The government has been challenged to set out how it can “clearly and transparently” allow law enforcement agencies and intelligence services access to encrypted communications while still maintaining communications security.
Ciaran Martin, founder and former CEO of GCHQ’s National Cyber Security Centre, and now a professor at the University of Oxford, said the onus should be on the government to set out detailed technical options for scrutiny and debate on its plans to monitor encrypted communications.
His comments came amid increasingly polarised arguments between the Home Office, which argues that end-to-end encryption allows people to spread child abuse images or terrorist content, and cryptographers who warn that weakening encryption would undermine the security of everyone.
Home secretary Priti Patel has singled out Facebook, calling for it to abandon plans to extend end-to-end encryption from its WhatsApp service to Messenger and Instagram, on the grounds that encryption would assist criminals.
But Martin said in a lecture organised by the Bingham Centre for the Rule of Law, that the use of end-to-end encryption must be permitted unless a technical compromise can be found that is acceptable to the tech industry and cryptography experts.
“If a suitable technical compromise solution that commands widespread expert and industry confidence cannot be reached, then security must win, and end-to-end encryption must continue to expand, legally unfettered for the betterment of our digital homeland,” he said.
Onus is on government
The government argues that the tech industry should enable government access to encrypted messages, while at the same time demanding the highest levels of cyber security.
“Surely though, the onus is on the government, not the industry, to set out clearly and transparently how they believe these two seemingly irreconcilable objectives can be met in the same regulatory package?” said Martin.
Technology companies and cryptographers claim that the government’s demands are simply not possible – the government is in effect, trying to argue against the laws of mathematics.
If the UK and US governments can read encrypted messages, so potentially can criminals, or hostile nation states such as North Korea or Russia.
Extensively researched proposals to find a compromise, including proposals by Ian Levy, technical director of the National Cyber Security Centre to use “virtual crocodile clips” to listen in to encrypted communications, have failed to convince sceptics, said Martin.
Plans by Apple to introduce “client-side scanning” technology to detect child abuse images before they are encrypted provoked a backlash from the world’s top cryptographic experts and internet pioneers and have now been suspended.
An expert report identified over 15 ways in which states or malicious actors, and targeted abusers, could turn the technology around to cause harm to others or society.
Martin spoke sceptically about the Home Office programme, known as the Safety Tech Challenge, which is offering a prize to companies that can implement end-to-end encryption “without opening the door to greater levels of child sexual abuse”.
If anyone can develop the innovative technology the Home Office envisages, he or she is likely to be worth a lot more than the £85,000 promised by Her Majesty’s Treasury.
“The government has some way to go to convince people that it has not just launched a competition to develop the digital age equivalent of alchemy,” he said, in a speech first reported in Prospect magazine.
He said much of the public intervention at ministerial level over the last three years appears to have been spent “shouting at Facebook,” which has been slower than other tech companies to implement end-to-end encryption across its platforms.
The prospect of Facebook fully encrypting its services has alarmed organisations such as the National Society for the Prevention of Cruelty to Children (NSPCC), which reported in 2019 that half of the reports of online abuse came from Facebook platforms. In the US the figure is closer to 90%.
Home secretary Patel, along with other interior ministers of the Five Eyes countries, wrote an open letter to Facebook CEO Mark Zuckerberg the same year, urging him not to introduce end-to-end encryption.
But Martin said it was unreasonable to conclude that Facebook accounts for the vast majority of online child sexual abuse. The figures simply reflected the fact that Facebook has not yet implemented end-to-end encryption.
“The difficult reality is that these policy interventions are, in effect, demanding that one very large and increasingly unpopular company does not do what most of its competitors have already done,” he said.
“Of all the legitimate complaints we can have about Facebook’s business practices, catching up with the rest of the industry on what has become broadly-accepted best practice in messaging platform security is surely not top of the list.”
The Investigatory Powers Act 2016 gives the government powers to issue Technical Capability Notices (TCNs) to require communications companies to remove encryption or provide communications in intelligible form, when required.
Martin said the government needs to be transparent and honest with the public over its approach to encryption.
“If it is to be the case that end-to-end encryption poses such a threat to public safety that its implementation and use must be constrained by law, then the government needs to be absolutely open about what that means,” he said.
That means the government should level with the public that digital protections will not be as good as they might be otherwise, but the greater good demands that law enforcement can access encryption.
There should also be more openness about what sort of Technical Capability Notices are needed, why and how they are applied.
“If we learned anything from Snowden, it’s that the state needs to seek informed consent for what they do in this space. Relying on a general sense of ‘those with nothing to hide have nothing to fear’ is a terrible idea’,” he said.
Encryption cannot be wished away
Martin said the revolution in digital security brought about by encrypted services such as Signal cannot be wished away, “Canute like”.
“It is hard to see a blanket ban on end-to-end encrypted services, and it is hard to see an increasingly security- and privacy-savvy population doing anything other than flock to them, the bad minority as well as the good majority,” he said.
The difficulties for law enforcement are real, he said. adding he had no doubt that if Facebook moves to end-to-end encryption it would make the job of law enforcement harder.
But he said the widespread use of encryption is the latest cycle in a game of cat and mouse between technology and law enforcement.
Technology changes, criminals use the new technology, the good guys catch up, the technology changes, and the cycle starts over again.
“Looked at this way, end-to-end encryption is just another practical operational issue, not an issue of principle,” he said.
Even in the aftermath of the NSA whistleblower Edward Snowden, governments did not “go dark”, they “went spotty”. They had access to a lot of data but not all the data they needed or had access to before.
Often, though not always, there are other ways for law enforcement to get hold of the information they need.
For example, in 2015 the FBI attempted to compel Apple to unlock the iPhone of the San Bernardino terrorist, but after a protracted legal battle the FBI managed to access the phone in a different way.
“Would it really have been better,” Martin asked, “if the US government had won and compelled Apple to do something that would potentially compromise all of its phones?”
He suggested that both sides in the argument over end-to-end encryption should approach the problem with “fairness” and “generosity of spirit”.
“Instead of traducing the good intentions and vital work of policing and intelligence with offensive accusations that they’re ‘playing the child abuse card,’ why not redouble efforts to help bring offenders to heel in the new technological dispensation?”