Last month, a U.S. magistrate ordered Apple Inc. to help the FBI hack into an iPhone used by the gunman in the mass shooting in San Bernardino, California. This set in motion an extraordinary legal fight – which has played out very publicly – with the outcome of the case having implications for digital privacy on a global scale.
In the UK, the legal battle around encryption has raised questions around the proposed Snooper’s Charter. The latest draft of the UK Investigatory Powers Bill can best be summed up as a visible and public legal recognition of the tools and techniques that organisations, such as GCHQ and the USA’s NSA, have already been performing for the last decade or so. In many ways it is a clarification and continuation of 'business as usual' for law enforcement and spy agencies – who’ll be able to refer to these clear new legal distinctions instead of tip-toeing between legal interpretations and obscure clauses of laws written prior to the Internet. As penance for establishing these specific cyber investigatory powers, compensating restrictions such as a new investigatory powers commission and tribunals would likely come into play too.
To encrypt or not? That is the question
As it relates to the bigger international debate on encryption and back doors, the proposed bill skirts most of the squeamishness by focusing on utilising existing powers to compel an organisation to hand over an encryption key if known – or provide unencrypted communications if they are available. It’s a testament to Apple and many of the newer encryption standards being adopted by technology companies and Internet messaging platforms that such legislation will have no practical impact on their businesses because they do not retain any keys or passphrases for their customers' encrypted data – hence they could never surrender the keys if asked.
That said, as the Snowden NSA leaks have illuminated, international spy agencies can still perform much of their job through the use of metadata and, while having access to the unencrypted data would be most preferred, knowing who’s exchanging data with whom, how much, and at what time, is more than enough to construct association graphs and make strong cases for more intrusive monitoring – such as the installation of spyware and remote access trojans on to the computers, smartphones, and routers of their targets.
On one hand, although the effectiveness of such a bill on controlling encryption keys and access to back doors of UK products and services may be perceived to be high, the reality is that technology vendors are continuing to advance their products and services to make much of the discussion moot. While legislators have spent the last couple of years proposing encryption and interception laws for hurdles encountered prior to 2012, encryption technology has moved on.
Technology vendors and service providers want no control of the encryption keys their customers use. They don’t want to be in a position to service legal requests from any governments and so have deployed encryption tools that make much of the question redundant. The fly in the ointment though is the request to install back doors. However the 'back doors' being requested assume encryption techniques and deployments of a half-decade ago and could not reasonably exist in what is currently deemed as best encryption practices today. Rather, the installation of a back door would mean to roll back the clock to the way technology providers used to operate – which is likely a big problem for many of them.
Big brother: a big bother
Advances in key management and sophisticated hardware integrity checking are fundamental to a new generation of products. There are technological reasons why we’re only now starting to see the first generation of smartphone-enabled payment systems. The prospect of government eavesdropping and encryption back doors will kill that transformation before its truly begun. Governments that choose to go down this path will likely find that their tech industry will suffer as competitors in less restrictive countries will have a growing advantage.
At the end of the day, let's take the worst case scenario that this bill gets passed with its most powerful legal interception laws intact and eventually undermining the default encryption (and inclusion of back door functionality) of technology products sold in the UK. The reality is that criminals and any reasonably literate technological citizen will simply be able to download other third-party encryption tools (e.g. TOR) to make redundant those restrictions and snooping laws.
I’d also anticipate more advances on cheap physical key readers that can be used in combination with a smartphone or laptop – thereby overcoming the threat or prospect of having to surrender a memorable password or passphrase. It’s all a little too late; perhaps the government should rename this bill after Hadrian’s Wall.
Gunter Ollmann is CSO of Vectra Networks