The return of the weekly #Analogette. A tweet-size stating of the security obvious, which sometimes leads to more. This time it starts with encryption.
[tweet https://twitter.com/S_Clarke22/status/635212109807161344 hide_thread=true]
Followed by plain English perspective on the UK government demanding backdoors to enable decryption of secure communications. This time it’s our PM, but it’s an aim either explicitly stated, or – you can reasonably assume – covertly pursued by many nations.
[tweet https://twitter.com/S_Clarke22/status/635213230785359872 hide_thread=true]
Specifically for us Brits, David Cameron appeared to back away from this firm position when the security community united to point out flaws in his technical logic (the understatement of the year as you’ll note from the tweeted article and any page 1 results for ‘Cameron’ and ‘encryption’).
Legally the main hurdle to an encryption ban is EU human rights legislation. However, if the 2016 referendum on Europe and/or the bid to create a UK Bill of Rights goes the government’s way, the UK will be free to vote its way past ECHR judgements. The Express went over that again last week.
On the flip side David Cameron is right…terrorists and paedophiles can foil attempts to read communications by encrypting them. That fact isn’t disputable.
In that context, here’s an entirely fair challenge from Jan Winter…
[tweet https://twitter.com/janwinter15/status/635373668974100480 hide_thread=true]
…and my entirely honest riposte;
[tweet https://twitter.com/S_Clarke22/status/635451541881810946 hide_thread=true]
Of course analogies are blunt tools. As Pádraic Brady pointed out;
[tweet https://twitter.com/padraicb/status/635771057237004288 hide_thread=true]
He’s right. With a locked door the police could still knock it down, or (in extremis), go through a wall. With properly implemented encryption there are no such work arounds.

Ends justifying means?

Analogies aside, no-one will give us the inside gen on current threat levels, or the realistically estimated risk that encryption poses to national security operations.
Does that risk allow for the backstop of all properly operated pre-existing investigatory capabilities? How well do current data analysis tools and techniques work? Can they effectively target wrongdoers by analysing bulk personal and business communications? Are all instances of access and types of use effectively limited to what’s necessary by existing checks and balances? Do answers to those questions add up to a justification for breaking a cornerstone of reliable data security?
I’m not saying it doesn’t. I’m asking. Because I get and wholeheartedly buy into sacrifice of some personal freedom for the good of all. But I don’t feel hugely confident that oversight bodies really understand how tech – especially encryption – works. You don’t break encryption ‘a bit’, you just break it. Perhaps more concerning; How robust is their ability, while under intense political pressure, to resist the lure of “You have nothing to worry about if you have nothing to hide”. Pressure that was very much in evidence when the UK government pushed the Data Retention and Investigatory Powers Act through parliament in 7 days.

Shortsighted idealism from the privileged few?

On the more general debate about blanket retention, access and analysis of data, I thoroughly recommend reading this:
The US surveillance programmes and their impact on EU citizens’ fundamental rights
The late Caspar Bowden put a lifetime of accumulated knowledge into that document. It’s an excellent foundation for an informed debate around the next privacy-curtailing defensive measure we are told is necessary ‘just in case’.
I have a privileged life. The right to vote for a (kinda) representative government, the ability to speak out like this without immediate fear of personal persecution, and a government subject to a fair degree of real scrutiny. For many people around the world that’s an unobtainable dream and for many others our freedom of speech and unencumbered ability to communicate are tools to manipulate for political, financial, or criminal gain. But does that negate our right to privacy?
I’m honestly sitting here wearing my sceptical hat – in the true sense of that word – but willingness to change my mind about political risk management and accountable oversight won’t be well served by information I’ll get to see…information that would need to be pretty heftily persuasive to reset the Snowden calibrated scale of my concern.