Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors
Broken security? More like broken record
Crimefighters, snoops, and politicians who rely on intelligence gathered on citizens to make critical decisions are not willing to accept this rise of strong personal encryption as the new status quo. And so they are waiting for the public mood to turn – which, unfortunately, will likely come when a major terrorist attack kicks off and governments can point to the use of encrypted apps as a critical factor for why the assault wasn't thwarted earlier.
Even though Theresa May has taken a strong stance on the issue of extremist content online, even threatening new laws, she did not suggest in Davos that companies be legally restricted from offering heavy duty encryption. Instead, she sought to pressure corporations and programmers to voluntarily introduce backdoors into their systems.
And there is good reason for that: because a law limiting encryption would be very unlikely to pass Parliamentary scrutiny. Electronic encryption is an increasingly important aspect of our modern digital lives. Business and government rely heavily on it to keep their own communications private, as well as keep customers' and citizens' personal information out of the hands of crooks hackers.
And so we have the ludicrous situation of encryption Groundhog Day where the same things are said and done over and over again, each day the same.
The question is: when and how will the edifice crack? Governments and their intelligence services clearly feel at the moment that time will act in their favor and they will soon be able to return to a situation where they can access our private information readily and easily.
And they may be right: tech giants are only responding aggressively when they are put under direct pressure – such as when the FBI tried to force Apple's hand over the iPhone of San Bernardino shooter Syed Farook.
Despite those companies claiming philosophical opposition to granting governments blanket access to their users' private information, everyone knows that it only takes a change of mind from top management for them to devise face-saving measures and communications strategies to flip their position. Meanwhile, these organizations regularly cough up personal information on individual suspects to the cops and Feds because the law requires it.
"Protecting all of us against a few", "For the Greater Good" – you can almost predict the lines the chief executives will take while switching on backdoors to mass surveillance. Assuming, that is, they tell their customers at all (here's betting Apple won't). All it takes is a perceived shift in public opinion. And as time fades, and fury over Snowden's revelations dies down, that may well happen.
Just look at the reauthorization of America's Section 702 spying program – which stores vast amounts on US citizens despite claiming not to – earlier this month. A minority of lawmakers opposed it and fought hard for more safeguards, but the sad truth is that the program was reauthorized for another six years because not enough Americans were incensed enough to call their congressfolk about the issue.
Likewise in the UK, the government has already attempted to write in encryption-busting rules into law. But recognizing how unpopular that was going to be, it did so entirely in secret – at least until someone leaked the proposal.
It may be worth looking at the alternative. Let's assume that the status quo does hold and neither government pressure nor future terrorist attacks are sufficient to undermine public opinion over encryption and privacy. What does that look like?
Well, the biggest and hardest shift would have to be within the Establishment. The security services would have to let go of their favorite tools – keyword searching of vast databases of people's chatter. Or at least rely on them far less.
That is going to be a difficult mindset to shift, especially since it has been building and solidifying for a number of decades. In order to fill in the intelligence gaps, law enforcement and the security services would have to hire many more people who specialize in on-the-ground intelligence gathering. And that is both complex and time-consuming.
There would have to be a greater focus on metadata – which is information about people's messages, such as the time a text is sent and to whom, as opposed to the actual encrypted content. Metadata already provides a heck of a lot of intelligence – it reveals networks of associates, for example – but it's not quite the same as searching and reading actual texts and emails.
Unable to intercept messages or defeat filesystem cryptography, spies would also have to hack more and more suspected criminals and terrorists' phones and other devices to obtain information that is encrypted in transit and at rest. That's also complex, time-consuming, and risky.
There is good reason why intelligence services across the globe have shifted away from these complex and laborious operations in favor of armchair blanket snooping. Aside from being cheaper, it is also easier: you can read or listen first-hand to what a target says or types. It is also faster: no need to embed agents within evil organizations over months, slowly building trust, or develop exploits to hack computers and handhelds – just tap the network traffic and you're golden. Unless, of course, that traffic is end-to-end encrypted.
Simply put, electronic surveillance is extremely useful for figuring out what those who would seek to cause harm to a country are up to. And the security services are not going to give it up – or even one aspect of it – until they have no other choice.
And while the head of the FBI and the prime minister of the United Kingdom can be relied upon to maintain an encryption impasse, that's the position the intelligence services will maintain. Watch and wait. It's what they do. ®
Sponsored: Becoming a Pragmatic Security Leader