Privacy advocates, journalists and a representative from GCHQ squared off in a debate on surveillance in Cambridge today.
The heavyweight exchange of ideas between Cambridge security engineering professor Ross Anderson and Ian Levy, technical director of the National Cyber Security Centre, the assurance arm of GCHQ, took place to mark the anniversary of the foundation of the FIPR think tank1.
Professor Anderson opened a panel discussion titled "Crypto wars: the control of interception and surveillance" by arguing that the concept of key escrow – which technologists defeated in the 1990s – was back but since "most IP traffic was encrypted it's all about your phone". He also said that one of the main issues with government-developed surveillance tools is that they aren't being applied to fight cybercrime, a particular problem as more and more economic crimes happen online.
Following on after Prof Anderson's argument was a history of surveillance by investigative journalist Duncan Campbell titled "100 years of data stealing". GCHQ's Levy, who was next up, joked that he was addressing a "hard audience". Levy began by saying that both privacy advocates and governments were putting across a narrative that's "not quite right" when it comes to real world crypto systems.
The world has changed since former NSA sysadmin Edward Snowden revealed the levels of mass surveillance being done by the world's governments on their citizens, said Levy. The quality and availability of encryption schemes and security engineering have both improved. Agencies such as GCHQ and the NSA have become more open and transparent about their work, he added.
Row over GCHQ-built voice algo MIKEY SAKKE rumbles onREAD MORE
"Mobile phones have changed surveillance. Metadata is more important," Levy explained, contrasting modern surveillance with the techniques of yesteryear where a physical clip would be put on the phone line of a suspect and listened in to by specialists.
Levy went on to argue that GCHQ or the UK government wasn't arguing for government mandated backdoors2 while pointing out that other countries might be. He suggested that tech companies might be receptive to requests from nations with a large target market, a reference to the pressure China is putting on tech suppliers. Levy used India rather than China as an example.
Levy controversially claimed that GCHQ is scrupulous. "The biggest amount of work we do at GCHQ is to make sure we operate within the law," he said.
The problem with this, audience members in Cambridge argued, included the difficulty for GCHQ to interpret laws that weren't clearly written even before considering that intel agency lawyers are likely to apply a more permissive interpretation on rules. One delegate pointed out that GCHQ had been censured for violating EU privacy laws.
Levy argued for a "transparent, well managed and ordered" surveillance regime as opposed to a system that would rely on finding software flaws in order to defeat encryption. He told privacy advocates: "If you whack governments on privacy it will only drive the vulnerability market."
He added that real world end-to-end encryption systems are far from perfect. Intel agencies are able to exploit the "I've lost my phone" feature. Levy argued for co-operation between tech providers and governments. The debate needed to move beyond talking about "angels and demons", Levy concluded. ®
1The Foundation for Information Policy Research was launched on 29 May 1998 in the run-up to the Regulation of Investigatory Powers Act. In addition to organising conferences on surveillance, FIPR has worked on many topics around privacy, digital rights and cybercrime. Its achievements included significant amendments to surveillance and export control laws and the foundation of EDRi.
2Two years ago, GCHQ was obliged to defend its controversial MIKEY-SAKKE phone encryption protocol against criticism that it leaves a backdoor into systems that support the technology. El Reg had the pleasure of bumping into security researcher Steven Murdock, who reminded us of this case, the existence of which suggests that GCHQ is perhaps not entirely adverse to backdoors.