Cooler heads needed in heated E2EE debate, says think tank
RUSI argues for collaboration, while others note all 'scans' compromise secure encryption
End-to-end encryption (E2EE) has become a global flashpoint in the ongoing debate between the security of private communications versus the need of law enforcement agencies to protect the public from criminals.
The Register has written at length about this increasingly strident back-and-forth that is seeing proponents of both sides more entrenched in their beliefs.
London-based think tank the Royal United Services Institute (RUSI) released a report [PDF] this week laying out the contours of the privacy-vs-safety debate, weighing the needs and exploring possible solutions.
The researchers have tried to find middle ground in a highly polarized environment, calling for "a more nuanced conversation about possible solutions to the criminal use of E2EE services. It is vital that a range of views are considered in order to identify the key issues and inform a more productive debate."
E2EE essentially encrypts messages at every step of the journey in cross-communications. Proponents note the technology's ability to keep the communications private and secure, away from the prying eyes of not only hackers but also governments that may want to spy on and suppress their citizens.
Others argue that lawful exceptions need to be carved out, allowing law enforcement access to encrypted messages to protect citizens and hinder criminal behavior – a position that logically precludes secure encryption.
Meta wants to expand E2EE to all of its messaging services and this week said that an assessment by Business for Social Responsibility, funded by Meta, found that expanding full encryption protects fundamental human rights.
Britain's proposed Online Safety Bill and its No Place to Hide campaign look to ban or limit E2EE, a move that has been criticized by the likes of the Internet Society and BCS, The Chartered Institute for IT, which have argued that restricting E2EE would do more harm than good.
In a BCS survey last month, 78 percent of IT professionals said restricting E2EE would not protect users and 66 percent said it would have a negative impact on society.
In addition, 70 percent didn't believe it is possible to have both secure encryption and the capability of law enforcement to check encrypted messages for criminal material, worrying about surveillance from governments and tech companies as well as threat actors.
However, that is the path that RUSI is trying to lay.
"The extent to which a consensus can be reached depends on whether solutions can be developed which can combat criminal activity on E2EE platforms while also ensuring that the cyber security and privacy of civilians is fully protected," the researchers wrote in their report, based on writings on the subject and almost two dozen interviews with experts in the UK and US.
"Currently, proposed solutions have focused on methods for allowing law enforcement exceptional access to E2EE communications and ensuring E2EE service providers can access data to effectively monitor criminal and harmful activities on their platforms."
- Zoom agrees privacy conditions, gets low-risk rating from Netherlands
- Dutch govt issues data protection report card for Microsoft
- Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic
- Privacy is for paedophiles, UK government seems to be saying while spending £500k demonising online chat encryption
Those proposals have generated significant controversy that has only been stoked by UK policymakers' efforts to sway public opinion otherwise. Proposed solutions include lawful exceptional access, which is supported by UK officials. Two possibilities in this area are key escrow – with telcos and social media companies keeping a copy of keys for decrypting information with a third party that would turn the keys over to authorized law enforcement – and quietly adding a law enforcement person to an E2EE group chat or call, which would not break encryption. Both have been criticized as threats to security and privacy.
Other ideas include on-device scanning of data-at-rest – such as plaintext or images – on a user's phone to detect harmful material, such as that related to child sexual abuse or terrorism. However, Apple developed a scanning tool called NeuraHash and received blowback from opponents who said the technology could be exploited by bad actors or nation states and used for surveillance.
Analyzing the metadata at the network and application levels and legal hacking – allowing law enforcement to hack a device using their own means – are other options with pros and cons.
E2EE is a gnarly issue pitting security and privacy concerns against law enforcement issues. RUSI noted that the European Union's Internet Forum and the Safer Internet Forum are good collaboration avenues for discussing the problems.
However, there needs to be a consensus among "policymakers, proponents of technical measures and those who argue that access to E2EE communications is not possible without severe implications for privacy," the researchers wrote.
That said, the path forward will rely heavily on cooperation between those on both sides of the debate.
"One way of doing this is to ensure the technical community is involved in the development and assessment of capabilities and tools that are being considered," RUSI wrote. "Encouraging a stronger relationship through collaborative research with experts is key for building trust and ensuring tools are properly tested and critiqued before any technical measures are implemented." ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Let's Encrypt
- Max Schrems
- Palo Alto Networks
- Privacy Sandbox
- Trusted Platform Module
- Zero trust