I don’t do politics on this blog, but I have been thinking about the clash between politics and technology that seems to be brewing after the recent terrorist attacks.
Following the terrible attacks in Manchester and London there have been calls from the government for internet companies to take action. Theresa May seemed to be placing some of the blame on the internet and the big technology companies when she said “We cannot allow this ideology the safe space it needs to breed… yet that is precisely what the internet, and the big companies provide”.
One particular area of contention is end to end encryption in messaging apps such as WhatsApp. This level of encryption means that even the providers of the messaging service can’t read messages sent over the service. The government feels that this is unacceptable – that, presumably with some kind of judicial oversight, they should always be able to gain access to those messages.
This has been interpreted as a call for a ban on strong encryption and a demand that vendors leave deliberate backdoor access to messages for the benefit of the authorities. Any such backdoor creates a vulnerability that could be exploited – if the government can read your messages then so, potentially, could criminals.
It’s an argument with some merit – if that was the only option.
What rarely gets mentioned is that end to end encryption is a fairly recent development and is not used universally by messaging services. WhatsApp only added it in 2016. Google’s Allo app is not encrypted by default – their Assistant feature has to be able to analyse the messages to function and that would be impossible with end to end encryption in place.
Email does not have end to end encryption, and I’d be surprised if any web based messaging services provide it – I’m willing to be proved wrong on that, but I suspect there are technical reasons why it would be more or less impossible.
Encryption in transit is essential to protect messages from being read by eavesdroppers, but that is not the same thing – almost all messaging services encrypt messages in transit regardless of whether they also offer end to end encryption.
It would be possible for service providers to implement messaging apps in such a way that they could provide the messages to authorities in the same way that they currently can for email. I’m not suggesting that this should be an easy option – it should require warrants and strict controls. The same kind of thing that you would expect if the authorities asked to intercept physical mail or tap phone lines.
The downside is obvious – abuse by an overreaching authoritarian government. That, however, is a political argument and not a technical one.
Painting the issue as purely technical and mocking it as impossible – as many have done – is somewhat disingenuous when a technical solution does exist and when many messaging services don’t have end to end encryption in the first place.
Don’t get me wrong, end to end encryption has advantages beyond keeping your messages away from the prying eyes of the authorities. For a start, it ensures that rogue employees of messaging providers can’t access your messages. Again, I’d point to the fact that this is a current risk for most forms of internet communication – email being a good example. Both Microsoft and Google have been involved in court battles over handing emails over to authorities, demonstrating that they have the ability to read and provide those messages.
Google’s Allo app shows that tech companies don’t enable end to end encryption when it suits their purposes. Equally there are benefits to those companies to use end to end encryption where they can – if they can legitimately claim to be unable to read your messages they don’t have to deal with legal requests for them.
So once again, I’d argue that it’s largely a political issue rather than a technical one.
One counter argument is that even if WhatsApp and the other mainstream apps did away with end to end encryption there are a number of alternatives. Encryption itself cannot be banned – it’s a mathematical fact and you can no more ban it than legislate that the value of pi is exactly 3.
The answer is nothing, and there isn’t anything that can be done about that. Of course, any potential terrorist would have to trust that the obscure app they’re using is genuinely more secure than the mainstream options – Telegram, for example, may not be as secure as it claims to be.
Even if there are entirely secure apps, the majority of people won’t use them. Messaging relies on scale. There’s no point in me using Signal if all of my friends use WhatsApp or Facebook Messenger… or SMS, Allo, Hangouts, iMessage…
Of course, an organised group planning criminal activity, terrorist or otherwise, will seek out a truly secure means to communicate. They always have, even before encrypted messaging and before the internet itself. That won’t change. Requests that the mainstream messaging providers retain the ability to provide access to messages will not stop the truly determined, and technically capable, from communicating off the radar.
I suspect that many of the less well organised don’t give it a second thought and just continue using what they use for their usual chat. People – including terrorists and criminals – like the easy option.
It’s a complicated issue. I am not suggesting that there should be unfettered government access to all private communication all of the time and I am extremely uncomfortable with some of the attacks on civil liberties being justified in the name of fighting terror. We don’t win if we slide into authoritarianism ourselves.
What I am suggesting is that it’s not helpful for both sides – government and the tech industry – to entrench themselves in knee-jerk and sometimes indefensible positions. Once the initial chest thumping has died down I hope that technical experts on both sides can have an open and reasonable debate on the issues.
One final thought – I thought long and hard before posting this. My initial reaction was to side with the tech industry view, both because of my political leanings and understanding of the technical issues. I’m also aware that although this is one of my longer blog posts I’ve only skimmed the surface, particularly on the technical side. If anything, my fear is that the tech industry dismissing any change out of hand will lead to more draconian proposals from the government.
Of course there is the tin foil hat explanation for all of this – that they can already read your WhatsApp messages and are claiming they can’t as a way to encourage us to keep using it and not switch to genuinely secure options that they can’t read… 😃