Encryption and the law: will vendors hand us the keys?

The first serious proposal for earth-orbiting satellites was articulated in a 1946 report by Project RAND, which two years later turned into the RAND Corporation – RAND being a contraction of Research ANd Development. RAND is a non-profit corporation, and one of its greatest achievements has been the development of game theory, which kept the Cold War from overheating into overt conflict. Much of that was led by RAND’s chief strategist, Herman Kahn, who was one of the models used by Stanley Kubrick for the title role in his movie Dr Strangelove.

I hope that RAND Corporation researchers are advising the US and UK governments over their current stand-off on encryption and access to private data. The evidence suggests that, if anyone is playing a smart game, it is Apple and its supporters, not the politicians and law enforcement agencies.

The politicians are desperate to gain access for their law enforcement and security agencies to all private data. They know that if they were to tackle this head-on and outlaw strong encryption, there would be outcry across government departments and influential business sectors, and most users would simply ignore the ban.

The only way that they can see to achieve their aim is to pass the problem to the product and service suppliers like Apple. Then, when things do go horribly wrong as all the experts are predicting, the politicians will be able to blamestorm that back on those suppliers, or so they think.

Apple knows that, should it cave in to the absurd legal artifices, lies, and other ploys, it will be blamed by politicians, the rest of the industry, and its users, for all the consequences. Here in the UK it would quickly find itself in a similarly invidious position once the disgraceful Investigatory Powers Bill becomes law – only here, according to that law, it would be expressly forbidden from even mentioning it, making Apple an even better target for blame.

But Apple and others in the industry have already recognised the solution, which can only break the current stand-off, and send the politicians and their agencies back to square one.

Apple’s current weakness is its potential ability to unlock a locked iPhone, because everyone knows that Apple can replace iOS (and lower-level software) on an iPhone and enable faster and more reliable unlocking. Apple has a similar weakness in respect of private data held in encrypted form on iCloud: because Apple can perform password-recovery procedures, it has no overriding reason to refuse requests to decrypt data held on iCloud.

Legal arguments put forward in the US, and the burden which will be imposed by the UK’s Investigatory Powers Act (IPA), can only have merit (if they have any at all) when Apple performs the encryption, and could therefore perform decryption. If Apple – or any other product or service supplier – does not perform the encryption and cannot have any knowledge of the keys involved, then it cannot be expected to be able to break into such encrypted data, no matter what anyone might think of the importance of so doing.

One indication of this is the growing rumour that Apple is preparing to change iCloud encryption, so that it will be unable to provide password recovery, or have any knowledge of the keys used. Instead of users being pawns in the game played by politicians against Apple, Apple could then step aside and leave the politicians to have to deal with the users direct.

That would in turn force the politicians either to back off, or to try to draw up effective legislation limiting the use of strong encryption, knowing that the latter would fail dismally and ensure that all blame resulting from any consequences would stick to the politicians.

I am sad that Herman Kahn, who died in 1983 at the young age of 61, is not around to watch and advise. Maybe he would have told the US Department of Justice and the UK Home Office that, for the moment at least, their game risks utter failure.