Today the UK government will outline new legislation called the Investigatory Powers Bill. According to the Daily Telegraph, the bill doesn’t plan to ban encryption services in general, but it will demand that service providers implement a “backdoor” to allow security services access to data that has been encrypted. Wired summed this up nicely by saying that the UK government wants to “stop companies using ‘strong’ encryption it can’t break.”
Before we get into the merits of this proposed legislation, why would a government want to stop companies using the strongest possible encryption for their users? David Cameron, the UK Prime Minister, stated that the Internet cannot become a “safe space” for terrorists and criminals, adding: “We need to know who called whom and when.”
Let’s examine the first of these statements. Terrorists, paedophiles and criminals are free to use the vast resources of the Internet to communicate in any manner they like, using any encryption techniques they require, and using the resources of any entity in any country. To enact legislation that only covers companies providing legitimate services in the UK is to fundamentally misunderstand how easy it is for a criminal to bypass such measures entirely, for example by using an end-to-end encrypted service hosted outside the UK or an anonymity network such as Tor. To give a trivial example, Apple iMessage uses strong encryption for all messages sent through its service, and Apple claims that it has no way to decrypt those messages even if asked to by the government. So all criminals need to do to circumvent this legislation is buy iPhones and communicate with iMessage?
If we assume that any terrorist or criminal is either already (or soon will be) using fully end-to-end encrypted services that are outside the jurisdiction of the UK government, what actual impact will this ruling have on the vast majority of non-criminal Internet users in the UK? It means their data, even if it is encrypted, whether in transit or at rest, can be read by the government through a backdoor. The most likely scenario is that service providers and companies will either keep “master keys” capable of decrypting any customer’s data, or sign up to some kind of government “key recovery” (key escrow) system.
The risks of companies attempting to secure master keys against criminals should be obvious, and are outlined in ”The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption”. The fact that this paper, co-authored by Schneier and ten other cryptographers, was written in 1997 shows how long this debate has been going on. The scale of the TalkTalk hack showed the potential exposure of companies that are not adequately protecting their customers’ data, so the government suggesting that the answer is to fundamentally compromise encryption mechanisms seems flawed, to say the least.
If we examine the second statement, the proposed bill makes even less sense. End-to-end encryption for emails and instant messages protects the contents of those messages from everyone except the sender and recipients. What it doesn’t do is protect the information on “who called whom and when”. In order for Internet infrastructure to route such messages, it needs to know to whom and where to send them, so the sender and recipient information is generally in plain text, not encrypted. An OpenPGP- or S/MIME-encrypted email, for example, still carries its From, To and Date headers (and usually the Subject) in clear; only the body is encrypted. If this routing information were encrypted, the service providers wouldn’t know what to do with it or where to send it. Therefore, with the lawful interception powers available to the UK government today, this information is generally already available, even if senders and recipients are using strong encryption.
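To make the point concrete, here is an added example (not code from the original post or from Open-Xchange) that builds an end-to-end encrypted email and then shows what a provider, or an interception warrant served on that provider, can read without any key: the sender, the recipient, the date and the ciphertext size, but not the content. It uses only the Python standard library; the cipher is a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for whatever the real client would use (OpenPGP, S/MIME), and the addresses, date and key are constructed sample data.

```python
"""Added example (not from the original post): what a provider or lawful
intercept sees of an end-to-end encrypted email versus what the key holder
sees. Standard library only; the cipher below is a constructed stand-in."""
import base64
import hashlib
import hmac
import secrets
from email import message_from_string


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key or a modified body is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_message(sender: str, recipient: str, date: str, plaintext: bytes, key: bytes) -> str:
    """Client side: encrypt the body. The headers must stay in clear so that
    mail servers can route the message at all."""
    body = base64.b64encode(encrypt(key, plaintext)).decode()
    return (
        f"From: {sender}\nTo: {recipient}\nDate: {date}\n"
        "Subject: (encrypted)\nContent-Type: application/octet-stream\n"
        f"Content-Transfer-Encoding: base64\n\n{body}\n"
    )


def intercept(raw: str) -> dict:
    """Provider side, no key: who wrote to whom, when, and how much."""
    msg = message_from_string(raw)
    ciphertext = base64.b64decode(msg.get_payload())
    return {
        "from": msg["From"],
        "to": msg["To"],
        "date": msg["Date"],
        "subject": msg["Subject"],
        "ciphertext_bytes": len(ciphertext),
    }


def recipient_read(raw: str, key: bytes) -> bytes:
    """Recipient side: only a holder of the end-to-end key recovers the content."""
    msg = message_from_string(raw)
    return decrypt(key, base64.b64decode(msg.get_payload()))


# Constructed sample data: a fixed key shared out-of-band between Alice and Bob.
KEY = hashlib.sha256(b"constructed demo key, not for real use").digest()
PLAINTEXT = b"Meet at the usual place at 19:00."
MESSAGE = build_message(
    "alice@example.org", "bob@example.net",
    "Wed, 04 Nov 2015 10:15:00 +0000", PLAINTEXT, KEY,
)

if __name__ == "__main__":
    print(intercept(MESSAGE))            # metadata: readable by anyone in the path
    print(recipient_read(MESSAGE, KEY))  # content: readable only with the key
```

`intercept` is exactly the view a lawful-interception order on the provider already obtains today; a real provider additionally sees client IP addresses, connection timing and the size of every message, none of which the body encryption hides. A backdoor adds the body, and nothing else, to that view.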
At Open-Xchange, we believe that people have a fundamental right to privacy, and as we blogged about previously, mass surveillance is a violation of fundamental human rights. We fully understand and support governments’ desires to protect us from terrorists and criminals, but not by enacting legislation that does very little to restrict criminal activities, while at the same time making it illegal for companies and individuals to protect their own data and privacy in the most secure manner possible. Open-Xchange supports the Trusted Email Services (TES) initiative which sets guidelines for open and standard methods which will help to protect against the mass surveillance of email.