Could Cameron Be So Stupid as to Undermine Encryption?

Yesterday I wrote about the appalling opportunism of many in the wake of the Paris attacks, and I quoted David Cameron's comment:

the question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.

I had assumed this was largely rhetorical - meaning that he wanted to bring in more powers for the UK's intelligence services. But many people have interpreted his words literally: that he would pass legislation ensuring that privacy was abolished in the UK. Some, like The Independent, have gone further, and guessed at what that might mean:

David Cameron could block WhatsApp and Snapchat if he wins the next election, as part of his plans for new surveillance powers announced in the wake of the shootings in Paris.

The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp.

Apple's iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram.

Unfortunately, Cameron's speech is not (yet?) on the 10 Downing Street site, so it's not possible to check whether he did mention those programs. I suspect not; I think this is people - not unreasonably - trying to work out what the implications of his comment would be.

Taken at face value, his words imply much, much more. As well as those chat apps, encrypted email would be affected. The UK government might be able to use warrants to twist the arm of big companies like Google and Microsoft to hand over encryption keys for specific users, but it won't be able to do anything about users of smaller services that have been set up specifically to avoid that eventuality. And what about PGP, Tor and OpenVPN? Even HTTPS could be a problem, since soon many sites will be using certificates provided by the Let's Encrypt project, and unlike companies providing such services, it will doubtless be unwilling to hand over anything to the British government.

Of course, for people in the UK, the authorities could use the pernicious Regulation of Investigatory Powers Act (RIPA) to demand the keys for any encrypted communication. They already have that power, and so don't need anything more. But that won't work for those outside UK jurisdiction, and it's hard to see how any new UK laws would be able to remedy that situation. As long as there are still some companies outside the UK that refuse to comply with RIPA orders, there will always be ways to keep communications private. Of course, the UK government could make it illegal to use such tools, but then people intent on mass murder are unlikely to worry too much about that.

As the above makes clear, it's hard to see how Cameron can turn his lazy rhetoric into reality. I rather suspect that, like many politicians, he doesn't understand the underlying technology, and just assumes that the "boffins" can come up with some wizard solution whereby the UK government can gain access to anything, while keeping out the "bad" people. Of course, as readers of this blog well know, that's not possible: once the security of a system is compromised by putting in government back doors, say, it is compromised for everyone. Even key escrow would be a security risk, as the Clipper chip showed.

That means that if Cameron's crazy plan is attempted, not only will the privacy of everyone in the UK be at risk, but so will things like commercial confidentiality and online security. Trying to give UK intelligence services access to everything will result in the weakening of crucial elements of the Internet's infrastructure. It will be easier for people to break into networks and company systems, easier to steal company information, easier to siphon off money from banks.

But it gets worse. As The Guardian reports:

The prime minister also appears to want to future-proof any new measure. Traditionally the security services and the police have always had the authority to intercept and read any letter or listen in to any phone call as long as they have a warrant personally signed by the home secretary. Cameron’s comments suggest that he wants a blanket law that would cover not only existing forms of communication such as encrypted services or Snapchat-style services but also any that might develop into the future. This would amount to an extremely sweeping new power.

If such a law were enacted, it would force every future piece of software produced in this country to be compromised. That guarantees that few people outside the UK would even think about using it - why should they, when it is certain to have backdoors that the UK secret services can use? That, in its turn, means that no sane entrepreneur would start up a tech company here in the UK, since it would be a pariah on the global scene, with no chance of expanding overseas.

Thus Cameron's blatant attempt to win a few votes in the wake of the Paris murders by sounding "tough" would not only threaten basic human rights in the UK, expose British citizens to greater risks when they went online, and endanger every company that has an Internet connection, it would probably destroy the healthy digital start-up ecosystem that is starting to form in this country. Not bad for a single, stupid idea. Well done, Mr Cameron.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+


Copyright © 2015 IDG Communications, Inc.
