More and more countries are considering various types of bans on encrypted communications. Germany is thinking about it. So is the UK. Australia is actively pursuing it too.
Read on to hear why encryption bans are a bad idea.
Do You Mind If I Listen In?
In general, governments all around the world have painted encryption as a detrimental thing. They don’t seem to understand it and keep proposing measures that will weaken or outright break secure communications.
Several countries are seriously considering encryption bans that would leave everyone’s security and privacy more vulnerable.
Encryption policy is kind of a binary choice – you can either have it or not. Measures to make it more crackable are by definition not effective even in genuine use cases. They also always assume the “bad guys” will never find their backdoors and secret interceptions.
Signals intelligence is valuable, but human intelligence and traditional investigative methods caught Bin Laden, Al Capone, and many others.
So why are governments all over the world so keen on the misguided idea of an encryption ban? Let’s look at a couple of examples.
“It’s no longer OK not to understand how the Internet works.” – Aaron Swartz
British intelligence has made a proposal that would allow law enforcement to spy on encrypted messages (called a “ghost”). This would require making encryption less strong or back-doored – a serious threat to cybersecurity and personal privacy.
They outline their premise plainly in this article: Principles for a More Informed Exceptional Access Debate. It is full of poor logic, false comparisons, and misinformation. It does, however, contain lots of flowery statements like “We’re not talking about weakening encryption or defeating the end-to-end nature of the service”.
They Have No Limiting Principle
“Investigative tradecraft has to evolve with technology” – https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate
I agree – it should. However, at what cost?
Terrorists use phones, email, cars, weapons, and everything else humans can use. Should we ban them? If not then why not? A big problem with the debate is that the side which wants mass surveillance seems to have no limiting principle about how far they will go.
To rid the world of goods and services useful to the few terrorists in our midst would be to leave everybody worse off.
Platitudes of Concern
“The internet cannot be allowed to provide a “safe space” for terrorists and therefore working cryptography must be banned in the UK…there should be no means of communication we cannot read.” – Theresa May, British Prime Minister
I swear I didn’t make that quote up – it is surreal to read – and at least is refreshingly honest.
Parents Governments Just Don’t Understand
Cory Doctorow makes his point: Theresa May wants to ban crypto: here’s what that would cost, and here’s why it won’t work anyway.
“It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security” – Cory Doctorow
What would it actually take in order to accomplish a ban on encryption? Doctorow explains further:
- A backdoor system where only the “good guys” have the keys means that effectively we have no security
- Vendors may as well write their software pre-broken from the start – in fact, that’s literally how it would have to be – like writing bugs into your code on purpose.
- Effectively banning software vendors from making strong secure software
- FOSS solutions would also have to be blocked – now you are entering a level of government coercion little different from China
- Search engines would have to censor web pages carrying secure software – BTW some really big ones are in the US that you likely use daily.
- Deep packet inspection would be used by ISPs and others
- Borders become tricky – anyone visiting from abroad might have to leave their smartphones at the border until they leave
Tech Companies Are Against It
Major technology companies like Apple, Google, and WhatsApp have lined up squarely against this.
But as is always the case, the people who want these powers swear they will only be used for good and not evil. They always proclaim they need to surveil anyone they suspect of a crime. The same proffer is made: give us the power to peer into your personal communications and we will fight terrorism and child pornography and atrocity x, y, and z.
However, this is a misleading line of thinking.
Experts Around the World Are Opposed
Besides the technology powers, other key people have voiced their opposition. An open letter signed by stakeholders around the world – civil libertarians, human rights activists, major corporations (Apple, Google, Microsoft), and experts like Bruce Schneier (read his blog!), RMS, and Philip Zimmermann – explains the problem with an encryption ban.
As they point out:
“For GCHQ to achieve their goal, they must require service providers to secretly inject a new public key into the conversation, AND require messaging apps, service providers, and operating systems to change their software to break the encryption.”
Not to mention the possibility of introducing new vulnerabilities. Unless you are a software developer, you cannot truly grasp how impossible it is to write bug-free code.
This sort of nonsense is already in place in Syria, Russia, and Iran. Let’s not follow suit and keep our freedoms instead. You see, comrade – security services are really bad at overseeing their own behavior.
For example, consider the TSA. They required only the use of certain locks for your luggage. This is because they have a master key to open them. Do you want to guess what happened? Employees started stealing things!
The Mathematics Down Under
In this fast-paced race to the bottom, Australia is leading the way for Western countries. About 6 months ago, Australia passed a bill that would force technology companies to hand over encrypted data.
Think of the Children!
“We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need” – Labor Party Leader Shorten
This reminds me of when the US Congress passed the Patriot Act without even reading it…and this is no 9/11.
Australian leaders warned that national security was at risk because authorities were unable to monitor the communications of suspects. This is the same tired argument the FBI makes – they are still mad over the Crypto Wars of the 1990s.
Australia’s government has said the laws are needed to counter militant attacks and organized crime and that security agencies would need to seek warrants to access personal data. Sounds reasonable, right? Well in the US we have National Security Letters sent requesting data with a gag clause. The NSLs have to go through a warrant process – it is just rubber stamped by the same people asking for the data.
“The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia” – Australian Prime Minister Malcolm Turnbull
I would point you to the source of this quote but the Australian government took it down. The EFF wrote about it here. As is par for the course, they passed it at the last minute with a ton of non-related amendments that nobody really understood before voting on it.
Closing Remarks on Why Encryption Bans Are a Bad Idea
Strong encryption is what makes things like online banking and electronic health records possible, and what allows whistle-blowers and persecuted people to be heard unfiltered. It is a staple of our modern lives.
If enough countries go down this path it could foster an international agreement banning strong encryption. Free speech means free speech. There are fewer places that allow anything close to this anymore. Those who oppose either don’t understand what it means or don’t care.
Don’t throw the baby out with the bathwater – I choose to err on the side of free expression – no matter how distasteful, vulgar, etc. Even if we assume all of the disadvantages here are legitimate, the question remains – Who Watches the Watchmen?