Government must prove plans to control encryption work, says former cybersecurity chief

The government has been challenged to explain how it can “clearly and transparently” allow law enforcement and intelligence agencies to access encrypted communications while maintaining communications security.

Ciaran Martin, founder and former CEO of the National Cyber Security Center at GCHQ, and now a professor at the University of Oxford, said it should be up to the government to define detailed technical options for review and debate on its plans for monitoring encrypted communications.

His comments came amid increasingly polarized arguments between the Home Office, which contends that end-to-end encryption allows people to broadcast images of child abuse or terrorist content, and cryptographers who warn that weakening encryption will compromise everyone’s security.

Home Secretary Priti Patel has pointed the finger at Facebook, asking it to abandon plans to extend the end-to-end encryption of its WhatsApp service to Messenger and Instagram, on the grounds that the encryption would help criminals.

But Martin said at a conference hosted by the Bingham Center for the Rule of Law that the use of end-to-end encryption should be allowed unless a technical compromise can be found that is acceptable to the technology industry and crypto experts.

“If an appropriate technical compromise solution that commands the confidence of experts and industry cannot be achieved, then security must prevail and end-to-end encryption must continue to develop, legally unimpeded for the industry, improving our digital homeland,” he said.

Responsibility lies with the government

The government argues that the tech industry should allow government access to encrypted messages, while demanding the highest levels of cybersecurity.

“However, it is certainly the responsibility of government, and not industry, to set out clearly and transparently how they think these two seemingly irreconcilable goals can be achieved in the same regulatory package?” Martin said.

Tech companies and cryptographers claim government demands are simply not possible – the government is indeed trying to argue against the laws of math.

If the UK and US governments can read the encrypted messages, then criminals or hostile nation states such as North Korea or Russia potentially can too.

Extensive proposals to find a compromise, including proposals by Ian Levy, technical director of the National Cyber Security Center, to use “virtual crocodile clips” to eavesdrop on encrypted communications, have failed to convince skeptics, said Martin.

Apple’s plans to introduce “client-side analysis” technology to detect child abuse images before they are encrypted have sparked a backlash from the world’s top crypto experts and Internet pioneers and have now been suspended.

An expert report has identified more than 15 ways in which states or malicious actors and targeted attackers could transform technology to harm others or society.

Martin spoke skeptically of the Home Office’s program known as the Safety Tech Challenge, which offers a prize to companies that can implement end-to-end encryption “without opening the door to higher levels of sexual abuse of children”.

If anyone can develop the innovative technology envisioned by the Home Office, he or she will likely be worth much more than the £85,000 promised by Her Majesty’s Treasury.

“The government still has a long way to go to convince people that it has not just launched a competition to develop the digital age equivalent of alchemy,” he said, in a speech first reported in Prospect magazine.

He said much of the public intervention at ministerial level over the past three years appears to have been spent “yelling at Facebook,” which has been slower than other tech companies to implement end-to-end encryption on its platforms.

The prospect of Facebook fully encrypting its services has alarmed organizations such as the National Society for the Prevention of Cruelty to Children (NSPCC), which reported in 2019 that half of online abuse reports came from Facebook platforms. In the United States, the figure is closer to 90%.

Home Secretary Patel, along with other interior ministers from the Five Eyes countries, wrote an open letter the same year to Facebook CEO Mark Zuckerberg, urging him not to introduce end-to-end encryption.

But Martin said it was unreasonable to conclude that Facebook accounts for the vast majority of child sexual abuse online. The numbers simply reflect the fact that Facebook has yet to implement end-to-end encryption.

“The harsh reality is that these policy interventions require, in fact, that a very large, increasingly unpopular company not do what most of its competitors have already done,” he said.

“Of all the legitimate complaints we can have about Facebook’s business practices, catching up with the rest of the industry on what has become the widely accepted best practices for messaging platform security is definitely not the top of the list.”

Powers of government

The Investigatory Powers Act 2016 gives the government the power to issue technical capability notices (TCNs) to require communications companies to remove encryption or provide communications in intelligible form, where applicable.

Martin said the government needs to be transparent and honest with the public about its approach to encryption.

“If end-to-end encryption is to pose such a threat to public safety that its implementation and use must be restricted by law, then the government must be absolutely open about what it means,” he said.

This means the government should make the public understand that digital protections will not be as good as they could be otherwise, but the greater good requires law enforcement to be able to access encryption.

There should also be more openness about what type of technical capability notices are needed, why, and how they are applied.

“If we’ve learned anything from Snowden, it’s that the state needs to seek informed consent for what they’re doing in this space. Relying on the general feeling of ‘those who have nothing to hide have nothing to fear’ is a terrible idea,” he said.

Encryption cannot be removed

Martin said the digital security revolution brought about by encrypted services such as Signal cannot be ruled out, “Canute-like”.

“It’s hard to see a blanket ban on end-to-end encrypted services, and it’s hard to see an increasingly security and privacy-conscious population doing anything but flocking to them, the bad minority like the good majority,” he said.

The challenges for law enforcement are real, he said, adding that he had no doubt that if Facebook moved to end-to-end encryption, it would make the job of law enforcement more difficult.

But he said the widespread use of encryption is the latest cycle of a cat-and-mouse game between technology and law enforcement.

Technology is changing, criminals are using new technology, the good guys are catching up, technology is changing and the cycle begins again.

“Seen in this light, end-to-end encryption is just another practical operational issue, not a question of principle,” he said.

Even in the aftermath of NSA whistleblower Edward Snowden, governments have not “become obscure”, they have “become unequal”. They had access to a lot of data, but not all the data they needed or had access to before.

Often, but not always, there are other ways for law enforcement to get the information they need.

For example, in 2015 the FBI attempted to coerce Apple into unlocking the San Bernardino terrorist’s iPhone, but after a lengthy legal battle, the FBI managed to gain access to the phone in a different way.

“Would it really have been better,” Martin asked, “if the US government had won and forced Apple to do something that could potentially compromise all of its phones?”

He suggested that both sides in the end-to-end encryption argument approach the problem with “fairness” and “generosity of spirit”.

“Instead of translating the good intentions and the vital work of law enforcement and intelligence services into offensive accusations that they are ‘playing the child abuse card’, why not redouble our efforts to help offenders get away with it. to keep pace with the new technological system?”