Source: Ben Fisher/GAVI Alliance
Earlier this month in the aftermath of the Paris attacks, David Cameron pledged to deny terrorists any ‘safe space to communicate’ online. To make this possible, he is essentially pledging to ban end-to-end encryption.
Encryption is the backbone of online security. It allows the safe transfer of sensitive information such as passwords and credit card details, in addition to safeguarding most of the data we use online. Without encryption there would be no e-commerce, no online banking, and certainly no cryptocurrencies, such as Bitcoin.
Outlawing the use of encryption would be like imposing a ban on envelopes and forcing all correspondence sent via Royal Mail to be in the form of postcards.
Whilst Cameron may simply have been looking to reassure the British public that the government will be taking further measures to safeguard the nation from unwanted attacks, the current option being proposed is an ill-advised one. Not to mention, it contradicts the UK’s own vision of establishing itself as the safest place for e-commerce in the world, as well as the upcoming EU Data Protection Regulation.
Even if there was enough of a consensus for a ban on encryption to go ahead, it isn’t a technology that can easily be made to go away. Whether we like it or not, the encryption genie is out of the bottle and it’s not something we can put back.
What Cameron has proposed would mean having backdoors or intentional secret flaws built into apps so that suspicious content can be accessed by the government. Crucially, however, there is no way to guarantee that only the good guys will use it: you can’t deliberately introduce a flaw into a piece of software and prevent it from being used maliciously.
Similarly, the idea of having these rules applicable to software for one country alone wouldn’t work from an international standpoint. Would Britons be required to avoid software from creators that fall outside of the UK’s jurisdiction? Would visitors to the UK be expected to replace the software on their laptops, and have all messages to and from the UK be scrutinised by the government for contamination by encryption?
Governments might grudgingly accept that encryption is here to stay and instead focus on ways that enable them to crack the code. They could try to limit the size of encryption keys, force the use of approved algorithms or require people to register a copy of their keys with the authorities, but none of these approaches are practical, and even if they were, they would just serve to make the life of an attacker easier.
It’s important to remember that security and privacy are not the enemy, but rather fundamental and complementary aspects of free societies, with the benefits far outweighing the negatives. Tinkering with this is a slippery slope towards authoritarianism, a far cry from what you might expect to see in the UK.
Security is an evolving science so we can’t ever expect to have a perfect system in place, but the rules of the battle have changed. Whether we’re talking about cybercrime, cyber terrorism or even cyber warfare, it’s no longer an asymmetric struggle, with rebels attacking the castle.
Tools like encryption mean that the bad guys have many of the same weapons as the good guys. It’s a new reality and the conversation should now be focused on how intelligence can be gathered in a world where data is protected rather than trying to undo the past. Either way, even suggesting a ban on encryption is not the answer.