Why Theresa May’s Encryption Plans Are a Danger to Us All

I realise it’s been a while since I posted something up here, so here’s an article I wrote recently for Top10VPN’s new Privacy Central site:

The UK has been unlucky enough to know terrorism for quite some time. Many will remember the IRA campaigns of the 1970s and ’80s. This was an era before smartphones and the internet, yet the Irish paramilitary group continued to wage a successful campaign of terror on the mainland.

It continued to recruit members and organise itself to good effect. Politicians of the modern era, led by Theresa May and various members of her government, would do well to remember this when they launch into yet another assault on Facebook, Google, and the technology platforms that are alleged to provide a “safe haven” for Islamic terrorists today.

Now she is calling for greater regulation of cyberspace, something the independent reviewer of terrorism legislation has openly criticised. Along with increasing moves across Europe and the world to undermine end-to-end encryption in our technology products, these are dangerously misguided policies which would make us all less safe, less secure and certainly less free.

Our “Sliding Doors” moment

Every time a terror attack hits, the government continues its war of words not simply against the perpetrators, but against the tech companies who are alleged to have provided a “safe haven” for them. After all, such rhetoric plays well with the right-wing print media, and large parts of the party.

“Safe haven” has become something of a mantra for the prime minister, alongside her other favorite: “strong and stable”. She argues that terrorists are hiding behind encrypted communications on platforms like Facebook’s WhatsApp and Apple’s iMessage, and are using social media platforms like YouTube to recruit members and distribute propaganda.

“We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services, provide,” May said after the London Bridge attacks. “We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorism planning.”

Part of the regulation May wants to bring in could include fining tech companies that don’t take down terrorist propaganda quickly enough. Max Hill QC, independent reviewer of terror legislation, has rightly questioned this hard-line approach.

“I struggle to see how it would help if our parliament were to criminalize tech company bosses who ‘don’t do enough’. How do we measure ‘enough’? What is the appropriate sanction?” he said in a speech reported by The Times.

“We do not live in China, where the internet simply goes dark for millions when government so decides. Our democratic society cannot be treated that way.”

China is an interesting parallel to draw, because in many ways it offers a glimpse into an alternative future for the UK and Europe; one in which government has total control over the internet, where freedom of speech is suppressed and privacy is a luxury no individual can claim to have.

The problem is that no one sees authoritarianism coming, because it happens slowly, drip by drip. Regulating cyberspace would begin a slow slide into the kind of dystopic future we currently know only from sci-fi films. As Margaret Atwood’s heroine Offred says in her acclaimed novel The Handmaid’s Tale: “Nothing changes instantaneously: in a gradually heating bathtub you’d be boiled to death before you knew it.”

In many ways, we sit today at a Sliding Doors moment in history. Which future would you prefer?

The problem with backdoors

End-to-end encryption in platforms like WhatsApp and on our smartphones and tablets is something Western governments are increasingly keen to undermine, as part of this clampdown. It doesn’t seem to matter that this technology keeps the communications of consumers and countless businesses safe from the prying eyes of nation states and cybercriminals – it’s also been singled out as providing, you guessed it, a “safe space” for terrorists.

The Snoopers’ Charter already includes provisions for the government to force tech providers to effectively create backdoors in their products and services, breaking the encryption that keeps our comms secure. In fact, the government is trying to sneak through these provisions without adequate scrutiny or debate. They were leaked to the Open Rights Group and can be found here.

It remains to be seen whether the British government could actually make this happen. An outright ban is unworkable and the affected tech companies are based almost entirely in the US. But the signs aren’t good. Even the European Commission is being strong-armed into taking a stance against encryption by politicians keen to look tough on terror in a bid to appease voters and right-wing newspaper editors. Let’s hope MEPs stand up to such calls.

The problems with undermining encryption in this way are several-fold. It would give the state far too much power to pry into our personal lives, something the UK authorities can already do thanks to the Investigatory Powers Act (IPA), which has granted the government the most sweeping surveillance powers of any Western democracy. It would also embolden countries with poor human rights records to do the same.

Remember, encryption doesn’t just keep terrorist communications “safe” from our intelligence services, it protects journalists, human rights activists and many others in hostile states like those in the Middle East.

More importantly, it protects the communications of all those businesses we bank with, shop with, and give our medical and financial records to. The government can’t have its cake and eat it: recommending businesses secure their services with encryption on the one hand, but then undermining the very foundations on which our economy is built with the other.

Once a provider has been ordered to create a “backdoor” in their product or service, the countdown will begin to that code going public.

It’s inevitable.

Even the NSA and CIA can’t keep hold of their secrets: attackers have managed to steal and release top secret hacking tools developed by both. In the case of the former this led to the recent global ransomware epidemic dubbed “WannaCry”.

Why should we set such a dangerous precedent, putting our data and privacy at risk, while the real criminals simply migrate to platforms not covered by the backdoor program?

“For years, cryptologists and national security experts have been warning against weakening encryption,” Apple boss Tim Cook has said in the past. “Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

In short, we need more police officers, constructive relationships with social media companies, and smarter ways of investigating terror suspects. Dragnet surveillance, encryption backdoors and more internet regulation are the quickest way to undermine all those democratic freedoms we hold so dear – and send us hurtling towards that dystopic authoritarian future.

Why F-Secure and Others Are Opposing the Snoopers’ Charter

It’s widely expected that next week the government will unveil details of its hugely controversial Snoopers’ Charter, aka the Investigatory Powers Bill. To preempt this, and in a bid to influence the debate, cyber security firm F-Secure and 40 other tech signatories presented an open letter opposing the act.

Most controversially, the bill is expected to force service providers to allow the authorities to decrypt secret messages if requested to do so in extremis. This is most likely going to come in the form of some kind of order effectively banning end-to-end encryption.

I heard from F-Secure security adviser Sean Sullivan on this to find out why the bill is such a bad idea.

To precis what I wrote in this Infosecurity article, his main arguments are that forcing providers to hold the encryption keys will:

  • Make them a likely target for hackers, weakening security
  • Send the wrong signal out to the world and damage UK businesses selling into a global marketplace
  • End up with China or other potentially hostile states in which a service provider also operates requesting these encryption keys too – undermining security further
  • Be useless, as the bad guys will end up using another platform which can’t be intercepted

I completely agree. Especially with Sullivan’s argument that the providers would become a major target for hackers.

“End-to-end encryption makes good sense and is the future of security,” he told me by email. “Asking us to compromise our product, service, and back end would be foolish – especially considering all of the back end data breach failures that have occurred of late. If we don’t hold the data, we cannot lose control of it. That’s just good security.”

One other point he made was the confusion among politicians about tech terminology as basic as “backdoor” and “encryption”.

“A lot of UK politicians end up putting their foot in their mouth because they don’t properly understand the technology. They try to repeat what their experts have told them, but they get it wrong. UK law enforcement would probably love to backdoor your local device (phone) but that’s a lost cause,” he argued.

“The politicians (who actually know what they’re talking about) really just want back end access. As in, they want a back door in the ‘cloud’. They want to mandate warranted access to data in transit and/or in the back end (rather than data at rest on the device) and fear that apps which offer end-to-end encryption, in which the service provider doesn’t hold any decryption keys, are a threat.”

Let’s see what happens, but given the extremely low technology literacy levels among most politicians I’ve got a bad feeling about this one.


News of the World hackers, hacked ATMs and celeb snooping

News of the World private investigator Glenn Mulcaire was this week revealed to have gone to extraordinary lengths to hide his illegal tapping of celebrities’ voicemails: hacking an ATM to use its phone line.

I covered the story here for Infosecurity Magazine but thought it was worth including some extra comments.

Mulcaire’s cover was finally blown when BT sent a bill for the landline to the ATM owner, who forwarded it to the convenience store in which it was located, in a scruffy part of south London.

Sophos senior security advisor, Paul Ducklin, explained to me that Mulcaire probably chose an ATM line rather than tapping a copper phone line via other means, for several reasons.

“1. Unlike a fax machine the line never plays through a speaker for feedback purposes. Fax machines usually play their modem noises for a few seconds as part of the ‘user interface’.

2. If you interrupt a data transmission, the system will probably sort itself out automatically later on and no-one will realise that it was deliberate, rather than just a glitch. And you’ll hear the modem trying to come on-line, so you can hang up temporarily to get out of the way.

3. It’s likely to be a rented service that bundles in the phone line, so the bills probably go through a convoluted route to the person where the line is actually installed, making detection more complex – as happened here.”

He stressed the importance of business owners checking their phone statements, just as one should bank statements or those belonging to online accounts, for any signs of suspicious activity.

“Cybercriminality usually leaves traces, and the one thing you can be sure of if you don’t make a habit of looking for those traces is that you won’t find them,” Ducklin told me.

“In various recent high-profile credit card breach cases, the afflicted retailer found out because someone outside the organisation noticed suspicious patterns of fraud. Best not to wait until someone else finds out before you do.”


Don’t worry Cisco, you’re not getting kicked out of China

A lot of media reports have been flying around this past week or two predicting that US tech firms will find life increasingly difficult for them in China following the various revelations leaked by Edward Snowden.

It’s a compelling narrative and on one level makes quite a bit of sense.

If, as the PRISM whistle-blower has claimed, the NSA really is spying on foreign targets including China and Hong Kong and even allies like the EU, then the logical next step would be to assume it could be doing so with the acquiescence of US technology providers who have managed to establish a firm foothold in the country.

After all, wasn’t it US lawmakers who branded Huawei and ZTE a national security threat due to the perceived risk of the firms being forced by Beijing to modify systems to enable state-sponsored eavesdropping?

No wonder then that Chinese state-run media including the English language Global Times have called for US companies including Cisco to be replaced by domestic providers. China Daily even sourced an anonymous “industry insider” who claimed: “There is a terrible security threat in China from US-based technology companies including Cisco, Apple and Microsoft.”

There’s good reason to believe that Cisco et al won’t be overly concerned about such claims, however.

For one thing, although its kit is all over China’s network infrastructure, the market there accounts for less than 5 per cent of turnover.

Huawei is probably Cisco’s biggest Chinese competitor, especially in the telco edge router market, and has certainly been taking market share from the venerable US giant, but a rip-and-replace policy of the sort advocated in the Chinese media is simply not practical.

“I would say a few vendor replacements had considerations beyond the offerings themselves, for example for certain clients with high security sensitivity,” Gartner analyst Tina Tian told me. “But much more of it would be purely a market decision.”

As for the other US technology providers, the likes of Google Android, Microsoft and Apple between them control just about the entire mobile and desktop operating system market in China.

For that reason and the lack of strong domestic alternatives (for the time being) we’re just not going to see wholesale changes here, which could even work in Cisco’s favour, according to Tian.

“Even if China could replace all the networking equipment from foreign vendors, their data would still need to be handled by IBM, Oracle, HP, EMC, Intel and also Microsoft,” she said.


The truth about PRISM (no, honestly)

Just a short post this week because it has quite frankly been a quiet week apart from one massive story that has dominated the headlines worldwide, except quite notably mainland China: PRISM and the IT whistle-blower Edward Snowden.

By far and away the most balanced, most informative and least hyperventilatingly hyperbolic piece was over at El Reg, where Duncan Campbell picked through the actual facts about PRISM so far to conclude that, actually, most of it is legal and definitely not tyrannical.

My key observations from his piece are as follows:

  • Prism is nothing compared to the powers the UK government was asking for in its draft Communications Bill – now shelved for the time being. It is also pretty similar to what goes on in police offices and other agencies all over the country where officers act on RIPA requests to collect comms data.
  • The NSA has numerous other similar schemes including direct Deep Packet Inspection, which have been going on in the background and arguably are more intrusive on personal freedoms.
  • The scheme costs around $20m a year and as such is definitely small fry in terms of the extent and type of surveillance involved. NSA’s overall budget is an estimated $10 BILLION.
  • The number of requests disclosed by Microsoft, Google et al via PRISM is even far lower than the government requests they’ve disclosed not associated with the scheme.
  • Where Microsoft is concerned, at least, most requests (2%) were for non-content data – ie just account details but not the content of messages. I imagine the same is true of other web service providers.
  • These providers may have said they didn’t know about PRISM because it is just an internal codename used by NSA.

What people should REALLY be worried about here is not PRISM per se but the other Guardian scoop – that Verizon was issued with a secret warrant “requiring wholesale delivery of all call data records from their entire system”. That and the doubtless other similar requests which other comms providers have been issued with are more insidious and certainly warrantless compared with PRISM.

It’ll be interesting to see whether the future “scoops” which The Guardian promises will focus on these. I for one would be interested to see whether UK operators have been subject to similar orders from GCHQ.