Weakening encryption is all about security vs security
EU and regulations about security and privacy

More and more we read about the alleged need of governments to weaken encryption. In discussions it is often presented as a choice between privacy versus security. But is it really about privacy? And should governments be able to take protection away from us, especially if the method is not proven effective, but detrimental to all?

Bruce Schneier knows

In 2020 I spoke with Bruce Schneier about encryption. For those of you who never heard of him: he is the person you want to talk to when the topic is cryptography and encryption. I asked him what his thoughts were about more and more governments pushing an agenda of weakening encryption, for example by demanding backdoors in encrypted communications (think of chat apps like WhatsApp and Signal).

The conversation has lingered in my mind ever since, and with the new agendas of the UK (Online Safety Bill) and the EU (chatcontrol), I want to give it some more thought, keeping in mind the abuse by governments of the spyware Pegasus made by the NSO Group in Israel.

For your mindset here is the transcription of Bruce Schneier's insights in 2020:


What are your thoughts about more and more governments pushing an agenda of weakening encryption, for example by demanding backdoors in encrypted communications?

"I think this is bad. To be fair, the pushing hasn't been very hard. The US government for example has been pushing for decades, but we still do not have any mandate. After years it is still not here and a lot of the pushing is posturing and threatening but not actual work being done, except for the law that passed in Australia. There are a lot of pushers in the EU, UK and US for weakening in encryption, but so far there has been no weakening in encryption. But I think it is bad. The way to describe this and talk about this, is to not fall into a security versus privacy argument. That is a stupid argument and it is not even correct. It is a security versus security argument. There is security in using encryption for our phones and computers, even though law enforcement and governments cannot spy on the bad guys. There is a security value in letting them spy on the bad guys even though it also allows to spy on the good guys. Which is better? It is security versus security. And when you think of it that way, it seems pretty obvious that we need to adopt a defense dominant strategy. That as long as an iPhone is in the hands of an elected politician, a police officer, a judge, a CEO, a nuclear power plant operator, a voting official, that the value of making them secure outweighs making them insecure. We need to talk about it that way. Defense has to win. I think the internet is too critical to society to weaken it for the security value of spying on the bad guys. I think that this is really important."

To protect or not to protect

On 6th July 2021 the European Parliament approved the ePrivacy Derogation, allowing providers of e-mail and messaging services to automatically search all personal messages of each citizen for presumed suspect content and report suspected cases to the police. The European Commission has already announced a follow-up regulation to make chat control mandatory for all email and messaging providers. However, chat control is a form of mass surveillance. In fact, the law entails that images would be checked against a secret database, and chat messages or comments on social media would be scanned for suspicious patterns.

Security value of things

Security is like having brakes on a car and a steering wheel in your hands. It gives you control. If someone can disable your security at will, you are not safe. Schneier wants us to realise that the focus should be on how much of our own security we are willing to give up for the security value of having fewer bad guys (assuming that it will be effective). To make that choice, you need to know how much both are worth compared to each other.

Does using encryption make you bad?

Encryption is a means of digital protection. There is a fallacy in the idea that we need to give up that security to stop child abuse (or privacy for that matter), apart from the fact that it makes you feel bad to object.

A law needs not only to be legitimised, it must also be good and deliver its goal. Now, how can we determine what is right? When would weakening security be proportional? Let's try to find an answer to that question.

Violations of human rights

Mass surveillance is wrong, legally and morally. It violates fundamental rights like the right to privacy and, for example, the necessity of being able to perform journalism. It goes against the principles of democracy and it is not compliant with the UN Universal Declaration of Human Rights. The European Court of Human Rights repeatedly ruled that mass surveillance contravenes European law (2014, 2019). For example, Austria decided not to implement mass surveillance, as the Austrian Constitutional Court ruled on 11 December 2019 that the surveillance law that permits the use of spying software to read encrypted messages violates the fundamental right to respect for private life (Art 8 ECHR), the fundamental right to data protection (§ 1 Austrian data protection law) and the constitutionally granted right that prohibits unreasonable searches (Art 9 Austrian bill of rights — “Staatsgrundgesetz”).

However, the desire of governments to implement systems of mass surveillance is big. Since Snowden we know governments keep an online eye on the entire population of their country if they want to, without any indication of criminal activities being present. Without telling anyone, because they are well aware their own behaviour is not allowed or dubious at best.

Follow the money

The answer to why governments want easy access to encrypted chats is actually not that difficult: it is about money. It is much easier and thus cheaper to get access to SMS messages or email than to obtain the content of encrypted conversations. Most people do not use encrypted mail, so there is no need for governments and agencies to focus on mail. How quickly that would change if we would all start using encryption for that too.

Tools in abundance

However, with or without backdoors: if you are an important suspect, they will get their hands on your communications either way. There are many tools and policies they can use to do the work, usually within the law - although we saw a dubious example of this recently, when it became clear the police in the Netherlands had been reading in on Signal channels of activists of Extinction Rebellion. And remember what Pegasus can do? The Dutch government purchased this malware, btw.

Flawed by Design

In 2016 the GDPR entered into force and one of the main protections it depends on is encryption. It is one of the main principles of Privacy and Security by Design, as it is the best way to secure your communications, whether in transit or at rest. How would we be able to apply and comply with GDPR if end-to-end encryption (E2EE) is broken? If so, it would be flawed by design. There is no option to have backdoors for the good guys only. Who are the good guys anyway? We already established it is not the government per se. And don't start about commercial organisations (I mean, who would actually perform the decrypting?). Whom would you trust with the master key?

European Data Protection Supervisor Wojciech Wiewiórowski said the indiscriminate scanning of private communications proposed by EU’s CSAM regulation “will always be illegal under the Charter of Fundamental Rights (and probably under several national constitutional laws as well)”.

Effectiveness?

And although it would not comply with other legislation such as GDPR anyway, it is impossible to outlaw encryption. This means we can seriously doubt that the objective of preventing criminals from using (other) encryption techniques can be met, an indication that chatcontrol will not achieve its goal. It is in fact a hefty power tool while the effect of being able to catch a comparatively small group of criminals has not been proven.

Bad things happen even without encryption

After the terrorist attack in Paris (Bataclan, 2015), there was a strong call from politicians for banning encrypted communications between citizens. However, encryption had nothing to do with the preparation of the attacks; the terrorists were mostly individually known (for example by posting their weapons training in Syria online) and they used their own credit cards to rent cars and used phones registered to their own names. This shows that weakening encryption would have had no impact on preventing the attack. So, how can we be sure this isn't exactly the same with respect to preventing child abuse? Is chatcontrol really suitable for the proposed purpose, can we be sure it will solve the problem? And if so, without harming others?

Have the cake and eat it too

If we put all this knowledge together, I see a clear flaw in the thinking of European politicians, namely that their solution of making us safe (against baddies), will not harm ourselves. Snowden shows us that it will. Pegasus shows us that it will. If there are backdoors to be used, they will be used and usually not with good intent. Not just by bad guys, but also by governments.

Targets

People like politicians, people with access to restricted areas, journalists and vulnerable people in particular will be targeted. It will be more difficult for victims to keep their communications secure. The real irony is that there are still politicians apparently willing to vote for backdoors anyway. In trying to make (some of) us safer from baddies, they choose to make us all less safe.

Informed decisions

The option of surveillance gives great responsibility to those who have the control. How can vulnerable groups be sure their government will not take advantage of their power and abuse it? Last week it became clear by leaked emails that US politicians of Christian nationalist nature have the agenda to wipe out the LGBTIQ community ("Under His Wings"). People of these vulnerable groups will be the first to worry about. We know power corrupts. They will be a target as politicians will use their strings - with corporations like service providers for example. Breaking encryption makes us all less safe and not just online, but in the real world.

Before we can make informed decisions about weakening encryption for the purpose of chatcontrol, we need to at least determine the security value for society of the possibility of catching more bad guys versus the security value of having good protection for all of us.

A product is either secure or not

Meta’s head of WhatsApp, Cathcart said in respect to the Online Safety Bill in the UK: “The reality is, our users all around the world want security. Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users. There isn’t a way to change it in just one part of the world. Some countries have chosen to block it: that’s the reality of shipping a secure product.”

A variety of other aspects

Apart from abuse of power, there are more aspects of security (and privacy) that seem to be not taken into account. For example: will the gathered information be adequately protected (I think of the creepy stuff of children that might be in the image database) - I mean, Snowden walked out of the NSA with top secret documents, so if that can be done, just imagine … - , which effect will the law have on the use of open source software like GPG for E2EE, what is the impact of age verification requirements to prevent children below the age of 17 from harm, i.e. will they do this without actually storing identity data? In addition there is also the idea of conducting client-side scanning (CSS) to circumvent the need to break encryption, but that comes with a whole lot of additional and new worries: who wants their devices constantly scanned and how will this be abused? I am not addressing those issues here, but, so much to worry about.

Authoritarian cryptolaws

Countries like China, Cuba, Iran, Libya, Sudan and Syria have cryptolaws that make use of encryption illegal. The list is longer, but does not contain democracies at the moment. For obvious reasons. We get to reset our politicians every four years, so we stay in control. Nevertheless, lobbyists (often former politicians) and greedy companies linger on for years, getting better at lobbying and getting greedier. We need to be informed if we want to hang on to our democracy. Just nodding, for example because of the clincher 'child safety and who would be against that', is not getting us anywhere.

False dichotomy

Fortunately, the Netherlands will vote against weakening encryption. I guess Austria will do the same. And probably Germany (see link). Maybe Hungary is bouncing with excitement to implement. We have no guarantees.

I believe the need for protection should be the focus in this discourse, because it is not just about you keeping things private. It is about the protection of all of us. Why should we give up on either of those? I truly hope that the narrative will change and focus on the question of why it would be necessary to weaken security in the first place.

So to come to my conclusion, I wonder: security, privacy and child safety, why not just have it all?

Helma (own views and silliness)


Sources

Amongst the sources I used for this article:
