The Blog

Why Banning Encryption Just Won't Work

This attitude encourages people who value privacy to seek out tools to protect it and this leads to encryption. The United States-based providers Google, Facebook and Apple all added encryption to their services as a response to Snowden. But now, the UK Government wants to go after that.

The recent report by independent think tank the Royal United Services Institute (RUSI) has given its recommendations for the interception of communications by the intelligence services. This is the second report within the last two months that has contested the idea of politicians having the power to issue warrants for the intelligence services to conduct mass surveillance on UK citizens. Both have been requested by the UK government to help formulate policies that will influence the proposed new draft of the communication bill due in Autumn 2015. It remains to be seen if their recommendations will be accepted with pressure from security services to limit privacy related tools.

The Anderson Report's recommendations start with the assertion that any changes to current regulations should 'affirm(s) the privacy of communications'. It seems the Government will likely not want to honour this initial view and will seek to allow unprecedented access to all our communications.

We used the phrase "unprecedented" after the material released by Snowden showed the scale of state snooping. Privacy campaigners and Freedom fighters everywhere hoped those revelations would herald an open debate of what is acceptable and what a state should be allowed to do. Instead, we have had a ramping of rhetoric around national security and no debate. The UK Government, if it really does seek to ban encryption tools, is stepping into state surveillance not seen in Europe since the days of the Stasi in East Germany.

Hyperbolic? Not at all. Consider the response to Snowden by the US and UK Governments. In the US, it was acknowledged that the NSA had overstepped the mark and large companies like Facebook and Google went knocking at the Whitehouse door. The Senate introduced regulations to overhaul NSA regulations, whilst the UK Government and GCHQ have never even acknowledged the truth of the facts Snowden shared.

This attitude encourages people who value privacy to seek out tools to protect it and this leads to encryption. The United States-based providers Google, Facebook and Apple all added encryption to their services as a response to Snowden. But now, the UK Government wants to go after that.

The trouble is, the Internet and its safety are built on encryption. Every banking transaction and most of the websites we interact with use varying levels of encryption to protect us from criminals. Most companies encrypt messages, access to company data and websites to protect their IPR. It's impossible to outlaw encryption.

Could the government then block specific apps? Let's take a look at how this might work, using the example of WhatsApp.

First, they could ask Google and Apple to remove the apps from the UK-facing stores, then they could get ISPs to block access to the services, most likely by blacklisting the IP addresses that host the service. All do-able to an extent, but is it really effective? No, inevitably the app would leak and be made available outside the app stores (for IOS users, this would mean rooting the phone to install something that would deter many users, but not all).

Some stubborn users would find ways around blocks (the way democracy campaigners in Myanmar, China and North Korea) have had to find ways of getting around their governments' censorship of the Internet. Are we really going to ask UK citizens to have to employ the same techniques used by those who fight oppression and totalitarianism, so teenagers can chat? And for those stubborn users, what would happen when traced or caught? Are we going to criminalise the nation's teenagers for said chat?

Many other customers would simply migrate to alternative messaging tools. There are many good open source encryption tools, whilst not trivial to implement, it's certainly straightforward for someone who can build messaging platforms.

Ban WhatsApp and successors will arrive pretty soon. So, the Government would need a regulatory body whose job it is to identify "offensive" applications. This body would need to monitor internet traffic, identify encryption tools, evaluate them and decide if they are legal or not. That's a lot of bureaucracy.

Finally, there would inevitably be pressures, legal and commercial. Facebook (which owns WhatsApp) won't be happy, nor will the UK tech industry, which will see innovation in a key area of internet technology stymied.

In summary, to ban would be technically difficult, onerous and probably ineffective as alternative products would emerge and users would find work-arounds. It would be massively unpopular and alienate a generation of our kids. It would require new regulation and may face legal and commercial challenges.

In a related case, the Government forced all UK ISPs to introduce parental controls. All the major vendors have complied using network-based controls. Whilst it's laudable to protect children from harmful content, adoption of these services has been low. ISPs are loath to share stats, but figures are thought to be no more than 5 per cent usage - even with heavy promotion. When applied, they are very easy for teenagers with access to YouTube to find work-arounds. We've seen some scope creep with the Government, using these filters to introduce forms of censorship through incorrectly classifying sites as harmful. The Government then has a track record of foisting ill-thought through technologies on UK Internet users.

So is it bluster then? Quite possibly. It's much easier to lean on Facebook, to either remove the encryption or at least share the decryption keys with our security services. For the larger providers of casual messaging services (like WhatsApp), this could be a work-around. There could be a scary knock-on for other companies though. There are hundreds of encryption tools (free and paid-for available for email or instant messaging.

Would the Government seek to ban all of them? This would be pretty impractical, but they could (via the ISPs) monitor who is using such apps and create a "watch-list". This, for me, is a real concern. The UK Intelligence Services don't just want your messages, they want to know where you are, who you talk too and how you do so. No-one denies they should not have the capability to investigate this data. But it should be done based on legitimate investigation of criminal acts with judicial approval. Not blanket surveillance, poorly regulated and without privacy baked in.

What is the driver for all this? Well, the argument is one of national security versus privacy. The government is heavily influenced by GCHQ, whose technical director recently said: "At its heart, the internet economy is fundamentally incompatible with privacy." But privacy advocates would argue, these communications are private in the same way what happens in our homes is private. Security services do not have the right to snoop on what we do at home, unless there is criminal concern and they have followed an established judicial process. Why should it be different for our private messages?

If the Anderson report is the template for the new bill, then it should implement many of his recommendations including that monitoring requests should be done with judicial approval of warrants.

All of this has parallels with the UK Government's approach to drug policy - ignore expert advice that consistently recommends licensed use and, instead, ban, ban, ban. This has proved unsuccessful. Drug usage has not decreased overall and, when substances have been banned, we have seen an emergence of 'legal highs' which have caused deaths themselves.

Drug policy is based on kneejerk banning orders, that don't address why people use drugs and the social issues associated. Similarly, banning encryption isn't banning criminals or terrorists - they will continue to operate in different ways. Whilst, the legacy for the rest of us is invasive state monitoring and potential curbs on freedom of expression and future abuse by security services.