WhatsApp end-to-end encryption

End to End encryption – The reasons we can’t just outlaw encryption for all.

Over the past few days in the UK there has been a renewed sense of urgency within government to address & ban/circumvent end to end encryption in communications apps. On Wednesday of last week in the UK an attack was launched on Westminster. During the subsequent investigation it has come to light that the attacker used the WhatsApp messaging app to message a friend or accomplice minutes before the attack. The government’s response to this, perhaps with the best of intentions, is to outlaw or circumvent encryption for the purposes of law enforcement. The reasoning, to stop criminals using platforms to co-ordinate, is commendable; however, it is totally unworkable. Encryption’s raison d’être is to make interception by a third party as difficult as possible, if not impossible.

It would be wonderful if the government could figure out a way to allow complete privacy between citizens for all of their personal communications, whilst being able to listen in on the bad guys, but the two aims are mutually exclusive. We have to pick one side or the other: either all of our communications are unencrypted & able to be read by anyone, or we admit that for the good of the privacy of billions of people, encryption is a must. It’s ethically tough to defend encryption amidst a criminal investigation, especially one as sensitive as an act of terror; however, the privacy of millions of UK citizens cannot be surrendered for the sake of a few fringe elements of our society.

If encryption were to be removed from the likes of WhatsApp, iMessage, FaceTime and a whole host of messaging apps, people would lose trust in the platforms. Imagine, for example, having a video call with your children & not knowing if a third party was watching your live video stream, making recordings or notes & redistributing them online. Imagine the same party intercepts something intimate, a private exchange between lovers or a chat of a confidential nature such as discussing finances. If this video was intercepted it could be used to extort those involved with the threat of publishing said private material in a public place online.

As the internet of things becomes a major industry, consider the implications of an IoT without encryption. Your neighbour accessing your thermostat and turning your heating on while you are at work to cost you money. A sexual predator using an internet or wi-fi connected video baby monitor to watch & talk to your child in their bedroom. A stalker connecting remotely to your home CCTV system. The list of problems & threats is huge, & encryption means that such data can pass over the internet from your home to your device without any man in the middle or third parties accessing the feeds. This kind of stuff needs discussing to balance the government’s insistence on having access to everything.

Imagine you send a photo of your children to a family member, and those photos are intercepted & distributed online among child abusers – the very thought would send chills down your spine & provoke outrage. We trust that information between each other is secure & that no third parties can listen in, including governments. There are thousands of strong arguments in favour of strong encryption & very few strong arguments against.

Another method of interception being discussed freely by MPs such as Amber Rudd is that of requiring manufacturers of hardware & applications to include back doors into their encrypted apps. This would hopefully give governments free access to accounts while limiting the exposure of personal information to eavesdroppers and criminals. However, a back door into an encrypted system essentially nullifies encryption. If your communications are safe only until such a time as someone comes along and reads them through a back door, they aren’t safe at all. Developers spend countless hours securing code & systems against such vulnerabilities. To write one in by default & just bide your time until a criminal cracker (note I’m not using the often incorrect term used by the media of hacker, completely different beast) or questionable regime exposes the weakness and they too start reading messages would be madness.

Now, picture the scene. The government of the UK has legislated to require a back door into all hardware & all software which employs encryption. They believe this gives them an edge over criminals & allows intelligence services to track certain individuals. What they haven’t realised is that a third-party government has employed a group of crackers to find & breach these back doors. For months, the emails, text messages sent via iMessage or WhatsApp, the video conferences over Cisco or FaceTime, the encrypted VPNs allowing them to connect to their place of work in Whitehall on the go (I’m assuming they have some sort of encrypted tunnel, I could be wrong) have all been cracked & the contents of all of those communications have been captured. The foreign governments now have intimate knowledge of the inner workings of our democracy. We are exposed & vulnerable, & the misinformed MPs and the public, via tabloid witch hunts, all supported the legislation of back doors. There would be a scramble to find out what had been breached; information would be used against the UK & distributed amongst criminals & foreign governments. We would be facing a leak of monumental proportions, & all because we enforced the introduction of a weak spot via a back door. A way around that would be a two-tier system where government employees are allowed encryption without back doors while the general public aren’t, but this would be a serious ethical issue in any democracy. It would also leave the public exposed.

I admit, that is an extreme example, but encryption is an all or nothing kind of thing. You wouldn’t, for instance, be happy to give a copy of your house keys to the government so they could pop in whenever they liked to check everything was in order. You wouldn’t allow them to just have a quick read of all of your post before it came to you, just to make sure you were a good citizen. How about someone in a trench coat sitting with you over a romantic dinner to make sure conversation was all to their liking? That would be preposterous, but when it comes to tech, ministers lag behind in a big way.

Let’s use an analogy for the back door in encryption software. Every house in Britain, for security’s sake, has to be fitted with a secret door around the back of the house. Only the government would know exactly where it was, just in case they wanted to pop in now and then, but it would be common knowledge that everyone had a secret back door (no puns or innuendo please) which was unlocked and ready to use, if you could just find it. Can you imagine such a use case for that? But the same ministers push for either an end to encrypted communications or at least a way in. My advice to them would be to consult someone with a grasp of technology before coming out on live TV and making statements which are either impossible or unworkable.

MPs are always banging on (I’m a Northerner, sometimes I like to write with an accent) about making Britain the tech capital of the world. With innovation it could be the next huge export. But with such a simplistic grasp of the basics of tech, it’s hard to imagine how these same people can legislate towards this mecca of a country for innovation. If encryption is outlawed in the UK, our apps will be useless to a worldwide market, and the products we produce will be insecure & undesirable. Harnessing the power of e-commerce & online finance will be impossible without stronger & stronger encryption. Any watering down of encryption & vilification by MPs and the press will only make such innovation harder, if not impossible.

This website uses encryption via an HTTPS certificate. That means that anyone watching, other than my server & your browser, will only see the metadata of you viewing my website. They will see the time you connected and the top level domain, but not the individual pages you load. Chances are, you have checked your online banking today via an app or your bank’s website. Good news, those connections are encrypted too. You’ve probably signed into websites today over encrypted connections, safe in the knowledge that your passwords with that website are hashed & encrypted, so any data dumps or site hacks won’t reveal your password.

Encryption is a fundamental of privacy & guaranteed privacy is the only way that the internet can work for private or transactional data. If you thought your texts were being read, you would seldom say anything which needed to remain private. If logging into your bank meant others could intercept your traffic and access your bank account online, you would never use internet banking. This is where the rhetoric of MPs without a basic working knowledge collides with the realities of passing data over public networks. If you wanted to tell someone something in secret or confidence, face to face, you would generally meet somewhere with a closing door & without others present. The only way to simulate this kind of data transfer online (over a public network like the internet) is to encrypt the traffic, otherwise it’s the equivalent of shouting your bank card details and billing address across a crowded pub. You wouldn’t do it for fear of someone making a note.

The final issue we need to deal with is retention of data. Since the introduction of the IP Bill, a requirement is coming into force that ISPs and providers need to retain data on their users: logs & metadata. Without encryption, this could be expanded to keeping a copy of all files you upload to the cloud, a recording of all voice and video chats, retention of all personal instant message chats and countless other data sets. As much as companies try to safeguard this data, eventually they will face a data breach. This could be an external hack or it could be a breach from within, such as an employee abusing their privileges and accessing or leaking your data. This kind of breach could expose so many data points & so much personal information about you that your privacy could be breached indefinitely. If someone gains access to your most intimate information, you could potentially face a lifetime of identity theft and frauds in your name. I would hope that any data retained would be encrypted & protected with as much security as possible, but the best defence would be to not require any logging of data. Once it has been deleted or the transaction has taken place, the data expires and it’s erased. This does prove to be an obstacle for law enforcement, but the security of millions of citizens’ intimate lives needs to be considered when trying to stop a handful of criminals.

The conundrum faced by politicians is not an easy one, but they need to seek advice from those with the technical skills to educate them. A reactionary “we must tackle” or “we must ban encryption” isn’t a reasoned argument. Criminals use all sorts of tools that regular citizens use. They drive cars, they cook with knives – this means they have the tools required to harm fellow humans. The solution isn’t to ban everything, but to develop tools that can be used for detection: behavioural patterns, anonymous tip-offs, education of the general public – not the removal of all citizens’ rights to a private life.

Encryption will be the scapegoat for a lot of government & tabloid problems, but ultimately without it, we revert to the pre-internet days of filling in forms and transacting face to face. Without the ability to secure data over a public network, the internet is nothing more than a public library of information. I’m an academic. I research internet security for my studies & also out of personal interest (I know, my hobbies sound really boring). The discussion around privacy in the UK needs to change. It’s not about having something to hide, it’s the freedom to express yourself and communicate without the fear of someone else reading or hearing your conversations. I believe everyone would see that as a basic right & one that needs protecting.

Let me know your views in the comments. I would love to hear from you. Also, send me any corrections, I’m sure there will be a few. I’ve written this all in one sitting to address concerns brought up by people asking me questions today, following the press coverage, so excuse any errors.

John Large
