Digital encryption no longer some fancy exotic feature

Karlin Lillington: David Cameron’s and Barack Obama’s attempts to expand the power of security agencies aren’t anything new

If the national legislatures of the UK and US decide their leaders are right, and laws are passed to cripple encryption and permit other forms of mass surveillance, the world – especially the business world – will become a very strange, more vulnerable and difficult to regulate place.

UK prime minister David Cameron’s suggestion last week that all digital encryption in Britain be maimed by supplying back doors for security organisations, and President Obama’s dovetailing proposals for new cybersecurity laws, suggest national politics remain disconnected from the realities of technology, the internet, business and, for that matter, security.

Liberal Democrats accused Cameron of being “technologically illiterate” for proposing new online data surveillance legislation to ensure law enforcement would have access to all encrypted data. Cameron said such legislation would guarantee there would be “no means of communication” that “we cannot read”.

But encryption becomes meaningless when there’s a master skeleton key that can unlock it, allowing backdoor access to the data. That master key is a substantial, persistent, crippling risk. What if the key is leaked? What if it is hacked? If such a key exists, it will be an immediate hacker target.

Cameron and Obama’s attempts to expand the power of security agencies aren’t anything new. Every time a terrorist incident occurs, spooks attempt to make quick political capital out of it. While people are scared and politicians feel they can score public points by appearing to be hardliners in control, proposals are made to give these secretive organisations more legal powers.

That's even though successive leaked documents from whistleblower Edward Snowden have shown these agencies pay scant attention to existing laws and frequently operate outside of them – especially the UK's General Central Headquarters. In recent weeks, for example, we learned that it snooped on all communications – that would include all government, business and citizen data – travelling over the major undersea fibreoptic cables connecting Britain and Ireland.

Leaked report

Even as Cameron implied encryption made society more vulnerable because terrorists use it to encode communications, a leaked 2009 report from the US National Intelligence Council (which answers directly to the head of intelligence in the US) undermined his “security equals surveillance” bombast. The report, again from Snowden, stated unequivocally that encryption is essential to business and consumer security, offering the “best defence” for private data.

Encryption is no longer some fancy exotic feature. It’s as mundane as can be, an embedded feature in business services and applications. Most day to day business operations, from ordinary communications using a Gmail account, to an online purchase from a website, to the automated backing up of corporate data, to the processing of credit card transactions, involve the routine use of encryption.

Encryption protects businesses and consumers. It can also be used by terrorists, yes, but banning encryption for this reason would have the same logic as dismantling the internet, or abolishing the ability to wire money, because terrorists use those things as well.

Or, as one National Security Agency employee told me once at a security conference lunch (before he realised I was a journalist): "If the government really wanted to prevent criminals and terrorists from communicating secretly, it should just ban envelopes."

Deja vu

That was 17 years ago, when a battle was raging in the US over the use of encryption (yes, it’s a bit of a deja vu moment right now for those of us with long memories and an interest in digital security). The US had imposed restrictions on the export of products containing “strong” encryption – basically, what’s used now every time you buy a book on Amazon or file your taxes with Revenue.

The export ban was finally lifted in the early part of the last decade – a move signalled first here in Ireland during a visit by President Clinton, when he signed an agreement with the Irish government using strong encryption digital signatures.

If it hadn’t been lifted, we’d not have had the global economic transformation that has come from the internet – or at least, the US would have been more a bystander than a participant, something Clinton no doubt realised.

But fast forward to the current proposals. Encryption is now so widespread, so mainstream, so international, that if the US and UK seek to force limits on its use, and potentially expose all US and UK users of it to the persistent threat of massive data leaks and hacks, who will want to run businesses from those countries?

Naive

Likewise, it is incredibly naive to believe that, if terrorists cannot use Gmail, that will be that. We are in a world where cryptocurrencies such as bitcoin, created using the same basic idea as encryption for data communications, can be invented anonymously and become internationally significant.

It’s idiotic to believe that new encryption products won’t likewise be created for communications, even as economies deprived of adequate mainstream encryption will suffer and grow even more vulnerable to hacker attacks, cyberterrorism and espionage.

One imagines a potential intellectual and business capital shift to other, wiser nations. How would large multinationals react, with their international data and cloud centres? What would be the response of, say, US-based banks forced to use weakened encryption? It is an almost unimaginable scenario.