A few days ago, the press was full of ridiculous statements about banning end-to-end encryption in the UK. After watching a short talk by renowned security expert Bruce Schneier today, I thought I’d add some colour to the story.
Of course, Cameron isn’t the first to come out with this sort of rhetoric. Last year, FBI Director James Comey gave his view that the encryption that is increasingly being included as standard by companies like Apple and Google deprives law enforcement authorities of information which could be crucial to solving crimes or saving lives.
The problem, however, is that it is impossible to give the intelligence services what they want. Or – to be precise – it is possible to give it to them – but not to them alone. Technologies can either be secure for all users or vulnerable to all attackers. You cannot build a technology that is able to be decrypted by the security services but not by criminals. It is impossible to build a technology that can distinguish between morality or legality in this way.
The problem is that the narrative presented to the public at large is one in which they are given a choice in which only one use-case, invariably negative, is ever highlighted. The reality is that from a technological perspective, you simply can’t have surveillance and security together. So whilst the press might report on the risks of a terrorist using a mobile phone, the message ignores the use of exactly the same technology by a dissident fighting to avoid execution under a repressive political regime.
If you think that’s an edge case, you need only cast your mind back to the demonstrations in Kiev a year ago when everyone standing in the vicinity of a gathering, demonstrators and journalists alike, received the same anonymous messages on their phone:
“Dear subscriber, you are registered as a participant in a mass disturbance”
We do not have the choice of letting the spying be done by the “good” guys and not the “bad” guys. We’re all using the same stuff. We now live in one world, with one network, using one technology. Technology is neutral and by definition must therefore be capable of dual-use. That’s exactly why half the US secret services are trying to break the Tor network whilst the other half struggle to protect the anonymity of its users (who include its own agents).
Once it is understood that there can be no halfway house, the choice is at least clear. Which do you value more – security or surveillance? As Schneier points out, “Everybody uses cyberspace. Everybody. The moon shines on the just and the unjust. Everybody drives cars, eats at restaurants, sends email. The good guys and the bad guys”.
Even if you trust your government 100% and are convinced that your data will never be misused, what you are actually saying is that you believe this proven vulnerability through which your data was hoovered up can, and will, never be used by anyone else for their own criminal ends. Oh, and you are 100% that government records will never, ever, be hacked.
Let’s think about some of the examples that Schneier suggests:
- Quantum: the method of packet injection used by the NSA to hack into computers – also used by the Chinese to spy on their own citizens.
- Hacking Team: an Italian cyber-weapons arms manufacturer that sells its technology to whoever pays the asking price
- ISMI Catchers: fake mobile phone towers that are used to capture people’s data (including location, conversations and messages). This might sounds like tinfoil hat territory – until you realise that the FBI have admitted using them. Unlike the UK government which still denies it despite the evidence that shows otherwise. Recently, someone wandering around Washington DC with a detector found 80-100 ISMI catchers. Interesting fact? These were not installed by the government but by other unidentified parties who cannot be traced (foreign governments? criminals?)
- A US law in 1996 (‘CALEA‘) forced Telco’s to build their systems in such a way that the FBI would be able to eavesdrop on conversations (with the correct warrant in place). In 2005, Greece found out to its cost that buying ‘off-the-shelf’ technology might not have been such a good idea when they discovered that this built-in wiretapping capability was being used to spy on the Greek government for almost a year.
- By definition, most of us are unaware of surveillance. Walk around with your phone’s wifi turned on and it will continually send out a signal whilst it looks for a connection. Routers then pick up your mobile phone signal and triangulate your location so accurately that a company can now tell which aisle you’re in at the supermarket and for how long. Then, after they sell that data to the shop, if you actually connect to their public wifi network, you also give them access to your location data for the past 12 months. Just as with the ‘spy bins’ that were outlawed in London in 2014, it records the unique MAC identification address of your device. Log into the system with your name or social account and after clicking the usual terms and conditions small print that no-one ever reads, it then matches that data to you as an individual – providing the wifi operator with extremely detailed knowledge of the exact places that you’ve visited for the last year.
Or, as Edward Snowden wrote in one of his early emails to documentary maker Laura Poitras:
“Every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not.”
So what’s the alternative?
Schneier’s quite clear. People have the right to defend themselves from tracking, including communicating via encrypted systems and browsing the Internet anonymously via systems such as TOR.
No-one is arguing that intelligence should be prevented from tracking and preventing bad actors from carrying out their damaging activities. Tracking should be legal – but, crucially, it should also be targeted.
The reason that society works overall is because “there are more good guys than bad guys and good uses outweigh bad uses”. By attempting to capture all of the data about all of us as opposed to concentrating on the criminals, the government is forcing those who are aware of the risks to use defensive tools. It is otherwise unreasonable to expect people to simply accept the vulnerabilities in technology that are being exploited by intelligence agencies if these simultaneously open up opportunities for exploitation by malicious hackers, criminals, terrorists or even companies, insurance firms or other unwanted commercial interests.
The digital exhaust that we leave in our trail in the modern age is so much more than a simple footprint. Instead, we are leaving behind the very essence of who we are – from our most public personality to our most personal and private worlds as they relate to our bodies, our personal life, our property, our thoughts, our feelings, our secrets and ultimately our identity. In a world in which technology is enabling such power to accumulate at a speed that is far beyond anything that has been seen before in history, it’s becoming increasingly important to consider deeply which option you feel is better for the society that you would like to live in.