'Real' people want govts to spy on them, argues UK Home Secretary
Magical thinking meets willful ignorance at closed meeting
Analysis: UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that "real people" don't need or use end-to-end encryption.
In an article in the Daily Telegraph timed to coincide with Rudd's appearance at a closed event in San Francisco, Rudd argued: "Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."
She continued: "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and 'usability,' and it is here where our experts believe opportunities may lie."
The reference to "real people" struck a nerve with a host of security experts, sysadmins, privacy advocates and tech-savvy consumers who took to Twitter to point out that they were real people, and not ISIS sympathizers – as Rudd implied in her piece. Rudd essentially declared that people who use strong encryption are not normal, not real people, which is a rather dangerous sentiment.
More broadly, her argument is an effort to square the circle on the issue of encryption: where tech companies and security experts say they cannot allow access to encrypted messages without compromising the entire system; and politicians and the security services argue that they need to be able to gain access to all communications for national security reasons.
The politicians' argument has long been disparaged as "magical thinking" by the tech industry (and some federal agency representatives): simply wishing something to be true does not make it possible.
"This is not about asking the companies to break encryption or create so-called 'back doors'," Rudd argued, while failing to recognize that any method of breaking encryption on demand is, by definition, the introduction of a backdoor. She added:
"I know some will argue that it's impossible to have both – that if a system is end-to-end encrypted then it's impossible ever to access the communication. That might be true in theory. But the reality is different.
"There are options. But they rely on mature conversations between the tech companies and government – and they must be confidential. The key point is that this is not about compromising wider security. It is about working together so we can find a way for our intelligence services, in very specific circumstances, to get more information on what serious criminals and terrorists are doing online."
What Rudd appears to be arguing for is encryption on people's devices, but with tech companies providing and storing the encryption keys so they can decrypt messages when ordered to do so by the authorities – or perhaps provide some sort of secret backdoor access so investigators can leaf through decrypted chatter remotely on suspects' devices. The existence of these skeleton keys, or secret back passages, would undermine security and privacy for everyone.
And the reference to conversations having to be confidential – well, that was borne out by the fact that the first meeting of the "Global Internet Forum to Counter Terrorism" was kept entirely secret – with limited details only put out the day before. Even the location of the meeting was kept secret.
We asked to attend and were told: "The event isn't open to the press at the request of some of our participants." Some tweets from inside the event by the organizers provide a very limited window into discussions.
What Rudd's argument fails to acknowledge, however, is the entire reason that the encryption debate took off in the first place: mass surveillance carried out by the National Security Agency (NSA) that was revealed in confidential documents released by Edward Snowden back in 2013.
Lest anyone forget, Snowden revealed that not only were the US authorities monitoring every phone call made in the US, but they had tapped the internet's backbone and tech giants' data centers without letting them know.
Many of those programs have since been declared illegal, but the enormous breach of trust felt by the US tech companies that had been working with the authorities to provide legal access to communications resulted in immediate efforts to encrypt all data and so cut off the NSA's data firehose.
The tech companies also responded to massive consumer demand for more secure systems when the extent of government spying became clear. The earliest and most high-profile shift was when Apple updated its mobile operating system to provide true end-to-end encryption, meaning that it was unable to read its own users' messages.
That move was swiftly followed by others, including Facebook-owned WhatsApp, after competitors like Signal suddenly appeared on the market and picked up tens of thousands of new users almost overnight.
Rudd's argument essentially boils down to asking everyone to forget about the fact that the US government illegally hoovered up and stored everyone's personal communications, and then let them do it again. Because terrorists.