
We're Not as Scared as We Should Be About the 'Snoopers' Charter'


Theresa May was hoping yesterday to finally clear the air over the Investigatory Powers Bill, otherwise known as the 'Snoopers' Charter'.

What she wanted to clear up was the ongoing discussion about encryption and whether the government would ban it. It's the part of the bill that resulted in the headlines: 'The Government Wants to Ban WhatsApp'.

The reason they'd want to ban it is something called end-to-end encryption. It's the technology that scrambles your messages and hides them from governments and from WhatsApp, Apple and Facebook.

What she said was quite simply that the government would not ban encryption (the technology which makes your messages secure), but instead that companies should make 'reasonable' efforts to hand over the data to the government.

That's entirely contradictory, because for companies to do that they will need to essentially remove encryption in the first place.

The 'Snoopers' Charter' is confusing, worrying and, for many, just jargon, so to try and clear this issue up I chatted with Richard Anstey, EMEA CTO at Intralinks, a secure online collaboration platform:

Right, what is end-to-end encryption?

End-to-end encryption is the jumbling of information using a 'magic key' to then decrypt it. What happens is that each party has a couple of keys, one which is public and one which is private.

So if I want to send something to you, I use your public key to encrypt it in a way that only your private key can decrypt it.

True end-to-end encryption is also known as 'Zero Knowledge', which means that the middle party (Apple, Facebook) has zero knowledge of the information contained within the message.

Can anyone other than the recipient read an end-to-end encrypted message?

No, not if you're using Zero Knowledge. However, there are arguments that say if you used all the computing resources currently available in the world how many millions of years would it take to encrypt it etc. Put simply, the strength of encryption now means it's just not feasible.

OK, so what could companies/governments do to then read our messages?

They would have to change the way in which the system works. You could use a weaker encryption algorithm, or they could grab everybody's private keys. This is what's known as a 'back door'.

Apple could simply tell iMessage to start collecting the private keys on everyone's phone, but then that would be changing the way the system works.

This would essentially mean you're still getting end-to-end encryption but you're removing the 'Zero Knowledge' aspect of it, which in turn makes the whole exercise fairly pointless.

So what are the government proposing?

They're not banning end-to-end encryption, but every hint they've given so far suggests they want to cripple it by legally demanding that companies create the 'back door' we've been talking about.

It's the reason Tim Cook's so upset about the whole thing and it's the pivotal point that allows the government to say they're not banning it but yet still getting what they want at the end.
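The public/private key exchange and the 'back door' described in the answers above, as an added illustration that is not part of the original interview and is not any real messenger's protocol. It assumes a toy Diffie-Hellman-style scheme built from the Python standard library; the names `keypair`, `encrypt`, `decrypt`, `Relay` and `escrow` are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters for illustration only (assumption): real messengers use vetted
# constructions such as X25519 with an AEAD cipher, not this hand-rolled scheme.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private key: never leaves the device
    return priv, pow(G, priv, P)                 # public key: safe to publish

def _keys(priv, peer_pub):
    secret = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(b"enc" + secret).digest(), hashlib.sha256(b"mac" + secret).digest()

def _xor(key, data):
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(recipient_pub, plaintext):
    eph_priv, eph_pub = keypair()                # fresh sender key for every message
    enc, mac = _keys(eph_priv, recipient_pub)
    body = _xor(enc, plaintext)
    return eph_pub, body, hmac.new(mac, body, hashlib.sha256).digest()

def decrypt(recipient_priv, envelope):
    eph_pub, body, tag = envelope
    enc, mac = _keys(recipient_priv, eph_pub)
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return _xor(enc, body)

class Relay:
    """The service in the middle: it forwards envelopes it cannot open."""
    def __init__(self):
        self.escrow = {}                         # user -> private key; empty by design

    def try_read(self, user, envelope):
        priv = self.escrow.get(user)
        return None if priv is None else decrypt(priv, envelope)

def demo():
    bob_priv, bob_pub = keypair()
    envelope = encrypt(bob_pub, b"meet at noon")  # constructed sample message
    relay = Relay()
    before = relay.try_read("bob", envelope)      # zero knowledge: nothing to decrypt with
    relay.escrow["bob"] = bob_priv                # the 'back door': the key is collected
    after = relay.try_read("bob", envelope)
    return decrypt(bob_priv, envelope), before, after
```

The encryption code is identical before and after the key is escrowed; the only change is who holds the private key, which is why the service stops being 'Zero Knowledge' while the messages are still technically encrypted end to end.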

Speaking to Richard, it became clear that these answers were just one small part of a much wider issue, which, quite simply, is that there's absolutely nothing the government can do to really get this information.

"It sounds like a very complex topic and so people try to back away. It's not that complex: there's an algorithm, it's just a formula. They're in the public domain, they were published by the early researchers and they're absolutely common knowledge.

So you can't take away that common knowledge; it's like saying you must not use Pythagoras' theorem. What they're trying to say, I think, is that anyone who's providing that service must find a way to be able to break it, so you've got to downgrade the power of the algorithms.

Even if you do that, it's very difficult to stop someone from jumping to another service in another jurisdiction. Even if the UK were to do this, what's to stop someone jumping to another service run from another country?"

This is the crucial point: the bill suggests that it would expect a 'reasonable' amount of cooperation in getting that encrypted information, but it doesn't actually specify what that entails.

Here's what we need to know: Does 'reasonable' include a back door into encryption, and if not then what does it actually mean?

So what have we learnt from this? Well, quite simply, it's that gaining access to end-to-end encryption won't give you any better access to criminal messages, because those responsible will just jump ship to an app that doesn't have to follow UK law.

What it will do though is make the general public's information vulnerable and visible, and that's why the public should be scared.