Once again there are talks about making platforms add some sort of back door to encrypted private communications. This happens every few years and usually falls flat on its face when policy meets mathematics, but what is the issue here?
The key issue is that the state, in various guises, would like to be able to snoop on private communications. There are lots of excuses for this - the latest is "online harms", and of course a smattering of "think of the children". The idea is that if you can snoop on communications you can catch dodgy people grooming children in otherwise "private" chat channels. These latest efforts are rather complicated as they are trying to over reach beyond what is illegal off-line (what is illegal off-line is already illegal on-line), but even muddy the waters of legal and illegal in the first place. It is about obligations on platforms over "harmful but legal" content. This is, in my view, very bad - there should be simple clear rules on what is and is not legal, and speech of any sort that is "legal" should not be censored, even by some sort of back-door means by placing duty of care obligations on platforms.
However, in with all this, is some need to apply this duty of care to end to end encrypted communications, which means making us all less secure. You cannot make a back door that only works for the good guys. It simply does not work like that. We all rely on basic encryption to protect our privacy every day.
See this blog for more on this generally.
But there are other issues with this when it comes to trying to catch criminals or even "harm", and that is the notion that secure communications requires some platform or vendor to provide that security. This is simply not the case. Right now a lot of platforms provide the apps and allow secure (end to end encrypted) communications, but it only takes some sort of snooping law like this to drive things another way. We can have apps that allow security to be applied to the communications that a platform is providing (even simple SMS) where that security is in the end points, in the app. And apps that have no "vendor" in the conventional sense, but are free open source code that is just available on the Internet for all to download. With separate moves to break up Apple's monopoly on its AppStore, this could allow such apps even on otherwise locked down iPhones, but obviously this is already the case with more open platforms like Android.
Of course, you also have the question of having a separate platform and app provider. Are app providers in scope of such laws anyway, and if they offer end to end encryption via some other platform (which itself does not offer end to end encryption), what is in scope of such laws?
Even if this duty of care tries to apply to a platform or an app vendor, it is no good when there is no such entity to which the law can apply. End to end encrypted communications does not need a platform or vendor.
I have a video which is standing the test of time quite well that shows that encryption does not need complicated maths in any way. The example is a simple type of encryption with pen, paper, and dice. But the tools to do good, high quality, secure, encryption, are all available freely. It is not secret. The cat is well and truly out of the bag. Anyone with criminal intent can use such tools. Measures to reduce security will impact "normal" people, happy to use the app with the platform, and so allowing criminals access as well and making us all less secure.
I've lost count of the number of times I've written to my MPs on this over the years. After the US getting pwned through backdoors installed via SolarWinds, you'd think governments would start to understand, but I'm not holding my breath!
ReplyDelete"Online harms" is by far the worst attempt at government censorship we've seen in any supposedly liberal Western democracy.
ReplyDeleteIt seems that the government have given up on legislating against specific types of content that could be considered harmful (child porn, terrorist recruitment etc), and want to move straight to the endgame of total, Chinese-style regulation of our thoughts and conversations. Effectively they will set up a Ministry of Truth which will have unilateral power to censor any speech act which they don't like, even perfectly legal and innocuous stuff like questioning whether facemasks work or whether men can become women (i.e. scientific claims which are far from settled and still subject to intense debate, but which the government will have the power to prevent us from discussing).
Combine this with the neo-Stalinist proposals from both the Scottish and English governments to expand so-called "hate speech" laws to cover all manner of controversial statements, even made in the privacy of our own homes, and there will be barely any functional difference between the censorship regimes of Russia/China and the UK. I suppose at least we won't get "disappeared" or shot in the back of a car for saying the wrong thing, but that will be little comfort to people who are being censored, banned, arrested, fined, sacked or potentially jailed for disagreeing with Unquestioned Answers that our lords and masters have decided are not up for debate.