August 01, 2017 | Ed Johnson-Williams

Sorry Amber Rudd, real people do value their security

It’s not for the home secretary to tell the public they don’t need encryption


Amber Rudd has been out doing the media rounds this morning (£) talking about the issues end-to-end encryption poses to law enforcement. One comment in particular caught our eye:

“Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?”

This is a little like saying: "Who uses a car because it has airbags and seatbelts, rather than because it’s a convenient way to get around?"

The Home Office strategy here may be to persuade internet companies to take action by telling them that ordinary people don’t care about security. This would be dangerous and misleading.

Clearly, real people (who are Rudd’s not real people?) do value security in their communication, just as they do with safety in their cars. Security is not – or at least does not have to be – the opposite of usability.

For many people, good security makes a service usable and useful. Some people want privacy from corporations, abusive partners or employers. Others may be worried about confidential information, sensitive medical conversations, or be working in countries with a record of human rights abuses.

Whatever the reasons people want secure communications, it is not for the Home Secretary to tell the public that they don’t have any real need for end-to-end encryption.

While Rudd seems to be saying she does not want encryption to be “removed” or bypassed, there are other things she might be looking for. It is possible that she wants the internet companies to assist the police with “computer network exploitation” – that’s hacking people’s devices.

It could mean providing communications data about users which could include data such as: "This user uses this device, often these IP addresses, this version of their operating system with these known vulnerabilities, talks to these people at these times, is online now, is using this IP address, is likely at this address and has visited these websites this many times."

Alternatively, Rudd might mean pushing out compromised app updates with end-to-end encryption disabled.

However, it is likely to be police rather than security services asking for this help. While targeted hacking does provide an investigative option that avoids blanket communications surveillance, it would be risky for the police to have these powers. Training and oversight, after all, are not as thorough or exacting as in the security services.

What is completely lacking is any serious attempt to tell the public what the Home Office wants internet companies to do to make people’s end-to-end communications accessible.

We should be told what risks the public would be exposed to if the companies were to agree to the Home Office’s private requests. Have these risks been properly weighed up and scrutinised? What safeguards and oversight would there be?

One risk is that users may start to distrust tech companies and the apps, operating systems and devices that they make. When security vulnerabilities are identified, firms push out updates to users. Keeping devices and apps up-to-date is one of the most important ways of keeping them secure. But if people are unsure whether they can trust pending updates, will they keep their devices up-to-date?

It would be incredibly damaging to UK security if large numbers of people were dissuaded from doing so. A prime example is the WannaCry ransomware attack that paralysed parts of the NHS in May. It spread through old Windows computers that hadn’t been updated, forcing doctors to cancel thousands of appointments.

The government must spell out its plans in clear, precise legislation and subject that legislation to full parliamentary scrutiny, and it should bring security and usability experts into a public debate about these questions.

Measures that deeply affect everybody’s privacy, freedom of expression, and access to information must not be decided behind closed doors.


Comments (3)

  1. Filipescu Mircea Alexandru:
    Aug 02, 2017 at 01:47 PM

    A senile old lady, who is the acolyte of another senile old lady, who was approved back in power by yet another old lady... sees herself in a position to lecture us on security and technology, while failing to even properly insult millions of people worldwide by claiming we don't even exist. Bad news miss Amber Rudd: Last time I looked in the mirror, I seemed pretty gosh darn real! Same goes for 99% of people who use the internet.

  2. Filipescu Mircea Alexandru:
    Aug 02, 2017 at 02:04 PM

    A senile old lady, who is the acolyte of another senile old lady, who was approved back in power by yet another old lady... sees herself in a position to lecture us on security and technology, while failing to even properly insult millions of people worldwide by claiming we don't even exist. Bad news miss Amber Rudd: Last time I looked in the mirror, I seemed pretty darn real! Same goes for 99% of people who use the internet. This kind of shameful behavior should be unacceptable for a British politician.

  3. David:
    Aug 02, 2017 at 05:13 PM

    https://tox.chat/ - take a look (I have nothing to do with this, it isn't a plug)
    After thinking I would build something like this myself (just to prove a political point), I googled and eventually found this mainly thanks to this excellent article: https://ar.al/notes/decrypting-amber-rudd/.
    Anyway, as far as I can tell, this makes the entire argument moot. What is the point of breaking e2e encryption on whatsapp etc, when there is something that is fully encrypted, decentralised and open-source available for anyone to use from any platform.
    Yes, it's still not quite as easy to use as whatsapp, but what we have here is something that the government could do nothing about but "ban" it's use. And I'm not sure how you would police that given they'd have to go after people individually.
    Does the existence of technology like this not make the entire argument moot?
    As far as I can tell, people are trying to fight the arguments of the government on their playing field and losing thanks to the poor general knowledge of the public and the mainstream media on this subject. Let's try being persuasive to the general public rather than being an echo chamber where we all agree with each other and don't persuade anyone else!
    Stop fighting based on logical reasons and breaking down their dumb arguments & publicise this (and related technologies) and point out that the argument was lost a long time ago by the government (before they even started arguing their case). Cat is out of bag etc.



This thread has been closed from taking new comments.