The Focus on Terror has Distorted the Debate on Encryption

CIOA8CvUMAEKQkX.png

Answers to the question: 'Why Does Encryption Matter?'

Surveillance has hit the headlines again. The UK Data Retention and Investigatory Powers Act, or DRIPA, which passed last year after just 24 hours debate, was ruled illegal by the High Court in a landmark case. DRIPA was an emergency measure to allow law enforcement agencies access to communications data, and its illegality puts even more pressure on UK Home Secretary Theresa May’s forthcoming Investigatory Powers Bill, announced in the Queen’s Speech. Last week, David Cameron announced that WhatsApp, Snapchat, iMessage, indeed, any encrypted messaging system, could be banned under new laws. In the fight against terrorism, the security services’ ability to intercept communications by would-be violent extremists is said to be paramount. ‘In our country,’ said Cameron speaking in January, ‘do we want to allow a means of communication between people which we cannot read? My answer is no we must not.’
 
That same week, a few thousand miles away in Milan, Hacking Team – a ‘does what it says on the tin’ company which specialises in creating software for governments – suffered a massive hack themselves. Imagine the worst Monday morning you’ve ever had. Its owners woke up to find that every email, every contract, every piece of software they’d developed had been stolen – hacked – and was being spread across the internet. In the early hours of the morning, the hashtag #IsHackingTeamAwakeYet? began to trend as people watched for the company to discover the catastrophic breach.

Linking these two events is the subject of encryption. ‘Encryption,’ writes Jamie Bartlett in The Dark Net, ‘is the art and science of keeping things secret from people you don’t want to know them, while revealing them to those you do.’  In reality, we all use it. Online banking, Facebook and Google all use encryption to help deliver their services and keep data safe. So how important to the average Brit is encryption? Is it doing more harm than good? Last week’s events offer some timely perspective.

Hacking Team lost control of everything. Their contracts, their contact details and, most importantly, the source code of their software. They say you can judge a man by the company he keeps. You can certainly judge a company by its clients.

Alongside the US, Hacking Team sold software to countries whose human rights records weren’t up to much. Ethiopia, where political opposition members are frequently detained in black sites. Egypt, where human rights activists have been tortured while under arbitrary detention. The less said about the Sudanese human rights record the better. Bahrain, Kazakhstan, Morocco, Russia, Saudi Arabia, Azerbaijan, Turkey. The list is a long one. The assumption is that such software was being used by intelligence agencies worldwide. Encryption is frequently described in shadowy terms: in fact, in countries where human rights, freedom of expression and freedom of association are all threatened, it is a fundamental tool in keeping activists safe from governments who are out to get them. While the type of software sold by Hacking Team might be able to break into encrypted services, it would certainly be much more difficult than accessing non-encrypted services.

Italy, Switzerland and South Korea all bought Hacking Team software, too. The UK is a notable absence: leaked emails published on WikiLeaks show our government trialled the kit but the purchase never happened.

From their commercial success alone it is reasonable to think that Hacking Team software was the real deal. Contracts were sold to dozens of governments, armies and police forces worth millions of pounds. And since 5 July, that software is all in the public domain, free for anyone to use.

In the same week, we have the government announcement that WhatsApp and Snapchat may be banned because they rely on end-to-end encryption to protect their contents. It’s a bit like the government mooting a ban on changing the locks on your front door because terrorists are locking their houses in the same week as a lorry jack-knifes on the Westminster roundabout and spills thousands of Chubb master keys.

You are far more likely to be a target of someone unduly interested in your emails, text messages and photos than a target of terror. The Hacking Team leak underlines how easy it is becoming for anyone with criminal intent and a modicum of technical skill to access our personal data. Who knows who might now be using this software? The only way to take responsibility for keeping your private data private is to rely on encryption.

It shouldn’t be difficult to convince anyone that taking steps to protect their data is worth doing: bank details, business transactions, personal communications – there are serious consequences if this kind of information is easy to get hold of. The massive leak of intimate photos from dozens of celebrities in 2014 underlined the embarrassment a seemingly innocuous bit of curious hacking can do. It isn’t a case of ‘having nothing to hide’: you have an awful lot to ‘hide’, not because you are up to anything, but simply because so much of your personal information is now being transported electronically. The government should also consider this: there is a real opportunity to save money using encryption, because its widespread uptake would almost certainly reduce the levels of petty cybercrime.

Basic encryption on services like Facebook and Whatsapp won’t protect suspected terrorists, either. If the security services want to get to you, they will. This level of encryption is like a front door lock: probably enough to keep you safe from most petty crime, but it won’t stop the police getting in. The resources available to the intelligence services are massive and will grow over the next few years. As the former head of GCHQ David Omand has said, ‘the intelligence machine never stops’. If the security services can’t intercept communications between suspects, they will resort to more intrusive methods like bugging, personal surveillance and skilled human intelligence that surgically targets suspects.

Banning encryption is not the answer. Weakening it is not the answer. Like a lock on your front door, encryption is a basic requirement of keeping your valuables safe. And like a lock on your front door, if you really are up to no good, it won’t protect you from our intelligence organisations. We need better education about life online and the risks it poses. We need to address the increasing number of people worried about companies and criminals snooping on their data. Banning the one tool that might protect us would be a mistake.

Alex Krasodomski is a Researcher at DEMOS: http://ow.ly/PMvWy 
Twitter: @akrasodomski

 

 

« The Right for Privacy in a World Where Everything is Shared
Airlines on Defence Amid Cyber Warfare: IATA »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Recruiters

Cyber Security Recruiters

Cyber Security Recruiters is a niche recruiting firm who finds impact players for our clients in the Information Security Space.

Attivo Networks

Attivo Networks

Attivo Networks is an award winning provider of deception for in-network threat detection, attack forensic analysis, and continuous threat response.

CSIS Security Group

CSIS Security Group

CSIS provide actionable threat intelligence, prevention, incident response and 24/7 managed security services.

Hague Security Delta (HSD)

Hague Security Delta (HSD)

The Hague Security Delta Campus is home of the leading cyber security cluster in Europe with an Innovation Centre, labs and training facilities.

Conceptivity +360 Cybersecurity

Conceptivity +360 Cybersecurity

Conceptivity +360 Security addresses advanced cybersecurity and supply chain security issues in policy, regulatory, legislation, standardisation, compliance and project management areas.

Thinklogical

Thinklogical

Thinklogical manufactures secure, KVM, video, audio, and computer peripheral signal switching solutions for defence C4ISR applications.

Center for Strategic Cyberspace & International Studies (CSCIS)

Center for Strategic Cyberspace & International Studies (CSCIS)

CSCIS seeks to advance global cyberspace security and prosperity by providing strategic insights for cyberspace and policy solutions to decision makers.

Custodio Technologies

Custodio Technologies

Custodio Technologies was established as a Singaporean R&D Centre of Israel Aerospace Industries (IAI) in order to spearhead R&D activities in the field of cyber early warning.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Styra

Styra

Styra allows companies to secure cloud environments and applications, including those built on the popular Kubernetes open-source cloud platform.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

WWPass

WWPass

WWPass is a global cybersecurity company that provides password-less authentication and client-side encryption technology.

Hudson Cybertec

Hudson Cybertec

Hudson Cybertec are an internationally recognized Subject Matter Expert for cyber security in the Industrial Automation & Control Systems (IACS) domain.

Cognilytica

Cognilytica

Cognilytica’s Cognitive Project Management for AI (CPMAI) training and certification is recognized around the world as the best practices methodology for implementing successful AI & ML projects.

Cork

Cork

Cork is a purpose-built cyber warranty company for managed service providers (MSPs) serving small businesses (SMBs) and the software solutions they manage.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.