Rhetoric of the impossible: Paris and privacy

Understandably, the aftermath of the vile slaughter of innocent people in Paris has been strong and emotional. Whether fellow humans are murdered en masse in Paris or Syria, the closer that you relate to the victims and their families, the greater will be your grief, and reaction to that grief.

It has also, almost universally, brought out the worst in most politicians, who seem unable to say or write anything beyond unreasoned rabble-rousing. In doing so they have found the next victims of terrorism: privacy, freedom, justice, perhaps even open democracy.

Whether or not these political responses are part of the goals of terrorists, before any politician or other public figure engages mouth or keyboard to comment on encryption and surveillance, they should think very carefully, and ensure that they do not ignore some basic facts. If they fail to do so, then they are likely to reveal to the electorate that their understanding of technology stops about half a century ago.

Encryption control

Any suggestion of enacting a ban on the use of encryption is simply preposterous. Aside from the many business-critical uses of encryption, so long as there are computers, computer-like devices, and smartphones, they will be able to communicate using strong methods of encryption.

Possible ways in which encryption could be opened up, to allow security and law enforcement agencies ready access to encrypted communications, are also doomed to fail.

The obvious method, of embedding encryption keys in the communication, would negate the purpose of encryption altogether. Every tech-savvy schoolchild would be able to break such a technique. It would also be unenforceable.

One scheme which has been attempted in some previous legislation (not in the UK) is that of key escrow. This would require the encryption keys used for each and every encrypted connection to be lodged with the ISP (or another authority). Considering that this would have to apply to every HTTPS connection and every VPN connection made, the volume and security of these keys would be an obvious issue. It is also readily defeated: if the keys are held in escrow, they could prove false when an investigator came to use them.

One of the most naïve ideas is that current encryption methods could be re-engineered to introduce hidden vulnerabilities, which could then be exploited by the intelligence agencies whenever they wished. This fails on many accounts, including the obvious problem that, if someone can open that back door, then anyone can, which would again render the encryption unfit for purpose, and open to abuse by criminals.

It also assumes that the Bad Guys are going to cooperate fully and switch away from using robust methods, and ignores the fact that encryption methods are necessarily subject to intense scrutiny by some of the greatest minds on the planet. If such a back door were introduced, it would quickly be found and a different method of encryption used instead.

In short, any schemes which try to limit, control, or manipulate encryption are doomed to fail. And the first to exploit that failure would of course be the Bad Guys.

Empty rhetoric

Each year, around 1500-2000 people die in road traffic accidents in the UK. In the USA, there are more than 30,000 deaths each year, and in France over 3000. We already have technical solutions which we know could substantially reduce the number of deaths, such as speed limiters. For decades governments have insisted that legal limits on maximum vehicle speeds are a vital part of their campaigns to reduce road deaths, but none has required these to be enforced by engineering in privately-operated cars.

Presumably the same politicians now crying for backdoors in encryption, and similar technically impossible measures to facilitate surveillance, understand the consequences of such restrictions on cars. If they wish to save lives, reduce the cost to society, and stem the steady stream of mutilated and disabled survivors, surely they should be advocating enforcement of the possible, rather than pursuit of the impossible. If they don’t understand encryption, and the absurdity of what they are calling for in its regulation, then they should hold their peace.

They should also consider what the purpose of all this surveillance really is. As I explain below, most of it came about as a response by intelligence and security agencies in the ‘War on Terror’ following 9/11. But the official records show that it has been most used to tackle serious and organised crime rather than terrorism.

It is currently being marketed to the public as a tool for locating missing persons and tackling crimes against children. Then in his speech on 17 November 2015, the UK Chancellor of the Exchequer made it central to the ‘cyber war’ being fought to protect essential utilities and business from disruption and fraud. Inevitably there is no evidential support for these efforts to turn surveillance into a benefit to those about to be its victims.

European law

There is an even bigger problem with existing and proposed legislation in the EU and the US: the law itself.

Just over a month ago (6 October 2015), the Court of Justice of the EU handed down a judgement which all legislators on both sides of the Atlantic need to ponder carefully. In it, the Court reiterates the overriding legal requirements which it applies in the EU. As those are also required of any US regime intended to meet EU requirements for the protection of data for EU citizens, such as the now broken Safe Harbour scheme, it will constrain all attempts to monitor and intercept electronic communications in the coming years.

The cataclysmic slaughter of the 9/11 attacks in New York, in September 2001, brought about a step change in the intelligence and security agencies’ approach to monitoring and interception of communications. Having been in steady decline since the end of the Cold War, this was an opportunity to assume a leading role in the ‘War on Terror’, and in those early days they were able to do so without any perceived need for explicit legislative controls (or, in the UK, on the strength of law which had been approved only the previous year).

The 11-M (Madrid) bombings of March 2004 and 7/7 (London) bombings of July 2005 brought further opportunity to increase surveillance, but successive governments felt a growing need to legitimise and extend these in law. European Directive 2006/24/EC of 15 March 2006 (the Data Retention Directive) set out to achieve just that by making mandatory across Europe the type of data collection already taking place in the UK under its RIPA (2000) legislation. It is significant that this directive was launched when the UK, in the form of Tony Blair, was President of the EU.

Privacy campaigners fought to overturn that directive, succeeding in April 2014, when the Court of Justice of the EU ruled that it violated the fundamental rights of respect for private life and the protection of personal data. The UK responded by rushing its DRIPA legislation through Parliament in July 2014, which was in turn found to be partially unlawful in the UK High Court just a year later.

This has all been complicated by the unprecedented revelations made by Edward Snowden in 2013-14, which have forced the hands of governments towards making explicit legislative provision for the surveillance which had been going on for more than a decade.

In its judgement of October 2015, the Court of Justice made it clear that its view of EU law – particularly after Directive 2006/24/EC had been overturned – differed from that in the UK or the US. The Court’s view is that surveillance legislation must not authorise the generalised collection and retention of all personal data, but it can authorise such collection “for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail”.

In particular, part of the grounds for the effective suspension of the Safe Harbour scheme is that it granted the US excessive access to the personal data of EU citizens: “In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.

The judgement also gave clear direction on remedies which must be available to the individual: “Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.”

It is of course quite plausible that one of the drivers for the current UK government’s plans to withdraw from the European Convention on Human Rights (ECHR), and to give the electorate an opportunity to withdraw completely from the EU, is to free the legislature from those EU restrictions on surveillance.

If the UK does not manage to escape the jurisdiction of the ECHR, it will remain vulnerable to current and future legislation on surveillance powers being again struck down by its own High Court or by the Court of Justice of the EU.

No Safe Harbours either

If the US does not come up with Safe Harbours version 2 which is deemed compatible with EU legislation, particularly the ECHR as interpreted by the Court of Justice, then from January 2016 it is likely that a series of data protection cases will start to shut down the transfer of personal data from the EU to the US (and beyond).

That in turn will compromise the major revenue streams from Europe to US tech giants such as Google and Facebook. Although these are smaller than those from the US, thanks to their manipulation of European tax systems, their exceptionally low rate of taxation makes them more valuable to the corporations.

So as much as the US and UK might wish to pretend otherwise, EU law has, and will continue to have, a major impact on national law. For the UK, unless it dramatically changes its status in Europe, it is again going to find itself in conflict in court. For the US, it is going to have to find a way of operating to EU standards in part, at least.

All round losers

So where does all this leave surveillance legislation such as the UK’s draft Investigatory Powers Bill?

With the Bad Guys increasingly avoiding the use of mainstream electronic communications, and employing ever more sophisticated measures for their security, the quantity and value of useful data acquired from normal surveillance activities are already in steep decline, and will continue to decline until it is no longer even a needle in a haystack.

With the collection of even more data, as is currently proposed, the haystack will also increase in size, making it much harder to find any remaining needles.

Any attempt to ban, restrict, or circumvent encryption is doomed to spectacular failure. At worst it will not affect the Bad Guys at all, but may cause problems with its legitimate uses in security, only worsening security problems.

Over the next few years, judicial review of current and intended legislation is likely to confirm at least some of it as being illegal, and it will be struck down.

Politicians of the future will then blame those of today for sacrificing fundamental rights, pillars of our open democracy, for a mirage which has been constructed by our intelligence and security agencies. Perhaps rather than blathering on so, our politicians had better start preparing their excuses.