There are few things scarier these days than a politician stepping in front of a microphone, taking a deep breath and opening his mouth to pontificate on security. A long list of American elected officials have reinforced this, and on Monday, UK Prime Minister David Cameron jumped to the head of this undistinguished line with his dangerous statement that encrypted communications shouldn’t be allowed.
Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can’t allow any form of communication that can’t be read.
“Are we going to allow a means of communications which it simply isn’t possible to read?” Cameron said, according to the New York Times. “My answer to that question is: ‘No, we must not.’ “
There are so many problems with what Cameron said that it’s hard to know where to begin. But let’s take it from the top. The government of a free country should not be in the business of allowing or disallowing any form of communication. Those are decisions that should fall to the users and the market, based on the technical and commercial merits of the service. Parliament and Congress have plenty of other things to occupy themselves, and having one of these bodies try to decide whether a given messaging service or Web site doesn’t meet with their approval is not just a waste of time and resources, but scary.
There are so many problems with what Cameron said that it’s hard to know where to begin.
Tweet
The second issue is Cameron’s use of the word “read”. What he’s suggesting here is that the government should have the ability to not just intercept, but decrypt any form of communication that passes through the country’s networks. Thanks to the Snowden leaks, we know that Britain’s GCHQ intelligence service has the ability to intercept essentially whatever traffic it wants through a variety of methods. But in order to decrypt traffic from secure messaging services–apps that have gained huge amounts of popularity in the last couple of years–the UK would need to mandate some kind of backdoor, an idea that’s not just offensive to users but inherently dangerous.
As security experts have said for decades now, a backdoor intended for one will end up being be used by all. Attackers and security researchers are really good at finding unintentional weaknesses in software, so just imagine how much fun they’ll have looking for a backdoor that they know is there.
“There are enormous problems with this: there’s no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal — and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They — and not just the security services — will be able to use it to intercept all of our communications,” author Cory Doctorow points out in his essay on Cameron’s proposal.
Aside from the specter of attackers identifying and exploiting an intentional backdoor, there is the problem of trying to bend software makers to the will of the government. Even if by some miracle the backdoor proposal succeeds, the government still would face the hurdle of getting software makers such as Apple to prevent secure communications apps from showing up in their app store. Apple does what Apple wants and generally not much else. And, as Doctorow says, how would Cameron address the global open source community, which produces much of the secure communications software?
These kinds of systems just flat don’t work.
“It won’t work. The basic problem with these proposals is they work against regular people who don’t care. But to make it work, you have to close the loopholes,” cryptographer Bruce Schneier, CTO of Co3 Systems, said in an interview. “If you can’t do that, you don’t hurt the bad guys, you only hurt the good guys. It plays well on TV to someone who doesn’t understand the tech. Everything works against my grandmother, but nothing works against professionals.”
Someone, or several someones, is giving Cameron terrible advice on this subject and it’s clear that he hasn’t thought through the technical and social implications of what he’s proposing. Security and privacy are properties of free and open societies, not threats to them.