Tuesday, October 03, 2017

Why the Home Secretary's self-confessed ignorance is more dangerous than she understands

It is possible that my expectations of government ministers are too high. I have always inhabited a world where policy should be based on some evidence, some understanding of the facts, even if in the end one defies common sense and shoots off onto an incomprehensible tangent.

The admission from the Home Secretary that she doesn't understand the technology powering WhatsApp but that she wants to change it anyway is especially disturbing given the consequences for the privacy and security of our information, the protection of trade and even the administration of law and order.

The Independent reports that Amber Rudd has repeatedly suggested that she could ban or significantly alter the way that apps like WhatsApp and iMessage use encryption, a key technology that keeps messages secure.

Experts say that the government doesn't fully understand the effects of those proposals, and that they could have far more disastrous effects than anticipated. The response of the Home Secretary is that she doesn't "need" to understand encryption "to understand how it's helping [...] criminals", and that she would work with the security services to "combat" the use of the technology. It is when Ministers resort to rhetoric like this in defence of their proposed legislation that we realise how much trouble the country is in.

The consequences of Amber Rudd's approach are illustrated by this blog. In it, Bruce Schneier explains that encryption keeps us safe. It protects our financial details and passwords when we bank online. It protects our mobile phone conversations from eavesdroppers. It protects our data, our money and our privacy:

Encryption protects the identity of dissidents all over the world. It's a vital tool to allow journalists to communicate securely with their sources, NGOs to protect their work in repressive countries, and lawyers to communicate privately with their clients. It protects our vital infrastructure: our communications network, the power grid and everything else. And as we move to the Internet of Things with its cars and thermostats and medical devices, all of which can destroy life and property if hacked and misused, encryption will become even more critical to our security.

Security is more than encryption, of course. But encryption is a critical component of security. You use strong encryption every day, and our Internet-laced world would be a far riskier place if you didn't.

Strong encryption means unbreakable encryption. Any weakness in encryption will be exploited -- by hackers, by criminals and by foreign governments. Many of the hacks that make the news can be attributed to weak or -- even worse -- non-existent encryption.

Mr. Schneier goes on to explain (and this is particularly important for Amber Rudd to understand) that there is no way to give security forces a backdoor that enables them to access encrypted information without weakening the encryption against all adversaries. He says it is not possible to build an access technology that only works with proper legal authorisation, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way:

If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.

This means that if the FBI can eavesdrop on your conversations or get into your computers without your consent, so can cybercriminals. So can the Chinese. So can terrorists. You might not care if the Chinese government is inside your computer, but lots of dissidents do. As do the many Americans who use computers to administer our critical infrastructure. Backdoors weaken us against all sorts of threats.

Either we build encryption systems to keep everyone secure, or we build them to leave everybody vulnerable.

If Amber Rudd does not understand that in trying to enhance our security by removing or undermining encryption she is also undermining national security and the whole basis of our internet-focussed economy, then she needs to stand down and let somebody else have her job who knows what they are doing.