The Online Safety Bill has once again raised the prospect of the UK banning end-to-end encryption in messaging and other digital services enjoyed by tens of millions. With large fines promised for non-compliant providers, there’s a real chance they could pull their services from the country. As a result, UK users will be left less secure and with less choice, while those who want to hide their tracks will gravitate, as they always do, to unregulated offerings.
The government’s demands are either disingenuous or shockingly ill-informed.
No Cake to Eat
The government and many of its peers worldwide think they can have their cake and eat it. They continue to signal their support for strong encryption as an “existential anchor of trust in the digital world.” And they continue to state that they don’t want to do anything that will “materially weaken or limit security systems.” Yet, in the same breath, they demand that tech providers do the impossible: provide effective backdoors for law enforcement that somehow won’t impact the overall security of a messaging or similar service.
Experts have repeatedly pushed back against this “cakeism” stance. Some of the world’s leading lights in cryptography famously slammed a similar request by the FBI a few years ago. They are right, of course. Building a backdoor into software is extreme folly. The message to the criminal and nation-state hacking community will be clear: “We are building a deliberate weakness into our system that allows us to spy on users without them knowing.”
It’s naïve in the extreme to believe there’s a safe way of doing it. Whatever mechanism is used would be open to abuse either by hacking or, more likely, by social engineering or an insider breach. The value of knowing how to access that backdoor would be significant. And unlike a typical vulnerability, a backdoor can’t be easily fixed.
There are also practical considerations. Who would pay for maintaining the security of the backdoor? Would each country have a separate version? If WhatsApp, Signal and others leave the UK as they say they would be forced to, we will all be less secure. Not only will the government have failed to have its cake and eat it, there will be no cake left for anyone.
The Global Picture
We also can’t forget that there’s a global dimension to this. These apps are international, and we risk isolating ourselves with services that only work in the UK, because other countries will not want to use a compromised app. On the other hand, if the tech firms give in and provide a backdoor to the UK, you can bet that regimes more authoritarian than ours would want their own. How would the UK ensure China or Russia wasn’t using the same backdoor to spy on UK citizens and government/business users?
The bottom line is that only a small share of people using end-to-end encryption do so to hide criminal activity. Asking for a backdoor is akin to demanding that all cars have remote kill switches installed so the police can step in if they think a vehicle is being misused. This whole policy is about making life easier for law enforcement. But remember, they can already request message metadata, which can greatly help with investigations. And they can still deploy hacking tools to hijack individual devices and the messages they send.
Tech vendors typically cooperate extensively with law enforcement agencies. Yet they quite rightly push back against compromising the safety and security of 99.9% of users for the opportunity to monitor a few. Encrypted underground services like EncroChat and Sky ECC, used by tens of thousands of criminals globally, show that those in the know will always be able to stay hidden. Punishing the majority of consumers and blameless businesses to make life easier for police is not just senseless; it is reckless.