Backdoors into Whatsapp’s encryption is not the UK’s answer to terrorism
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email

Photo Illustration by Thomas Trutschel/Photothek via Getty Images Israel

Photo Illustration by Thomas Trutschel/Photothek via Getty Images Israel

Despite what Amber Rudd believes, targeting popular tech will not solve their intelligence problem, doing more harm than good

Feeling like a movie that has been played way too many times, the UK’s Home Secretary Amber Rudd predictably came out swinging at encrypted chat app Whatsapp on Sunday. Appearing on the Andrew Marr Show, she told the BBC’s audience that it was “completely unacceptable” that authorities could not view messages sent by the London attacker, Khalid Masood, who killed four people last week.

According to reporting in the Guardian, Secretary Rudd plans to hold a meeting with the heads of tech companies operating in the UK this Thursday to talk about how the government can find a work-around for them to read encrypted messages.

Device and message encryption has become a real bee in the bonnet for law enforcement and politicians over the past few years, offering up an easy-to-point-to excuse for failing to prevent an attack or crime.

However, this problem of “going dark” is way over blown. Critics fail to show any real understanding of why encryption serves a greater societal good and how the ability to scoop up massive amounts of communications is not as useful for countering terrorism as it may appear.

Encryption is an increasingly vital element of our digital lives. As we move to transfer more of our lives online, we widen the attack surface for malicious actors like hackers. Whether you need to transfer your bank details, travel plans, personal photos, or any other kind of information that you would rather not be public knowledge, encryption makes it that much safer.

(L-R) Mayor of London Sadiq Khan, Home Secretary Amber Rudd MP and acting Commissioner of the Metropolitan Police Craig Mackey stand in silence during a candlelit vigil at Trafalgar Square on March 23, 2017 in London, England. Four People were killed in Westminster, London, yesterday in a terrorist attack by “lone wolf” killer Khalid Masood, 52. Three of the victims have been named as PC Keith Palmer, US tourist Kurt Cochran from Utah and Mother of two Aysha Frade. (Photo by Carl Court/Getty Images Israel)

The most common form of encryption these days is “end-to-end”: whatever you send from your device will stay jumbled even as it passes through a given provider’s servers. Taking Whatsapp as an example, when I send a message from my phone to my friend’s device, it will remain encrypted until my friend’s device uses their own private key to put it back into human-legible material.

Since Whatsapp doesn’t keep a key for themselves, they can’t read what I’ve sent. In a sense, they’re putting their technology out there for the public and throwing up their hands in case the Feds come knocking. This is a constant annoyance for people like Rudd, who think that this allows criminals to hide from law enforcement.

Maybe it does and maybe it doesn’t.

From the looks of it, authorities appear to have gotten into Masood’s device pretty quickly.

Gaining basic access was a challenge for the San Bernardino case where the FBI reportedly reached out for help from a third party, Israeli startup Cellebrite, to get inside the perpetrator’s iPhone. In this case, British investigators either had a hack to ease into the device or perhaps used the dead man’s hand to unlock the device if it had a fingerprint reader.

What is at issue here however appears to be Rudd expecting providers like Whatsapp to create backdoors into their systems that will allow the government to come in and spy whenever the latter deems it necessary.

This is an extremely bad idea. Beyond the potential for abuse by authorities, there remains the fact that there is no such thing as a backdoor only for the good guys. If hackers can already find and exploit unwitting holes in security, then it should follow that they will have a field day with one built by design.

Photo Credit: Tim Robberts / Getty Images Israel

Try to think about the problem this way: It would be far easier for law enforcement if they had a master key that could allow them to look inside anybody’s house whenever they chose to. But what would happen if criminals also had this key and could come in and steal at will? This is why we all have different keys to our homes.

Most folks believe that the authorities should only be able to perform searches when it is demonstrably vital to security. I firmly believe that a determined government hacker could break into a specific account if they put their mind to it. If such a move is deemed important enough, then let them work for it actively and not just passively suction up data.

As I have said before, just collecting more data is not sufficient for properly stopping attacks. Taking this case as an example, let’s see how Rudd’s theories of snooping on Whatsapp convos would have played out.

First off, even as machine learning and the like are getting better at recognizing words of interest, there is still a sea of information to sort through. How many people per day say or write the word “bomb” or “attack?” Even if one decided to run down every single lead that came in where a conversation contained a word of interest, authorities are unlikely to have the resources necessary to perform a proper follow-up.

There simply are not enough agents to do this. Moreover, Masood like others in recent cases like the Orlando shooter, has been investigated in the past and had their files closed after insufficient evidence was found upon which to build a case. Keeping these investigations open-ended are untenable and hard to justify from a constitutional point of view.

So what is the answer here?

Come to grips with the fact that some attacks by people acting alone are a fact of life. They are unfortunate, but in today’s climate, they will happen. They are also terribly difficult to stop since they don’t require any external communications to carry out. The only solace here is that they are generally less destructive than coordinated attacks like London experienced in the 7/7 attacks.

When an attack does occur, try to map out the perpetrator’s social network to uncover new leads. Maybe a new face to watch will turn up that was previously unknown.

Authorities will need to turn to old-school methods like talking to informants and building trust in at-risk communities. If someone starts acting like they could be a threat to the public, support from the people who know them best can be an invaluable tool.

These are all hard facts and missions to carry out. It seems that Rudd and her counterparts around the world would rather chase after blaming technology and shaming companies for not being completely complicit with the government snoops than admit that they have a hard road ahead. She should ask herself if the uncertain probability of finding that terrorist in the haystack is worth the assured havoc on every other part of society, running from financial to general privacy.

On a slightly positive note, however, I actually trust that many in the intelligence community actually do understand these challenges and are capable of finding reasonable workarounds that do not endanger the public’s privacy and security. Rudd might do well to speak with her professionals and work to give them the resources that they need instead of scapegoating.

Share on:Share
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email
Gabriel Avner

About Gabriel Avner

Gabriel has an unhealthy obsession with new messaging apps, social media and pretty much anything coming out of Apple. An experienced security and conflict consultant, he has written for The Diplomatic Club, the Marine War College, and covers military affairs with TLV1 radio. He mostly enjoys reading articles wherever his ADD leads him to and training Brazilian Jiu Jitsu. EEED 44D4 B8F4 24BE F77E 2DEA 0243 CBD1 3F7C F4B6

More Goodies From Policy

4 reasons startups should consider moving to Toronto

The top destinations for global tech talent in the age of Trump

7 serious sessions at Austin’s SXSW that make Gamergate panels look like child’s play

  • SafeSwiss

    Govt now appears to use last week’s very tragic horrific event as a mechanism to either ban or introduce legislation on encryption providers, reality encryption is here to stay Last week’s tragic events have highlighted the effectiveness of end to end encryption such as deployed by likes of Telegram Messenger, SafeSwiss, WhatsApp.This truly represents a true paradox between privacy & security. Modern encryption architecture ensures there can be no possibility of back doors as either these apps are encrypted or they are not, there is no middle ground. Modern cryptography is extremely complex, The primary purpose of a robust encryption solution is to prevent any possibility of third party access, Its extremely misguided to think that any Govt or Govt agency can be considered a trusted third party. Simply banning encryption will open doors to a multitude of malicious MiTM attacks from adversary’s everywhere. Govt would be far better placed to put their resources into the issue at the source of the problem the continual brainwashing of children, youth & adults under the guise of medieval religious delusion.