The recent terrorist attack in London brought the questions around encryption and public safety back to the forefront of political debate.
Khalid Masood, the terrorist who killed four people before he was shot dead outside Parliament, sent a final message via WhatsApp just minutes beforehand. The contents of that message could lead to vital clues about Masood’s accomplices or collaborators. Despite facing intense pressure from the authorities, WhatsApp did not give security services access to the terrorist’s messages.
The reason is that WhatsApp uses ‘end-to-end encryption,’ a system so secure that even WhatsApp is not able to access its users’ messages.
In a statement shortly after the attack, the Home Secretary Amber Rudd told the BBC:
“It is completely unacceptable, there should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other.”
Rudd subsequently summoned Facebook (who own WhatsApp), Google, Twitter and Microsoft to a meeting to discuss ways to ensure that security services can access the data they need in future.
Tech companies vs. the authorities
The central question has always been how to balance the competing needs of personal privacy and public safety. It’s a long-standing dilemma that has seen politicians arguing for access to data and tech companies arguing that privacy rights are paramount.
Speaking in the wake of recent terrorist attacks in Paris, Prime Minister David Cameron pledged to give security services powers to read all messages sent over the internet.
Google, Microsoft, Apple, Facebook and IBM signed an open letter to President Obama calling for him to respect the privacy rights of consumers by not weakening encryption systems.
Apple refused to comply with a Federal Judge’s order to provide the FBI with “reasonable technical assistance” to access the iPhone of a terrorist gunman.
Amit Yoran, President of RSA, speaking at its annual conference, argued that weakening encryption to assist law enforcement would harm economic interests.
Speaking at a press conference, the French and German interior ministers called for legislation to enable courts to order companies to decrypt data to help criminal investigations.
FBI Director James Comey renewed his calls for tech producers to enable law enforcement to access digital content when necessary.
The end-to-end encryption used by WhatsApp is designed to prevent third parties and WhatsApp from ever having access to users’ messages or calls. Only linked phones have the matching security keys allowing them to decode messages. Even if security keys from a user’s device are recovered, they cannot be used to decrypt previously transmitted messages.
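The last point above, that keys recovered from a device cannot decrypt earlier messages, is the property known as forward secrecy. The sketch below is an added illustration, not WhatsApp's code or protocol: it assumes a simplified one-way key chain built from HMAC-SHA256, and the function names and sample messages are constructed for the example.

```python
import hashlib
import hmac
import os

def ratchet(chain_key: bytes) -> tuple[bytes, bytes]:
    """One step of the key chain: returns (next_chain_key, message_key).
    Both outputs are HMAC-SHA256 of the current chain key, which is one-way:
    the next chain key does not reveal the chain key it came from."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return next_chain, message_key

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Illustration only: a real
    messenger uses an authenticated cipher. The same call decrypts."""
    stream = b"".join(
        hashlib.sha256(key + n.to_bytes(4, "big")).digest()
        for n in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def send_all(chain_key: bytes, messages: list[bytes]):
    """Encrypt each message under its own key and discard used keys.
    Returns (ciphertexts, chain key left on the device afterwards)."""
    ciphertexts = []
    for plaintext in messages:
        chain_key, message_key = ratchet(chain_key)
        ciphertexts.append(toy_cipher(message_key, plaintext))
        del message_key  # used keys are not kept on the device
    return ciphertexts, chain_key

def keys_from_seized_state(chain_key: bytes, steps: int) -> list[bytes]:
    """Every message key computable from a recovered chain key. The chain
    only runs forward, so these are keys for messages not yet sent."""
    keys = []
    for _ in range(steps):
        chain_key, message_key = ratchet(chain_key)
        keys.append(message_key)
    return keys

if __name__ == "__main__":
    SAMPLE = [b"lunch at noon?", b"running late", b"see you there"]  # constructed
    shared = os.urandom(32)  # stands in for the secret both phones agreed on
    ciphertexts, seized = send_all(shared, SAMPLE)
    candidates = keys_from_seized_state(seized, 1000)
    recovered = [toy_cipher(k, c) for c in ciphertexts for k in candidates]
    print("old messages readable from seized key:",
          any(p in SAMPLE for p in recovered))  # False
    # The intended recipient ran the same chain from `shared` and can read them.
    print(toy_cipher(ratchet(shared)[1], ciphertexts[0]))
```

The recovered chain key does still yield keys for later messages in this simplified chain, which is why deployed protocols also mix fresh key-exchange output into the chain as the conversation continues.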
End-to-end encryption is so strong that the CIA has had to resort to tapping individual phones and intercepting data before it is encrypted or after it is decoded. It’s a painstaking process that they’ve likened to “fishing with a line and pole rather than fishing with a driftnet.”
There’s been a persistent call for ‘backdoors’ to be installed in encryption systems to give security services access when necessary. But tech companies see backdoors as undermining the entire purpose of encryption. If they were to build a backdoor to bypass encryption, it would not only give security agencies access, but potentially hackers and criminals too.
The encryption debate: views and opinions
“What we’re saying is if someone is a known terrorist or a known serious criminal, we’d like to be able to find out who they’re talking to and what they’re saying and I don’t think that’s unreasonable. But there’s a fear that goes alongside that which says the government will start watching everyone.”
“It’s not possible to build a system, which you can guarantee that only a definition of good guys can break. What you should do is you should build a system which will work in a world where there’s a government in power that you do not trust at all. Giving that sort of power to the government is inappropriate.”
EXCLUSIVE TO EM360…
EM360 spoke to a selection of leading experts to canvass a broad range of opinions:
“Every company has a fiduciary obligation to protect their employee, customer, partner and company information. As part of that duty, I believe that the sole consideration for a CIO is “Am I doing everything reasonable to protect that information?” The government is perfectly capable of using the courts or legislation to trump a company’s fiduciary obligations and that’s the way that should be handled – not by industry.”
— Jackson Shaw, Senior Director, Product Management at One Identity
“The Westminster issue is around P2P encrypted communications. The Government is getting its knickers in a twist around something that it can’t control – if it forces the likes of WhatsApp to put in place a backdoor, all that will happen is that WhatsAppski from some murky supplier in Moscow will take over with its own ‘full’ security model.”
— Clive Longbottom, Co-Founder and Service Director at Quocirca
“There are two considerations for CISOs to make around end-to-end-encryption for their enterprise systems. The first consideration is employee privacy. The second consideration is security and the conflict between end-to-end encryption versus content inspection. Reflecting this need, all enterprise staff should take into account that any digital communication that the employee is conducting on employer property can be inspected by the employer.”
— Israel Barak, CISO at Cybereason
“I have always been a big advocate of CCTV cameras under the belief that if you have nothing to hide, then you have nothing to fear. Controversially I also feel the same way about DNA samples being taken from everyone. But I know that’s not popular! My view is the same with end-to-end encryption. Don’t let moral panic affect your judgement.”
— Bennett Arron, comedian and identity theft victim