the stopped him, and none of them involved breaking encrypted messages. An article in the Daily Telegraph, a strongly pro-Conservative newspaper, reported:
“Counter Terrorism agencies were facing questions after it emerged [the bomber] Salman Abedi told friends that “being a suicide bomber was okay”, prompting them to call the Government’s anti-terrorism hotline.
Sources suggest that authorities were informed of the danger posed by Abedi on at least five separate occasions in the five years prior to the attack on Monday night.”
Abedi could hardly have been more explicit about his interest and support for terrorism if he had flown the black ISIS flag. It turns out he did that too, but the authorities once again failed to investigate:
“Abedi, who was born in the UK to Libyan parents who had fled Muammar Gaddafi’s regime, had shown signs of extremism including flying an Islamist flag from his Manchester home but not raised sufficient alarm to spark intervention by British security services.”
The obsession with breaking encryption shown by both the UK and US governments makes little sense when viewed against the facts of recent attacks. For example, the terrorists who killed 130 people in Paris in November 2015 used burner phones, not encrypted conversations, to evade detection. And even when terrorist do use encrypted channels, their opsec is so poor they get caught anyway, as ProPublica reported last year:
“In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.”
This raises an important point: that even when strong encryption is used, it is often possible to circumvent it in various ways. Recently, the well-known security expert Bruce Schneier co-authored a paper that looked at the many techniques that can be deployed in order to recover encrypted information. Those methods will be indispensable even if backdoors are forced on mainstream Internet companies. People wishing to preserve the privacy of their communications will easily find alternatives if they wish, for example VPNs or open source programs, whose security will remain at full strength whatever governments may decree.
It’s clear that forcing companies to undermine end-to-end encryption, or backdoor services and products, won’t provide the benefits that the UK governments claims as justification for this course of action. But doing so will have two very real, and very serious adverse effects for Britons.
First, everyone in the UK using products and services that have been weakened, or have backdoors, will be much more vulnerable to leaks of private information, and to attacks like WannaCry that use hidden flaws to spread. Although it is not clear at this stage how the British authorities will force Internet companies to weaken their services – whether by adding backdoors, reducing the size of crypto keys or whatever – it is certain that doing so will make them vulnerable to attacks by criminals and state actors. That inevitably means that UK citizens will be less secure than they are now – a rather ironic outcome given the claims that the move is to make people safer.
The other huge problem is that no country or major company will ever be able to trust British software again. The assumption has to be that the UK government has forced domestic high-tech firms to create backdoors that it can use at any time. Since the UK authorities will never reveal when and where they have obliged companies to weaken encryption, and the company officers will risk prison if they do so, it will never be clear when backdoors are present. For foreign purchasers of UK products, there will always be a lingering fear that the software has been compromised. Given the serious risks that such backdoored products represent for governments and companies, it is far safer to buy elsewhere.
Moreover, UK plans to weaken crypto will undermine the country’s high-tech industry at a moment when it is starting to experience problems thanks to the imminent Brexit, which is making hiring good engineers and attracting venture capital harder. Rendering British products difficult, or even impossible, to sell to key markets in the future is an astonishingly short-sighted move by the UK – and great news for software companies in the rest of the world.
Featured image by Alexander Kachkaev.