UK PM Theresa May's response to terror attacks 'shortsighted'
You can't make the internet more and less safe at the same time
The UK's Prime Minister has been taken to task for trying to make the internet "both more and less safe" at the same time – and failing to publicly acknowledge the dichotomy.
Following the attacks on two major British cities in the past fortnight, Theresa May yesterday gave a speech saying that "enough is enough", calling for more to be done to "regulate cyberspace to prevent the spread of extremism and terrorist planning".
However, her promises to hold the big internet companies to account and push ahead with plans to circumvent encryption have been branded shortsighted and impractical by tech firms, privacy campaigners and academics.
Both May and Home Secretary Amber Rudd have indicated that the Conservatives would look to force companies to introduce backdoors in their services.
Such plans have been repeatedly slammed for failing to acknowledge that there is no way to ensure these would only be used by "the good guys", and for reducing the public's ability to access secure online services.
"Fighting terrorism does not translate into fighting internet freedom and security," said Andy Yen, founder and CEO of encrypted email service provider ProtonMail.
"Even if Prime Minister Theresa May's request is pushed by a good intention, asking tech companies to create backdoors for governments goes against the basic rule of cybersecurity. It's impossible to have backdoors serving only the 'good guys', which is the reason why for the greater good, digital security must be absolute."
Ed Johnson-Williams, a campaigner for the Open Rights Group, agreed, telling The Reg that the government needed to be sure it didn't succumb to a knee-jerk reaction to the attacks.
"We want to make sure the response doesn't undermine fundamental human rights," he said, adding that attempts to blame the internet were "shortsighted" and treating encryption or providers as the enemy was not the answer.
"Government should be looking at the deeper causes of the atrocities," he said, for instance by tackling radicalisation within communities. Johnson-Williams also questioned whether the government had a clear idea of what they wanted from technology companies, complaining that they had yet to "flesh out" any of their proposals.
Writing in The Guardian today, Liberal Democrat leader Tim Farron – who has pledged to roll back the 'draconian' mass surveillance measures set out in the Investigatory Powers Act – said the Prime Minister was resorting to "political gimmicks".
"Instead of posturing, politicians need to work with technology companies such as Facebook, Twitter and WhatsApp, and with other countries, to develop solutions that work to keep people safe," he said.
"The alternative is a government that monitors and controls the internet in the way that China or North Korea does. If we turn the internet into a tool for censorship and surveillance, the terrorists will have won. We won't make ourselves safer by making ourselves less free."
Alan Woodward, security professor at the University of Surrey, said the big question would be how the government could focus the minds of the big tech companies – suggesting that this might amount to fines for those not making "reasonable efforts" to remove material.
"What will be up for interpretation is what constitutes 'reasonable'," he said. "I would not be at all surprised to see the NATO countries, possibly G7, attempt to agree a common form of regulation that imposes such fines."
Facebook, Google and Twitter have all issued statements in response to May's criticisms in a bid to highlight their work to counter terrorism by working to identify and remove extremist content online – but one academic stressed that the focus should not be on the big corporations.
"This isn't just about big US companies," Thomas Rid, professor of security studies at King's College London, told The Reg. "It's that secure communications can be provided by companies in non-co-operative jurisdictions, by small companies, by non-proprietary platforms and protocols like Tor or PGP—and home-made apps (which are probably least secure).
"The crypto train has left the station – and that's a good thing, both for liberal democracy and its enemies. That's the core dilemma."
Effectively, the government is facing the problem of trying to regulate technologies that both allow the public access to secure services, such as online banking, and prevent the security services intercepting terrorist communications.
"Number 10 is trying to make the internet both more safe and less safe at the same time – that doesn't work," Rid said. "The Prime Minister should confront this difficult digital dilemma publicly, honestly, and thoroughly, as befits one of the oldest liberal democracies. That isn't happening right now." ®