The publication of the Home Secretary’s draft Investigatory Powers Bill - due to pass into law by the end of the year - has intensified a debate that has been simmering for some time: Should communications providers be legally forced to break their own security when required, even if they must fundamentally change the way their encryption works in order to comply?
Navigating this challenge is a complex task, not least because of the way encryption works across many of the world’s most popular communications platforms. Services such as iMessage use end-to-end encryption, where the people sending and receiving messages hold their own public and private keys.
Whatever is encrypted with a public key may only be decrypted by its corresponding private key and vice versa – so only those involved in a particular conversation can decrypt the messages that pass between them. The service providers themselves operate with ‘zero knowledge’ of the private user keys, or what is being communicated, and merely facilitate the conversation.
Because of this, the only way for them to obtain the level of access required by law enforcers would be to weaken encryption or change the way the keys are stored or exchanged. There is no way for the mediator to simply decrypt content and hand it over; they would have to re-work the system, creating a backdoor of sorts.
The revised bill, published last week, comes as Apple’s CEO, Tim Cook, fights a court order to build an encryption backdoor to access an iPhone linked to the San Bernardino terrorist attacks - the implications of which, he argues, are “chilling”. Here are a few points to highlight the profound impact that weakened encryption could have on UK business:
Encryption underpins nearly everything
Encryption isn’t just for hackers, terrorists and data thieves. Though you may not know it, encryption provides the secure backbone to just about every platform for collaboration, connection and communication that exists today.
From a business perspective, encryption enables organizations to work across enterprise boundaries in the cloud, sharing commercially sensitive or legal documents more securely. The same is true for many other everyday processes: with online banking for example, encryption scrambles the messages we exchange with our banking server, keeping our personal details safe, and ensures that the messages we send via messaging platforms remain private.
If service providers operating in the UK are legally obliged to weaken encryption to allow greater surveillance of internet users, the security of a whole range of communication platforms could be compromised, making the private data of individuals and businesses at every level more visible and vulnerable.
In turn, the trust that we put into the internet (or at least those providers we know to be subject to this legislation) could be severely diminished, impacting global trade and collaboration, and threatening our economic growth.
Weakened encryption could create an exodus of service providers from the UK
The risk to corporate and personal data has never been so great, due to an ever-growing range of new threats to contend with. Security is therefore the number one concern for service providers and their customers. If, because of proposed new legislation in the UK, they are unable to provide the type of secure service their customers want and expect, they may withdraw to jurisdictions outside the scope of the bill to do so.
The potential exodus of technology companies providing vital internet services could cause huge disruption to British businesses and individuals who rely on those products, and poses a real danger to the country’s thriving technology sector, wider economy, and international competitiveness.
Of babies and bathwater
It’s not just service providers. Taking a broader view, the nature of the internet is such that businesses and individuals who don’t want to be subject to new rules in the UK are free to use services run from other countries – perhaps ones that strike a different balance between individual privacy and government control.
Weakening UK based encryption will therefore not make criminal messages more easily readable – people with something to hide can simply move to one of the many alternative secure services available to them from jurisdictions unaffected by UK legislation.
Organizations have a duty to protect the information that is in their care – whether that is their own intellectual property, industrial secrets, market moving data or the personal information of their customers and staff. Innovative technology companies have delivered powerful solutions to help protect this vital information that must often be shared securely across geographies and jurisdictions and sometimes with external partner organizations.
Technology now exists to enable strong encryption to travel with documents wherever they need to go – the documents are able to ‘phone home’ to ask if the reader is allowed to see their contents and can be effectively told to self-destruct by their owners. Other new technology solutions allow an organization to take over the management of their own encryption keys for content stored with a service provider - a model known as ‘Customer Managed Keys’.
It is not wise to insist that UK companies cannot benefit from this type of encryption innovation where other countries can – nor would it be beneficial for the UK to be seen as a low encryption, low privacy zone for doing business.
As the encryption debate rages on, it’s abundantly clear that more security, not less, is key to protecting the future growth of the internet and every industry that relies on it. Let’s hope that the Home Secretary champions the interests of British business, collaborates with global technology providers to ensure an agreeable outcome for everyone and remembers not to throw out the baby with the bath water.
Listen to a session on "Privacy, Encryption and the "Snoopers Charter': Implications for Data Security" in the Infosecurity Magazine Virtual Conference, Tuesday 15th at 3.55pm GMT here