On Sunday, United Kingdom Home Secretary Amber Rudd, who oversees internal security, immigration and citizenship issues for the U.K., said that the end-to-end encryption capabilities of Whatapp and other messaging apps are “completely unacceptable,” and that technology firms that offer communication systems must provide governments with the ability to access information that users encrypt. She pointed to the fact that Khalid Masood, the terrorist who murdered several people in Westminster last week, used Whatsapp just a few minutes before committing his heinous crime; according to the BBC, Rudd even summoned representatives of Facebook (which owns WhatApp) to discuss ways to ensure that security officers get access to data that they need.
Despite the fact that there are certainly terrorists who use Whatapp and other modern communication tools, Secretary Rudd’s approach is mistaken: encryption backdoors harm security, and demands that app providers cripple the protection of private citizen’s communications is a danger to freedom, not a mechanism of combating crime. As John Gunn, CMO at VASCO Data Security, put it “if backdoors are forced upon us, then two things will happen; criminals and terrorists will still keep their secrets using any one of the more one hundred third-party encryption products, and average citizens will be left more vulnerable to criminal and state-sponsored hacking.”
As I explained when various government officials made similar demands after the terrible Paris attacks in 2015, there are serious problems with giving backdoors to encrypted communications to governments. First of all, it is not clear that there are not much better things that governments could do to prevent terror attacks – efforts that would both be more effective at keeping people safe, and not compromise law-abiding citizens’ privacy; until those efforts have been fully implemented we should not be discussing backdoors. Furthermore, as I have pointed out previously, and as was made as clear as day by the recent CIA cyberweapons leak, governments simply cannot be trusted to properly protect cyberweapons; can you imagine the damage that could happen if cybercriminals or foreign spies obtained a government’s tools to decrypt encrypted chats? As David Meltzer, CTO at Tripwire, said “the same backdoor you create for the government inevitably creates the potential for misuse, abuse, and being exploited by others,” or as Paul Calatayud, CTO of FireMon, expressed it in a Snowden-reminiscent fashion: “what if a contractor working for a government decides to steal these keys and perhaps flee to Russia?”
In an article entitled The Government Wants to Weaken Your Encryption. Here’s Why it Shouldn’t – I explained many other reasons why governments should not weaken citizens’ encryption – please check it out the piece. The logic from 2015 remains true today.
As things stand now, Whatsapp and various other communication providers design their encryption systems to work in a way that (at least theoretically) prevents them from providing governments with backdoors – the providers themselves do not have access to people’s unencrypted data; all encryption and decryption takes place on people’s devices, with only secured data passing through communication servers. Hopefully, such a situation will remain legal throughout the Western world, and a de facto standard.
It is worth noting that while the UK has strong privacy protections, it did recently vote to leave the privacy-valuing European Union; where the dust ultimately settles in both regions vis-a-vis government surveillance laws is still to be determined.
It is also important to recognize that culture may play a role in the ultimate acceptance of government demands for access to private information – and that the United States and the United Kingdom – while similar in many ways – exhibit different underlying cultural concepts vis-à-vis the relationship between the State and its people.
For years, for example, residents of the United Kingdom were technically “subjects” not “citizens” – a concept that would be an anathema to most Americans. Likewise, the notion that a democracy’s Head of State should be an biologically-inherited position (thereby de facto guaranteeing that only members of one ethnic group ever serve as Head of State) and may only be held by someone who practices a certain religion seems incredulous and anti-democratic to many Americans – but it is the law in the UK. While these matters do not impact daily life, and play little direct role in actual governance, they do illustrate fundamentally different underlying approaches to the State and its relationship with its people – exhibiting clearly that matters that members of one democratic culture typically feel violate individuals’ rights can be accepted and respected by the majority of those in a free society somewhere else.
There is no reason to expect that privacy is any different. While time will tell what happens, it is certainly possible that we will see a lack of uniformity – some democracies may allow private citizens to encrypt with whatever tools they choose, while others may outlaw fully protected communications.