The Investigatory Powers Bill may toll the bell for end-to-end encryption. As it was being debated in the House of Lords at the committee stage, the government unearthed the fact that the bill would allow the government to compel companies to break their own end-to-end encryption.
Earl Howe, a minister for defence and the government's deputy leader within the House of Lords, reaffirmed to his colleagues that the government must maintain the right to access private communications data, whether it's encrypted or not.
He spoke in response to the proposing of several amendments to the IP Bill which would limit the government's ability to remove encryption, the issue at the heart of the debate.
He told the upper chamber, “I have to say that they are irresponsible proposals, which would remove the Government's ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies.”
The amendments in question – 92, 102 and 103 – address one key contested clause within the bill. Clause 226, 5 (c) of the bill allows the government to compel “the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.
While the fight over how much encryption private entities would be allowed was always going to be central to the bill, this provision allows the removal of seemingly any kind of encryption. This would presumably include end-to-end encryption, employed by many private messaging services. This type of encryption, widely applauded by the tech sector and privacy activists alike for its security and privacy, means that messages are encrypted by the device before they are transmitted over any networks. .
This means, for instance, that WhatsApp – which famously took it up earlier this year – can't even look at the messages that its users send.
But how exactly does one break end-to-end encryption? Howe was keen to mention that the government did not want to ban “any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication.” In essence, the government only needs the right to break it when necessary.
This, responded Lord Strasburger, is a contradiction in terms. Responding to Howe, the Liberal Democrat peer made it clear that any encryption that would be considered breakable is simply not end-to-end. He added that this would make new generations of technology, like the next iPhone, illegal.
Strasburger elaborated to SCMagazineUK.com, “The Government is wrong to think that we can have the strong encryption with no back doors which e-commerce and many other services rely on and at the same time permit the security services to have a way to decrypt secure communications.”
Strasburger added, “Any weaknesses in encryption cannot be just for the good guys and are there for anyone to find and exploit and that includes all the bad actors who would do us harm.”
Other commentators agreed with him. “You cannot just turn this sort of end-to-end encryption off on an individual basis. This is a broad brush approach that will affect almost everyone using the service concerned,” Norman Shaw, CEO of ExactTrak told SC.
It's a “typical political grandstand without the slightest idea of how it could be accomplished. Nice in theory and also impossible to implement. Forgetting the endless legal wrangling this would entail, who is actually going to do the work?”
A more nuanced debate is required, added Shaw: “What is needed is intelligent discussion directly with the main service providers and come to a legally binding agreement that when presented with appropriate authorisation and reasonable proof of potential threats the service provider can offer a highly targeted solution. Is it a breach of privacy? Well, yes, to the source of the alleged threat but not the vast majority of the normal users.”
Bart Preneel, a professor of cryptography at The University of Leuven, thinks that this is possible through a combination of geolocation and updates. He told SC, “Most apps get updated a few times per month and it is feasible to send specific updates based on a number of elements, including location.”
However, added Preneel, “Removing encryption (or using a weaker key) would of course expose users to other threats.”If people were to find out, they'd probably switch to another app.As there are hundreds of apps that offer encryption, “this will end in a cat-and-mouse game that will evolve towards attempts to regulate the app stores,” Preneel said.
Richard Anstey, CTO EMEA, Intralinks told SC that “this approach would not only risk hurting users, organisations and enterprises but would also erode the usefulness and power of the Internet.”
Anstey added, “an encryption scheme is essentially an algorithm and the formulae for these mathematical operations are in the public domain. Nobody can take away that knowledge. You can no more ban a formula than you can ban an idea.” Trying to limit encryption strength “only risks damaging the protection it gives to everyone else and the usefulness and power of the internet as a whole.”
Even strong arming companies into giving their encryption up wouldn't be all that effective: “not only is this damaging to individuals and companies who just want good cyber protection, it is also thoroughly futile on a global scale - it's just too easy for another provider to spring up in another jurisdiction.”