Security community resists anti-encryption push as counter-productive

ANALYSIS Western governments have doubled down on their efforts to rein-in end-to-end encryption, arguing that the technology is impeding investigations into serious crimes including terrorism and child abuse.

In a joint statement (PDF) published over the weekend the Five Eyes (FVEY) intel alliance countries of Australia, Canada, New Zealand, the UK, and US were joined by India and Japan in calling for tech firms to “enable law enforcement access to content” upon production of a warrant.

The governments also want tech firm such as Apple and Facebook to consult with them on design decisions that might help or hinder this outcome.

The statement’s signatories call for tech firms to “embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable.”

How might this work? GCHQ recently came up with a proposal for adding an extra party into an end-to-end encrypted chat via a “ghost” feature, a pointer to the sort of approaches intel agencies have in mind.

Security experts have pushed back against the proposals, arguing that they inevitably undermine the privacy and integrity of end-to end encryption – the current gold standard for secure comms.

An end to E2E encryption?

In end-to-end encryption systems the cryptographic keys needed to encrypt and decrypt communications are held on the devices of users, such as smartphones, rather than by service providers or other technology providers. Users therefore don’t have to trust their ISPs or service providers not to snoop.

Popular instant messaging apps WhatsApp, iMessage, and Signal have placed E2E encryption in the hands of the average smartphone user.

So if governments come knocking with requests for the keys normally necessary to decrypt encrypted communications, then there’s nothing to hand over.

Western government say they support the development of encryption in general, as a means to secure e-commerce transactions and protect the communications of law-abiding businesses and individuals – it’s just E2E encryption they have an issue with. Governments have long argued that E2E encryption is hampering the investigation of serious crimes, at least on a larger scale.

Malware can be used by law enforcement against individuals targeted in surveillance operations, a tactic which if successful gives access to content without needing to break encryption.

And police in countries such as the UK, for example, already have the ability to compel disclosure of encryption secrets from suspects.

As the anonymous privacy activist behind the Spy Blog Twitter account noted: “UK already has law for disclosure of plaintext material, regardless of encryption tech, but they want to do it in secret, in bulk.”

The tweet referenced the Regulation of Investigatory Powers Act 2000 Part III, which deals with the investigation by law enforcement of electronic data protected by encryption.

History repeating?

Security experts were quick to criticize the latest government moves as a push to mandate encryption backdoors, supposedly accessible only to law enforcement. Several compared it to failed government encryption policies of the 1990s.

These included efforts to control the US export of encryption technologies and attempts to mandate key escrow.

Katie Moussouris, chief exec of Luta Security and an expert in bug bounties, tweeted: “The 1st time they did this (look up crypto wars), it weakened e-commerce and all other web transactions for over a decade, enabling crime. I wish we didn’t have to repeat these facts.”

Encryption of any type can be viewed as a branch of applied mathematics but arguments that “anyone can implement encryption in a few lines of code” miss the point that what governments are seeking is to “make encryption tools inaccessible to the broader public,” according to noted cryptographer Matthew Green.

De-platforming communication platforms

One thing that’s different this time around compared to the first crypto wars is that governments have more levers to apply pressure on tech firms, including app store bans. Last month, for instance, the Trump administration threatened to ban TikTok in the US over supposed national security concerns unless owners Byte Dance sold the technology to a US firm.

Green noted: “The current administration has demonstrated that app store bans can be used as a hammer to implement policy, and you can bet these folks are paying attention.

“I also think that sideloading capability is likely to be eliminated (or strongly discouraged) in a regime where encryption bans are successful,” he added.

Cryptographer Alex Muffett expressed fears that the government proposals might eventually result in “non-compliant social networks [getting] banned under criminal law”.

“End-to-end encryption is a key tool towards securing the privacy of everyone on the planet, as the world becomes more connected. It must not be derailed, instead the police should be better funded for traditional investigation,” Muffett said on Twitter.

RELATED ‘Are we building surveillance into systems, or are we building in security?’