The UK and USA appear to be sliding inexorably towards passing primary legislation with the intent to force backdoors in the encryption used in computer communications.
I have already explained how a previous attempt in the US, in the form of the Clipper chip of the 1990s, failed miserably in a similar task. Our politicians appear blind to that recent history, and deaf to the warnings of internationally-recognised experts on encryption and computer security. Brandishing the banner of fear of terrorism, our governments are set on their course, guided ever onward by their over-influential security agencies.
So, let us assume that hard on the heels of the Investigatory Powers Act, when it has received Royal assent in the UK, there is secondary legislation to force all those who provide communications services in the UK to be able to decrypt any and all encrypted traffic which their services carry.
What then will be the consequences?
We know that all backdoors will be the subject of intense efforts at exploitation, both by foreign powers and their agencies, and by organised criminals. Whether a backdoor consists of a ‘secure’ database of keys used and held in escrow, a ‘golden’ key, or an intentional weakness in the encryption method, it will come under multiple attack.
We know that, ultimately, such attacks will succeed. It is not a matter of whether, but when. Already, where there have been unintentional weaknesses in encryption, they have been exploited. Only a few days ago, passwords for up to 13 million users of MacKeeper were unintentionally exposed, and found to be weakly protected using a deprecated hashing function. The latest news about backdoors being introduced into Juniper Networks’ devices is further important evidence.
Although such attacks may be made on individuals, the main targets will be the same as today: businesses, particularly large corporations with sensitive international dealings, government and public services. They rely heavily on encrypted services for their own communications, those with customers and outworkers, and to connect to the cloud services on which they are increasingly reliant.
Individuals, particularly the criminals and potential terrorists who are the targets of this legislation, inevitably have the greatest opportunities to evade any impact on their communications. They can switch to services operated outside the UK’s jurisdiction, use their own methods of encryption, and so on. Larger businesses and the public sector cannot do that, not without a very public hue and cry, and unworkable alterations to the proposed legislation.
Any attempt to provide such backdoors in encryption will therefore have greatest impact on the operation of the larger businesses in the UK (and the US, should it follow suit), and government and other organisations in the public sector. They will increasingly find themselves fighting foreign powers and organised crime with one hand tied behind their back.
They also have many rich pickings. For foreign competitors, it would be extremely valuable to be able to listen in on in-house communications, learning about plans, deals being arranged, trade secrets, and more. For criminals it opens up new revenue streams involving blackmail, extortion, and more extensive theft of sensitive information.
If applied to some sectors, such as banking and financial services, and healthcare, it could force complete re-engineering of communications systems because of the dangers of their encrypted traffic being intercepted. Yet it is hard to see how such services could be allowed to continue using robust encryption when no one else is permitted to.
The cost – to businesses, government departments, banks, and our healthcare sector – could be disastrous. Yet our politicians seem happy to gamble with those consequences and costs.
Shouldn’t those in charge of our larger businesses, government departments, banks, healthcare, and most of all those who are responsible for overseeing the protection of personal data, shouldn’t they be ringing alarm bells?
Putting backdoors in encryption, however smartly you might think it could be done, can only invite serious unintended consequences. It cannot bring even the slightest glimmer of good.
Like it or not, our economy and society now depend on secure encryption. Make it insecure, and you risk economic collapse and social catastrophe.