Government badly needs a new message on encryption
It is a truth universally acknowledged that encryption technology is “helping criminals” commit their crimes.
Well, perhaps not universally acknowledged.
But it seems to be pretty well accepted at the top of the Home Office, where successive ministers have taken a stand against the security technology.
During their stints as home secretary, both Amber Rudd and Sajid Javid expressed their belief that encryption is a tool highly valued by perpetrators of crime – as it makes life easier for them, and harder for law enforcement. Both Rudd and Javid called on tech firms to take action – although precisely what action was never entirely clear to this reporter.
In her first few days in post, the new home secretary Priti Patel has taken perhaps the firmest and clearest stance on the matter yet. Following a meeting with her counterparts from the other members of the Five Eyes intelligence alliance – the US, Canada, New Zealand, and Australia – the ministerial quintet issued a joint statement effectively demanding that tech firms install so-called back doors in their technology that would permit the government to access data.
“Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format,” the ministers said, in a joint statement.
Reiterating the notion that encrypted messaging makes it easier to engage in illegal acts, Patel added her own comment that “tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals”.
Patel, and her predecessors, are right – encryption technology does help criminals.
And, while she is getting tough on the tools of their trade, the home secretary might also wish to crack down on some other important weapons in the villain’s arsenal.
Lockable front doors definitely help criminals. Curtains, too.
If we could only see into everyone’s house all the time, it would be a lot easier to know when someone inside was committing a crime.
Mobile phones have also been a massive boon for crime-committers, as have many forms of sporting equipment, garden implements, and kitchenware. Which is to say nothing of the helpfulness of pens, paper, packaging, foodstuffs, luggage, computers, toiletries, and children’s toys.
But just because, for example, a baseball bat can be used to cause harm does not mean the government should be granted conditional access to the email account of anyone who is part of an office softball team.
Nor should authorities be allowed to compel locksmiths to provide a key to every front door in the land – in case any of us is at some point believed to be engaged in something illegal behind ours.
The same is true of encryption.
It helps criminals because it helps everyone. And compromising it will necessarily compromise us all.
As the name suggests, end-to-end encryption works on a basis that is holistic and all-encompassing. Creating any kind of entry point – whether a back door, a side gate, or a basement window – will weaken the technology, and possibly even render it useless.
It will leave our data at greater risk of attack and will actually make us all more vulnerable to crime.
The government may be the only ones given keys to the back door. But, whether in the physical or cyber realm, criminals tend not to bother with keys anyway. If there is a door in our encryption – where previously there was a brick wall – it will make it significantly easier for people to break in.
In, effectively, pitting privacy concerns against public safety, Patel (pictured above left) is creating a false dichotomy.
And it wouldn’t be the first of these we’ve seen from her department.
In the rollout of the settlement scheme for EU nationals, the Home Office has faced repeated calls to introduce physical documentation for citizens granted settled status. Select committees from both Houses of Parliament have counselled the department that, in persisting with a digital-only status, the government is risking a repeat of the harm caused by the Windrush scandal.
Declining to issue physical documents will mean that Europeans in the UK – particularly the elderly and the vulnerable – are at risk of being unable to prove their status, MPs and Lords have warned. This could mean their being denied healthcare and other public services – or worse.
In responding to these concerns, the Home Office has consistently stuck to its position that digital systems are more secure than those based on paper.
But no-one has suggested otherwise.
In pitting privacy concerns against public safety, Patel is creating a false dichotomy.
Pointing out that paper is more easily corruptible than a piece of data on a government server does not exclude the fact that getting rid of those pieces of paper could endanger the people to whom they are issued.
They are two, separate – albeit somewhat overlapping – problems. Noting the existence of one does not solve the other.
Of course getting rid of encryption will make it easier to catch criminals in the act, just as getting rid of paper documents will make it harder to steal, lose, or forge them.
Similarly, if the government wants to eradicate the £1bn-plus of damage caused across the UK each year by potholes, it could simply close the country’s entire road network.
A slightly disproportionate plan, perhaps, but little more so than some other solutions currently being put forward in the name of making us safer and more secure.
Patel and her predecessors are among a growing number of politicians to speak out against encryption. But their ideas are no less flawed with each repetition.
It is time for a new message.
The spread of online misinformation during the Covid-19 pandemic has exacerbated a public health crisis. PublicTechnology digs into a recent parliamentary inquiry to find out...
Ciaran Martin believes major security incident is still more likely to come from ‘unintentional consequence’, rather than attackers’ expertise
Liam Fox’s systems were accessed by suspected Russian hackers, it has been reported
The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities