Encryption and terror: how can government get the balance right?

The emergence of multinational, mass-scale, internet-based social networks at the start of the 21st Century has changed the rules of communication like no other invention since the birth of broadcast radio 100 years previously. 

Never before has it been possible for anyone to disseminate information, talk and share on such a mass scale, across the barriers of language and political borders. It's marvellous on so many levels.

But there's a dark side. Add easy-to-use, easy-to-access, high-strength encryption into the equation, as has indeed happened over the last few years, and we have a recipe for disaster. Terrorists and law-breakers are empowered like no previous era - and it may feel like there's no means to stop them without major incursions to civil liberties.

Justice is (more) blind

It's very clear that terrorist groups and other criminals are using encryption to organise their activities without fear of being detected, because strong encryption has become so easy.

Encryption proliferation, through popular messaging services - available for free, to anyone - makes it impossible for our security services to exercise their investigatory powers in the digital world in the same way they can in the physical domain.

In the physical domain, we expect privacy, of course. We expect to be able to come into our houses and close the door behind us, and no-one is allowed to come in and bother us. Quite right, too.

Unless we've broken the law and it demands we either be arrested or our property investigated.

Then, those privacy rights are clearly less important than the rule of law.

At that point, as members of a democratic society, we're bound to agree that - having obtained a judicial warrant through the laws we consent to as members of this society - security and law enforcement services ought to be able to bash through people's doors and conduct a thorough search.

But those actions are no longer available to our peacekeepers in the digital realm. The doors they have a legal warrant to breach won't break down. The wire-tap that was obtained through the courts yields only gibberish.

This cannot stand. We can't live safely in a society in which our security forces work blind and deaf.

Fundamental flaw

This weakness for security and privacy are born out of design. The outer layers of the Internet, where social networks and messaging apps exist, have moved faster than its lowest levels.

The technological foundations of the Internet, invented in 1969 to enhance communications between a limited number of academic, corporate and defence systems, as DARPANET have barely moved on.

There was no thought around maintaining personal privacy on these systems back then, nor was there any thought given to the widespread use of sophisticated encryption systems.

Much the same thing is true of our legislature which, in the UK, relies on a complex system of precedents and legal acts, dating back centuries. Many current lawmakers continue to have a weak grasp of technology, and are prone to making over-generalisations that are neither practical, nor ultimately in their nation's best interest.

Privacy first

In short, we need to change the Internet, and our social networks.

We need to retrofit our wonderful, but dated, 1969 communications network with the powers it needs to continue to provide the amazing benefits it has done to date, but with safety and privacy embedded.

We need a blanket policy that will treat everyone the same, and give everyone their rightly deserved privacy.

A mechanism for privacy should be provided at the application layer of the Internet and this involves several steps, and some caveats.

To join future networks, identities ought to be verified. This is a complex area, and the verification credentials required of a 10-year-old girl might not be the same ones required of a 30-year-old man. But the broad proposition is that everyone should have a verifiable identity on the Internet that remains the same throughout one's life, much like your passport.

That, in itself, poses questions about privacy. If I were a young, closeted gay man, for example, then I may be looking for information and connections on the Internet that means a verified identity could threaten my privacy, and have further ramifications for my private life. That needs to be protected against.

Or what if I am now a 40-year-old businesswoman, who perhaps made some regrettable choices in my youth that are shown online? Again, people deserve that degree of privacy, just as they would normally find it in the physical world.

Encryption in the name of the law

So, everything to be encrypted by law. Everything. Nobody, and no commercial organisation, will be allowed to read or identify your messages, browsing history or any other content you have produced on the Internet through any kind of scanning without your explicit consent.

The proviso is that when your actions and your content are encrypted, very securely, then the keys to that encryption action are retained by the service provider.

If the law enforcement or national security authorities require access to those keys, then the regulated service provider will yield them, for the specific actions for which they have a warrant. Only people with something to hide should have anything to fear - again, only warranted authorities would be allowed access.

This, I believe, is the only solution. We need privacy. We need security. We cannot continue as a free, democratic society without a balance between those two things. At Scentrics, we've put years of research into the problem, and we believe that legitimised key escrow, through agencies regulated by government, as telcos and ISPs already are, is the only solution.

Hard passage

There's no doubt that a transition to such a state will be resisted by some, and from well-meaning intentions. People, by-and-large, don't want to change. There's a knee-jerk lobby ready to resist any change to the status quo perceived as any infringement to existing rights. And not least, be sure that such a change would require a considerable body of legislation, communication and reassurance. It will be a long, hard road.

But consider the alternative. Across most of the Internet, private networks are harvesting everything you do, say and post. And make no mistake that state authorities are not equally interested in probing your digital persona on a mass scale. You have no privacy whatsoever in the current environment. Encryption will change the rules for that engagement - in the favour of private citizens.

The encryption tools we have now are empowering terrorists, who currently face no checks to their organisation, recruitment, and operational efforts. That cannot be allowed. Whereas server-centric encryption against verified identities will make it very hard for them to continue.

What's it to be? The status quo we have at present is entirely untenable. And the terrorists will win if we drag our feet. As for the future we are proposing? It requires compromises, but making rational compromises which balance safety and civil liberties is the very foundation of rational society.

Paran Chandrasekaran, CEO, Scentrics
Image Credit: Sergey Nivens / Shutterstock