Despite what Amber Rudd believes, targeting popular tech will not solve their intelligence problem, doing more harm than good
Feeling like a movie that has been played way too many times, the UK’s Home Secretary Amber Rudd predictably came out swinging at encrypted chat app Whatsapp on Sunday. Appearing on the Andrew Marr Show, she told the BBC’s audience that it was “completely unacceptable” that authorities could not view messages sent by the London attacker, Khalid Masood, who killed four people last week.
According to reporting in the Guardian, Secretary Rudd plans to hold a meeting with the heads of tech companies operating in the UK this Thursday to talk about how the government can find a work-around for them to read encrypted messages.
Device and message encryption has become a real bee in the bonnet for law enforcement and politicians over the past few years, offering up an easy-to-point-to excuse for failing to prevent an attack or crime.
However, this problem of “going dark” is way over blown. Critics fail to show any real understanding of why encryption serves a greater societal good and how the ability to scoop up massive amounts of communications is not as useful for countering terrorism as it may appear.
Encryption is an increasingly vital element of our digital lives. As we move to transfer more of our lives online, we widen the attack surface for malicious actors like hackers. Whether you need to transfer your bank details, travel plans, personal photos, or any other kind of information that you would rather not be public knowledge, encryption makes it that much safer.
The most common form of encryption these days is “end-to-end”: whatever you send from your device will stay jumbled even as it passes through a given provider’s servers. Taking Whatsapp as an example, when I send a message from my phone to my friend’s device, it will remain encrypted until my friend’s device uses their own private key to put it back into human-legible material.
Since Whatsapp doesn’t keep a key for themselves, they can’t read what I’ve sent. In a sense, they’re putting their technology out there for the public and throwing up their hands in case the Feds come knocking. This is a constant annoyance for people like Rudd, who think that this allows criminals to hide from law enforcement.
Maybe it does and maybe it doesn’t.
From the looks of it, authorities appear to have gotten into Masood’s device pretty quickly.
Gaining basic access was a challenge for the San Bernardino case where the FBI reportedly reached out for help from a third party, Israeli startup Cellebrite, to get inside the perpetrator’s iPhone. In this case, British investigators either had a hack to ease into the device or perhaps used the dead man’s hand to unlock the device if it had a fingerprint reader.
What is at issue here however appears to be Rudd expecting providers like Whatsapp to create backdoors into their systems that will allow the government to come in and spy whenever the latter deems it necessary.
This is an extremely bad idea. Beyond the potential for abuse by authorities, there remains the fact that there is no such thing as a backdoor only for the good guys. If hackers can already find and exploit unwitting holes in security, then it should follow that they will have a field day with one built by design.
Try to think about the problem this way: It would be far easier for law enforcement if they had a master key that could allow them to look inside anybody’s house whenever they chose to. But what would happen if criminals also had this key and could come in and steal at will? This is why we all have different keys to our homes.
Most folks believe that the authorities should only be able to perform searches when it is demonstrably vital to security. I firmly believe that a determined government hacker could break into a specific account if they put their mind to it. If such a move is deemed important enough, then let them work for it actively and not just passively suction up data.
As I have said before, just collecting more data is not sufficient for properly stopping attacks. Taking this case as an example, let’s see how Rudd’s theories of snooping on Whatsapp convos would have played out.
First off, even as machine learning and the like are getting better at recognizing words of interest, there is still a sea of information to sort through. How many people per day say or write the word “bomb” or “attack?” Even if one decided to run down every single lead that came in where a conversation contained a word of interest, authorities are unlikely to have the resources necessary to perform a proper follow-up.
There simply are not enough agents to do this. Moreover, Masood like others in recent cases like the Orlando shooter, has been investigated in the past and had their files closed after insufficient evidence was found upon which to build a case. Keeping these investigations open-ended are untenable and hard to justify from a constitutional point of view.
So what is the answer here?
Come to grips with the fact that some attacks by people acting alone are a fact of life. They are unfortunate, but in today’s climate, they will happen. They are also terribly difficult to stop since they don’t require any external communications to carry out. The only solace here is that they are generally less destructive than coordinated attacks like London experienced in the 7/7 attacks.
When an attack does occur, try to map out the perpetrator’s social network to uncover new leads. Maybe a new face to watch will turn up that was previously unknown.
Authorities will need to turn to old-school methods like talking to informants and building trust in at-risk communities. If someone starts acting like they could be a threat to the public, support from the people who know them best can be an invaluable tool.
These are all hard facts and missions to carry out. It seems that Rudd and her counterparts around the world would rather chase after blaming technology and shaming companies for not being completely complicit with the government snoops than admit that they have a hard road ahead. She should ask herself if the uncertain probability of finding that terrorist in the haystack is worth the assured havoc on every other part of society, running from financial to general privacy.
On a slightly positive note, however, I actually trust that many in the intelligence community actually do understand these challenges and are capable of finding reasonable workarounds that do not endanger the public’s privacy and security. Rudd might do well to speak with her professionals and work to give them the resources that they need instead of scapegoating.