‘Snoopers’ Charter’ Part 2: ‘Back doors’ will not work

Neil Cook

Neil Cook

Today, the UK Government has outlined new legislation in the shape of the draft Investigatory Powers Bill. According to The Daily Telegraph, the Bill doesn’t plan to ban encryption services in general, but it will demand that service providers implement a ‘back door’ to allow the Security Services access to data that has been encrypted, writes Neil Cook.

Wired summed this up nicely by saying that the UK Government wants to “stop companies using ‘strong’ encryption it cannot break.” Before we get into the merits of this proposed legislation, why would a Government want to stop companies using the strongest possible encryption for their users?

Prime Minister David Cameron has stated that the Internet cannot become a “safe space” for terrorists and criminals, adding: “We need to know who called whom and when.”

A fundamental misunderstanding

Let’s examine the first of these statements.

Terrorists and criminals are free to use the vast resources of the Internet to communicate in any manner they like, using any encryption techniques they require and employing the resources of any entity in any country. To enact legislation that only covers companies providing legitimate services in the UK is to fundamentally misunderstand how easy it is for a criminal to use services such as Tor to completely bypass such measures.

To give a trivial example, Apple iMessage uses strong encryption for all messages sent through its service, and Apple claims that it has no way to decrypt those messages even if asked to do so by the Government. All criminals need to do to circumvent this legislation is buy iPhones and communicate with iMessage.

If we assume that any terrorist or criminal is either already – or soon will be – using fully end-to-end encrypted services that are outside the jurisdiction of the UK Government, what actual impact will this ruling have on the majority of non-criminal Internet users in the UK? It means that their data – even if it’s encrypted either during transport or at rest – will be able to be read by the Government using a back door.

The most likely scenario for this is that service providers and companies will either keep ‘master keys’ for decrypting customer data or sign up to some kind of Government ‘key recovery’ system.

The risks of companies attempting to secure master keys against criminals should be obvious, and are outlined in ‘The Risks of Key Recovery: Key Escrow and Trusted Third-Party Encryption’. The fact that Schneier’s paper was written in the late 1990s shows how long this debate has been running.

The scale of the TalkTalk hack showed the potential exposure of companies that are not adequately protecting their customers’ data, so the Government suggesting that the answer is to fundamentally compromise encryption mechanisms seems flawed to say the very least.

Making even less sense

If we examine the second statement, the proposed Investigatory Powers Bill makes even less sense. End-to-end encryption for e-mails and instant messages protects the contents of those messages from everyone except the sender and recipients. What it doesn’t do is protect the information on ‘who called whom and when’.

In order for Internet infrastructure to route such messages, it needs to know to whom and where to send them, so the sender and recipient information is generally in plain text and not encrypted. If this information was encrypted, the service providers wouldn’t know what to do with it or where to send it. Therefore, with the current powers of lawful interception available to the UK Government today, this information is generally already available even if senders and recipients are using strong encryption.

At Open-Xchange, we believe that people have a fundamental right to privacy and, as we blogged previously, we feel that mass surveillance is a violation of fundamental Human Rights.

We fully understand and support the Government’s desires to protect us from terrorists and criminals, but not by enacting legislation that does very little to restrict criminal activities while at the same time making it illegal for companies and individuals to protect their own data and privacy in the most secure manner possible.

Open-Xchange supports the Trusted E-Mail Services (TES) initiative which sets guidelines for open and standard methods designed to help protect against the mass surveillance of e-mail.

Neil Cook is Chief Security Architect at Open-Xchange

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts