Home  |  Sarah  |  Services  |  Blog  Contact

Monday, 24 Aug , 2015

Encrypting is like locking doors…

Share this article

Encrypting is like locking doors - bad guys do it too. Should the police have 'just in case' keys to all of our homes?...and the discussion that analogy provoked.

The return of the weekly #Analogette. A tweet-size stating of the security obvious, which sometimes leads to more. This time it starts with encryption.
[tweet https://twitter.com/S_Clarke22/status/635212109807161344 hide_thread=true]
Followed by plain English perspective on the UK government demanding backdoors to enable decryption of secure communications. This time it’s our PM, but it’s an aim either explicitly stated, or – you can reasonably assume – covertly pursued by many nations.
[tweet https://twitter.com/S_Clarke22/status/635213230785359872 hide_thread=true]
Specifically for us Brits, David Cameron appeared to back away from this firm position when the security community united to point out flaws in his technical logic (the understatement of the year as you’ll note from the tweeted article and any page 1 results for ‘Cameron’ and ‘encryption’).
Legally the main hurdle to an encryption ban is EU human rights legislation. However, if the 2016 referendum on Europe and/or the bid to create a UK Bill of Rights goes the government’s way, the UK will be free to vote its way past ECHR judgements. The Express went over that again last week.
On the flip side David Cameron is right…terrorists and paedophiles can foil attempts to read communications by encrypting them. That fact isn’t disputable.
In that context, here’s an entirely fair challenge from Jan Winter…
[tweet https://twitter.com/janwinter15/status/635373668974100480 hide_thread=true]
…and my entirely honest riposte;
[tweet https://twitter.com/S_Clarke22/status/635451541881810946 hide_thread=true]
Of course analogies are blunt tools. As Pádraic Brady pointed out;
[tweet https://twitter.com/padraicb/status/635771057237004288 hide_thread=true]
He’s right. With a locked door the police could still knock it down, or (in extremis), go through a wall. With properly implemented encryption there are no such work arounds.

Ends justifying means?

Analogies aside, no-one will give us the inside gen on current threat levels, or the realistically estimated risk that encryption poses to national security operations.
Does that risk allow for the backstop of all properly operated pre-existing investigatory capabilities? How well do current data analysis tools and techniques work? Can they effectively target wrongdoers by analysing bulk personal and business communications? Are all instances of access and types of use effectively limited to what’s necessary by existing checks and balances? Do answers to those questions add up to a justification for breaking a cornerstone of reliable data security?
I’m not saying it doesn’t. I’m asking. Because I get and wholeheartedly buy into sacrifice of some personal freedom for the good of all. But I don’t feel hugely confident that oversight bodies really understand how tech – especially encryption – works. You don’t break encryption ‘a bit’, you just break it. Perhaps more concerning; How robust is their ability, while under intense political pressure, to resist the lure of “You have nothing to worry about if you have nothing to hide”. Pressure that was very much in evidence when the UK government pushed the Data Retention and Investigatory Powers Act through parliament in 7 days.

Shortsighted idealism from the privileged few?

On the more general debate about blanket retention, access and analysis of data, I thoroughly recommend reading this:
The US surveillance programmes and their impact on EU citizens’ fundamental rights
The late Caspar Bowden put a lifetime of accumulated knowledge into that document. It’s an excellent foundation for an informed debate around the next privacy-curtailing defensive measure we are told is necessary ‘just in case’.
I have a privileged life. The right to vote for a (kinda) representative government, the ability to speak out like this without immediate fear of personal persecution, and a government subject to a fair degree of real scrutiny. For many people around the world that’s an unobtainable dream and for many others our freedom of speech and unencumbered ability to communicate are tools to manipulate for political, financial, or criminal gain. But does that negate our right to privacy?
I’m honestly sitting here wearing my sceptical hat – in the true sense of that word – but willingness to change my mind about political risk management and accountable oversight won’t be well served by information I’ll get to see…information that would need to be pretty heftily persuasive to reset the Snowden calibrated scale of my concern.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...