Those reasons why breaking encryption is a bad idea
In today’s news cycle we hear of UK governments plans to force tech companies to break encryption.
The thinking goes like this, any communications app with over 10,000 users should hand over the keys to the UK government because the police would like the ability to see messages between terrorists and would-be terrorists.
While this looks like an “easy win” for an underfunded digital forensics team there are more than a few flaws:
If the UK government has access then what’s to stop the Russian, North Korean, Chinese, Argentinian, Maldivan etc. etc. government have access too?
How will this affect dissidents who we might see as “the good guys” but would be seen as political terrorists by others. Chinese artist Al WeiWei is lauded in the west but is seen as a threat to Chinese security. Should Facebook et al. allow the Chinese access to his private messages?
China isn’t the worst government to consider, think about the effect of giving government’s access to private communications would have on minority parties in Zimbabwe, where democracy and fair play is certainly not a given (opposition leader is beaten and jailed while Mugabe unveils bid to be president till 2014).
A back door left open will let anyone in.
How quickly we forget, it was just over a week ago that hospitals in the NHS came to a standstill because a crack in the Windows security architecture, discovered by the NSA, the US government’s National Security Agency, was used for ransomware by thieves who has stolen knowledge of the crack.
The NSA it seems were keeping knowledge of the crack to themselves, in order to use it for spying. As a result Microsoft lambasted the NSA agency for stockpiling exploits, instead calling for everyone to work together to report flaws as soon as they are found.
We all need communication privacy.
We sometimes forget that we take private communications for granted. Those that assume that “if you have nothing to hide, you have nothing to fear” seem to forget that the people listening in, aren’t all good guys.
Take this conversation:
Hi Mum, we’re going to be out for the day, can you pop in and feed the guinea pigs…
Sure, darling, I’ll pop in after tea.
Unfortunately there’s a very useful keyword for your local burglar in there “out for the day”. With automatic search tools he can scan communications to find people “out for the day” and pop in to steal their jewellery. With encryption broken it won’t just be celebrities getting caught out on social media — John Terry’s mansion burgled while footballer posted holiday pictures on social media).
Communications servers can be spun up and spun down faster than you can find them
By going after the social media firms the government is chasing the communications servers. The problem here is that the service they offer is more a marketing and user experience rather than a technical one.
Creating communications servers is really straightforward, technology like XMPP is in the public domain and designed to be spun up by anyone.
If you wanted to create your own mini version of Slack, HipChat, Facebook or Twitter just for your small group of activists you could do so with a few short commands typed into a server console.
I once had a server hacked for the sole purpose of providing a hacking community with their message board for a few hours.
The hackers used an automated sniffer to find a vulnerable server, uploaded a “rootkit” and installed their communications server. All within seconds. My IP address was shared to their previous message board and they moved their conversation to my server while their previous server was wiped clean.
Undoubtedly at the same time another server was being broken into, a new message board spun up and before long the hackers would soon move on to a new server. On mine they left a few traces of their activity but that was it.
So is there any merit to the proposals at all?
Well, one positive effect of the proposals might be displacement.
Just as a CCTV camera moves crime outside the area that the camera looks at, so this would force criminal communications off the big apps onto ephemeral networks so making their communications a little harder. Why should terrorists be able to “like” each other’s posts and use a nice User Interface after all— force them to use ugly old ICQ and learn the old technology the hard way!
Additionally this displacement would provide a clear step that would-be terrorists would have to take as they got more entangled in the brainwashed mesh. They would need to move onto the “dark web “ by switching to developer mode and installing a homegrown app on their phone. Just as today content pirates install torrent, the fact of installing the tools to communicate securely could be seen as conspiracy or criminal activity in itself.
But it’s a slippery slope — criminalising millions of people simply for using a particular technology isn’t a law I’d like to write. Switching to developer mode and installing a home grown app is something millions of software programmers need to do.
In any case, displacing criminal communications onto the dark web, smaller networks and ephemeral technologies still won’t allow the police to access communications of those we really need them to. The critical evidence will still be beyond our reach.
So, beyond displacement, I’m afraid there isn’t an easy answer to the question of how do we access and intercept criminal communications.
