In December 2013, the United Nations General Assembly adopted resolution 68/167[1], which expressed deep concern at the negative impact that surveillance and interception of communications may have on human rights. The General Assembly affirmed that the rights held by people offline must also be protected online, and it called upon all States to respect and protect the right to privacy in digital communication.
As the previous High
Commissioner cautioned in past statements [September 2013 and February 2014],
such surveillance threatens individual rights – including to privacy and to
freedom of expression and association – and inhibits the free functioning of a
vibrant civil society[2].
Yet this week we have headlines that “Facebook encryption
threatens public safety[3]”
from the UK Home Secretary and her US and Australian counterparts.
Now while I’m not Facebook's greatest fan (I won’t install it
on my Smartphone), history tells me that the moment I hear politicians talk
about encryption coupled with the words “paedophiles and terrorists” as their
headline justification I start to worry; as it usually means there is little
valid argument; but they would like to trample on people’s Human Rights on a
wave of moral outrage!
Existing laws allow for orders for wire taps of products
like WhatsApp and can get some data, (IP addresses, phone numbers, contact
lists, avatar photos etc.); and while you cannot get encrypted messages and
attachments, you use this and other evidence to apply to a court and convince a
judge that you have sufficient grounds for a warrant to arrest and seize their
end-point device!
Having worked with the police in the 1990s to get the solid
evidence so that they could arrest one of our employees for accessing indecent
images of children, I know first hand that our existing laws were more than
adequate to get an arrest warrant.
There are a number of root-cause problems here that have
been rehashed over the many, many years I’ve been listening to this debate as
it continually rears its head.
The first is the Phil Zimmerman[4]
quote[5]
“If privacy is outlawed, only outlaws will have privacy.” Which is often misquoted as “If encryption is outlawed, only outlaws will have encryption”.
This probably applied double to those terrorist organisations who are well
funded enough to write their own encryption products and even use steganography[6]
to hide it in plain sight.
The second is the “our government wants a back-door into
your encryption”. – The problem here (especially for International tech
companies) is “which government is entitled to have a back door key?” – because
if the US demands it, then other countries will also demand it, usually as a
condition of doing business in their jurisdiction – so it rapidly becomes “any
legitimate government” – but legitimate does not equate to benign, or even
non-repressive towards certain sections of it citizens.
The third is that international business needs to be able to
ensure that its business communications are secure; I can remember the time in
the 90s when France would not allow secure encryption of our corporate WAN
links into the country – this can negatively affect business investment
decisions if you can not ensure the security of your business (physical or
digital) in that country.
History is littered with failed and flawed attempts to get
back-doors into encryption; so I would recommend that any politician who actually
wants to make this suggestion goes and talks to the (white-hat) hackers at
Blackhat and Defcon, or those of us who have been implementing security in
large corporates for many years, and they will tell you that the encryption
genie escaped the bottle a long time ago and the only person you will actually
harm are the 99% plus of citizens who are law abiding; and the companies and
organisations that need MORE strong encryption to protect us from the evils on
the Internet.
In our work on Identity we have identified the need not only
for strong encryption, but also for it to be open source and peer reviewed so
all parties can assure themselves that there are no back doors – this builds
trust in both the identity and digital ecosystem; then this must be coupled with 100% anonymity
at the root of an entity’s identity, which ensures privacy and delivers primacy
and agency.
It may seem counterintuitive, but by doing this you end up
with a more accountable, more trustworthy digital ecosystem.
[5] Why
I Wrote PGP, Part of the original 1991 PGP User's Guide (updated in 1999)
No comments:
Post a Comment