Every few months there is another salvo of allegations about the desire of governments, particularly those in the UK and US, to somehow ban or circumvent the use of encryption on the Internet.
So far all this has revealed is that some governments want free access to private electronic communications, but don’t seem to know how to achieve that, other than by making sweeping statements which they then have to correct.
In the UK, for example, the Prime Minister has been variously quoted as saying that it should not be permissible for there to be a means of communication between two people that government agencies cannot read. But when the everyday importance of encrypted communications in commerce, for example, has been pointed out, and there have been other examples cited of the routine use of encryption for some forms of privacy, “sources” have claimed that there is no intention to ban encryption.
The letter from Baroness Shields, the UK Minister for Internet Safety and Security, to Yvonne Fovargue MP shown in Business Insider UK’s report makes it clear what the UK government’s intention is: “to retain the ability to access information where necessary for a counter-terrorism investigation and under warrant.”
Although Baroness Shields has a long and glittering CV of technology management – see Wikipedia or her own website – she is not a programmer or engineer by trade. Curiously, for a short while she worked for a storage encryption company, Decru, which was later bought by Network Appliance, but again this was at an executive or managerial level.
Apart from the fact that, even if the UK were to be turned into a Police State on the pervasive model of the former East Germany, the government has not a snowball’s chance in hell of achieving that stated intention, it has bigger problems too.
Regardless of concerns over privacy, no government has a universal ability (let alone right) to access all the information which it might want to.
I can have a conversation with someone to which only the two of us are witnesses. As the entire UK is not yet instrumented to record every word spoken by its peoples, the only two people who can give access to the information exchanged in that conversation are its participants. And the law no longer permits the two of us to be subject to torture, and does not yet permit the administration of drugs or other aids which might extract from us that private information. If we choose to withhold that from counter-terrorist or other investigators, there is nothing that they can do to extract it from us.
Furthermore, if I give that other person several hundred pages of handwritten encrypted material, which is later seized under an appropriate warrant, there is nothing that counter-terrorist or other investigators can do to force us to decrypt those pages for them.
Ever since the invention of codes and cyphers, perhaps almost as early as the dawn of written communication, the challenge has remained for interceptors (whether given right by law, or not) to crack the code or cipher. This was the task for Alan Turing and the staff at Bletchley Park during the Second World War, and for their counterparts in Germany and Japan working on Allied encrypted traffic. David Kahn’s superb history of the field The Codebreakers gives a good idea of the effort which has been expended in the past.
To a certain degree this changed with the introduction of the telegraph and then the telephone: official interception of these novel means of communication was provided for in law. But still there remains the problem of encryption: no matter how much wire-tapping went on, if I spoke over the phone using a code or cipher, there was and is no legal right to force me to decrypt that content.
It gets worse. Let’s suspend disbelief for a moment, and assume that somehow a government was able, through enforced ‘back doors’ or whatever, to decrypt everything that was encrypted, as part of “a counter-terrorism investigation and under warrant”, of course. That power would only be useful if those investigators were able to identify the encrypted traffic.
Most current encrypted communications are fairly recognisable; instead of an email appearing as plain text, HTML or RTF, for example, it is marked out as unintelligible blocks in the message. The investigators can then send it off for decryption, and all will be (magically) revealed.
Back in the late 1990s, Ron Rivest came up with the idea of the ‘all-or-nothing’ transform, which allows a message to be understood only if all of it is known. This is powerful because the recipient only receives the original and intact message, or none at all: no damage or tampering is possible. Others have proposed coupling that with Huffman encoding from a reference text (such as Tolstoy’s War and Peace) which will produce what appears to be regular English prose, unless you read it carefully. (I acknowledge David McClain for pointing this out.)
These and other well-described and implemented techniques (including straight steganography) can disguise encrypted data as almost sensible English, defeating practical methods of detecting conventionally encrypted content.
No doubt these and the many other technical issues that are apparent even to non-professional cryptographers will not get in the way of government resolve over matters of principle. Neither will the massed laughter of nerds and many others when the intended legislation hits the statute book, only to prove utterly ineffective.
Now, Baroness Shields, what are you doing about widespread Internet fraud and the lamentable lack of interest in it on the part of UK law enforcement agencies? How do you think government meddling with encryption will affect that? Or is “Internet Safety and Security” another cheap way to try to win votes from the easily-impressed?