Digital Privacy
19 Jan 2016 Jim Killock Privacy
Does the government want to break encryption or not?
The government opens up by stating:
This Government recognises the importance of encryption, which helps keep people’s personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet.… As Baroness Shields made clear in the House of Lords on 27 October 2015, the Government does not require the provision of a back-door key or support arbitrarily weakening the security of internet services.
However, it then goes on to state that:
Clearly as technology evolves at an ever increasing rate, it is only right that we make sure we keep up, to keep our citizens safe. There shouldn’t be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law.
The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.
That appears to imply that any encryption should be removable. This stands in direct contradiction to the paragraphs above. Either encryption can only be removed by the intended sender and recipient, or it is broken and unsafe.
The government concludes that:
There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications. This is subject to authorisation by the Secretary of State who must consider the interception of communications to be necessary and proportionate. The Investigatory Powers Bill will not ban or further limit encryption.
Perhaps this is the nearest thing we have to clarity. The government perhaps thinks that companies, where they control the technology, should be able to get to the information. Perhaps the government is assuming that companies might re-engineer their products, so that any encryption applies only to data in transit. End-to-end encryption, where companies are not key holders, is the kind of setup that the government might seek to limit, without attempting to break the fundamental mathematics or encryption technologies.
As TechCrunch observes, however, the threat of companies enabling internal backdoors is already pushing ISIS away from central platforms and towards setups that are not under those platforms' control. So such an approach could end up with privacy for the criminals, but not for ordinary, law-abiding citizens.