Ex-GCHQ Boss: Encryption Backdoors Are a Threat to All


Former GCHQ boss Robert Hannigan has argued that governments should never force tech companies to build encryption backdoors in their products and services as it will weaken security for the majority.

Speaking on BBC Radio Four’s Today program, Hannigan went further than he did when in charge at the spy agency by claiming explicitly that end-to-end encryption of the sort used by WhatsApp, iMessage and other platforms is generally a force for good.

“Building in backdoors is a threat to everybody and it’s not a good idea to weaken security for everybody in order to tackle a minority,” he said.

“The challenge for governments is how do you stop the abuse of that encryption by a tiny minority of people who want to do bad things, like terrorists and criminals. And you can’t un-invent end-to-end encryption … you can’t just do away with it, you can’t just legislate it away.”

The alternative route for the security and intelligence services is to “work with companies in a co-operative way to find ways around it”, by focusing on those individual suspects using the technology to hide their communications, he claimed.

“The way around encryption is to get to the endpoint – the smartphone or the laptop that somebody who is abusing encryption is using. That’s the way to do it. Trying to weaken the system, trying to build in backdoors won’t work,” concluded Hannigan.

His words will provide succor for privacy activists alarmed by what seems to be an increasing readiness by Western governments to undermine the very foundations on which their economy and national security are built, in the name of fighting terrorism and cybercrime.

Provisions to force ISPs and network operators to provide access to all communications of suspects within one working day are included in the new Investigatory Powers Act, although the technical details are still being worked out.

It remains to be seen how the UK government could force US tech companies to comply, while banning their services outright would be similarly unworkable.

The main argument against modifying end-to-end encryption is that once a backdoor has been engineered, it will eventually fall into the wrong hands and undermine security for the countless consumers and businesses who rely on it.
