Will there be no end to govt attempts to break encryption? Hand over your data or the kiddies get it, threaten Five Eyes spies

The Great Unicorn Prayer of security services: Stay secure, but - ya know - give us backdoors


Column In a move as predictable as it is wearisome, a bunch of government security agencies have got together and demanded we let them have our data. This latest spooky manifestation is a collection of the Five Eyes - the US, the UK, Canada, Australia and New Zealand - and for some reason Japan and India. Let’s call this coalition of the chilling, JIANUSCUK.

The declaration is a masterly exercise in security administration doublespeak. It starts with a stirring call to righteousness and the power of proper privacy. Encryption is vital to protecting people's use of data, it says, alongside human rights activists in repressive regimes, journalists researching corruption, and all those good things. Who could disagree?

Not JIANUSCUK, which continues: "Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems."

Oh dear. Experts will by now be alerted by the skilful deployment of the weasel modifiers "dangerous" and "counter-productive". How so? To whom? And indeed, we're just 80 words in and JIANUSCUK can't keep a straight face any longer. It drops the H bomb followed by the C word. However. Children.

I don't kid. Really, go and look for yourself.

The rest is an absolutely perfect example of the Great Unicorn Prayer of the security services: oh Lord, grant us this day all the data, but keep it from the sight of the evil-doers. And if that's not possible, because it isn't, even for thou, oh Lord, force industry to give it to us by framing them as complicit in child sex abuse. Amen.

As Reg readers will know, we have been here so, so many times before. Early '90s US president Bill Clinton and the Clipper chip kicked things off as the internet got its groove on. This would have been mandated hardware encryption with magic unlocking keys known only to, well, anyone with the right hat. Unfortunately, the encryption-breaking protocol was itself broken. Since then, there has been a constant cycle of government demands for the impossible "safe access" by back doors.

A fun game is to Google the name of any recent Home Secretary and "End-to-End" and see how far back you have to go before “calls for an end to” isn’t in the title of the top result. (Hint: it’s more than a decade.)

You cannot make an encryption system insecure without making it insecure. Nor do you need to. Just this summer, by good old-fashioned police and security work, the French and friends cracked Encrochat wide open - a custom Android system with baked-in end-to-end encryption that was the chatter carrier of choice of the criminal fraternity. Hundreds of arrests followed, and nobody else’s data was at risk. How did les plod pull it off? They hacked the phones, bypassed the encryption and hoovered up the bad guy blether. It took proper court orders, but nothing not in keeping with standard surveillance. And the French, like all the EU, clearly want nothing to do with JIANUSCUKery. Odd that.

It is of course open to any state to break its own laws, or frame them in such a way that it doesn’t need to. Both the UK and the US are brazenly bounding down that path, and Human Rights Watch says of India that “In 2018, the government... harassed and at times prosecuted activists, lawyers, human rights defenders, and journalists for criticizing authorities. Draconian sedition and counterterrorism laws were used to chill free expression.” So that’s almost half of JIANUSCUK behaving in ways that its own declaration says encryption is essential to protect against, at the same time as calling for that encryption to be turned off on demand. Do they think we just take them at their word?

Only those of us with 'nothing to hide' who end up with nothing hidden

And it is only the sort of encryption that ordinary people use that would be broken. The child abusers are already buried deep within multiple layers of encryption; if every wish in this declaration were to come true, that wouldn't change one jot. It is impossible to enforce a human law that breaks the laws of mathematics, and mathematics says that if you want good encryption you can have it, through code that can be written on the back of a postcard.

By focusing on the tech industry to do its dirty work, JIANUSCUK is admitting there is no practical or legal way to back-door all encryption. The bad guys will carry on using the good stuff, it's only those of us with "nothing to hide" who'll end up with nothing hidden.

It is likely that this exercise in futility will end up in the bin like all of the rest, but only because people who know such things for what they are keep calling them out. I don't know when Priti Patel (the latest UK Home Sec to call for an end to encryption) will leave government - hell, I don’t know how she got there in the first place - but I do know that the next person in that seat will waste no time in calling for an end, endlessly. I'll be there, blowing raspberries. Be there with me. While we can. ®


Biting the hand that feeds IT © 1998–2020