In the run up to the United Kingdom’s elections, Prime Minister Theresa May promised to “regulate cyberspace” to deny “safe spaces” to terrorists online. Though it doesn’t mention the word “cryptography,” her statement has widely been interpreted as a vow to undermine end-to-end encryption.
Since May appears to be set to continue on as Prime Minister, we have to assume she’ll try keep this promise, which her party has been running on for years. That is very bad news for the Internet, according to Erka Koivunen, F-Secure’s Chief Information Security Officer.
“Banning cryptography as a technological and mathematical foundation of encryption just would not work,” he told me.
He notes that a 2015 study called “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communication” found anti-cryptography policies were “likely to introduce unanticipated, hard to detect security flaws,” while raising huge questions about how to govern such systems could “respect human rights and the rule of law.”
When officials demand the ability to read any “means of communication” online, they have no idea what they’re demanding.
“It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security,” Boing Boing‘s Cory Doctorow wrote.
Not only would many versions of open source and independent software have to be banned, the government would need a “master key” that would ultimately force a back door in every software we use to communicate or store our secrets.
“There’s no such thing as a secure backdoor,” Erka said. “Period.”
If a backdoor exists, criminals will find a way through it.
WIRED Magazine‘s Emily Dreyfuss put it like this: “Simply put, weakened encryption makes everything from world banking to travel and healthcare riskier.” It could also have a chilling effect on free speech and political activism.
Banning cryptography or undermining encryption would inevitably fail, Erka warns, and the victims of this will be the people May says she is trying to protect.
“Forcing businesses to abandon cryptography would lead to protectionism and ultimately expose honest people to more online crime,” Erka told me.
And in exchange for a more dangerous online existence, there’s no promise that people will be any safer in real life.
“In most cases of terror, the culprits have been known to intelligence and law enforcement,” he said. “But officials weren’t following them, questioning or detaining them at the right time.”
What could make people safer?
“There are significant gaps in information sharing — not only between countries, but often between agencies within the same government.”
He suggests we fix those gaps before we break the internet.
Twitter urged all 336 million of its members to change their passwords in early May…
May 21, 2018