David Cameron's proposed encryption ban would 'destroy the internet'
Last week, the British Prime Minister told Parliament that he wants to "ensure that terrorists do not have a safe space in which to communicate."
Strong encryption refers to the act of scrambling data in such a way that it cannot be understood by anyone without the correct key or password - even law enforcement with a warrant, or the software manufacturer itself. It's used in some of the most popular tech products in the world, including the iPhone, WhatsApp messenger, and Facebook.But amid heightened terror fears, Cameron says "we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on."
The Prime Minister first indicated that he would try and clamp down on secure communications that could not be decrypted by law enforcement even with a warrant back in January, in the aftermath of the Charlie Hebdo shootings in Paris. His comments sparked an immediate flurry of condemnation from privacy and security activists, but his recent statements show he's not backing down. (Number 10 has not responded to requests for clarification about Cameron's comments.)
Bruce Schneier is a widely respected crypography and security expert and fellow at the Berkman Centre for Internet and Society at Harvard Law School. He serves on the board of digital liberties pressure group the Electronic Frontier Foundation, and writes frequently on encryption and security. Business Insider reached out to Schneier to discuss the feasibility of Cameron' proposed ban on "safe spaces" online. He didn't hold back.
BUSINESS INSIDER: What was your immediate reaction to Cameron's proposals?
Then I wondered why he would even wish for such a thing? Does he realize that this is the sort of thing that only authoritarian governments do? Again, my knowledge of the UK is limited, but I assume they are a free country that champions liberty.BI: Do you think they are even possible?
It's simply not possible to ban strong encryption within a country and software that uses strong encryption from crossing its borders. It's simply not possible to prevent people from installing the software they want on the computing devices they own. Countries like Iran, Syria, Pakistan, Russia, Kazakhstan, and Belarus have tried it and failed. China has tried before and is trying again. I wonder if Cameron is aware of the kind of company he is associating himself with.
BI: Let's say the UK government was determined to try and implement an encryption ban - how would it go about trying to do this?
Pretty horrible and totally infeasible. And even if Cameron turned the UK into the police state required to even attempt this sort of thing, he still wouldn't get what he claims he wants. That's the worst of it: it wouldn't work, and trying would destroy the Internet.
BI: What sort of effect would this have on the UK economy and businesses?
This isn't entirely speculative. Already security companies are moving out of the UK to avoid draconian surveillance laws, and more are talking about it. (Yahoo is the big company that comes to mind.) Cameron's proposal would only make things worse.
BI: Are American and other foreign businesses likely to comply with such a ban, if it were enforced?
BS: If the UK government starts throwing people who violate the ban in jail, businesses will either 1) comply, or 2) put themselves in a position where the UK government cannot throw their people in jail. I expect some of each would occur. Certainly many companies would pull out of the UK market rather than compromise the security of their global customers and users.
BI: Is there really no way to keep users' data secure while providing backdoors to law enforcement?
Think of it like this. Technically, there is no such thing as a "backdoor to law enforcement." Backdoor access is a technical requirement, and limiting access to law enforcement is a policy requirement. As an engineer, I cannot design a system that works differently in the presence of a particular badge or a signed piece of paper. I have two options. I can design a secure system that has no backdoor access, meaning neither criminals nor foreign intelligence agencies nor domestic police can get at the data. Or I can design a system that has backdoor access, meaning they all can. Once I have designed this less-secure system with backdoor access, I have to install some sort of policy overlay to try to ensure that only the police can get at the backdoor and only when they are authorized. I can design and build procedures and other measures intended to prevent those bad guys from getting access, but anyone who has followed all of the high-profile hacking over the past few years knows how futile that would be.
There is an important principle here: we have one world and one Internet. Protecting communications means protecting them from everybody. Making communications vulnerable to one group means making them vulnerable to all. There just isn't any way around that.
BI: Won't the proliferation of encryption help terrorists?
BS: No. It's the exact opposite: encryption is one of the things that protects us from terrorists, criminals, foreign intelligence, and every other threat on the Internet, and against our data and communications. Encryption protects our trade secrets, our financial transactions, our medical records, and our conversations. In a world where cyberattacks are becoming more common and more catastrophic, encryption is one of our most important defenses.In 2010, the US Deputy Secretary of Defense William Lynn wrote: "Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term." Encryption protects against intellectual property theft, and it also protects critical national infrastructure.
This is simply reality. And there are two reasons it's okay. One, good people far outnumber bad people in society, so we manage to thrive nonetheless. And two, the bad guys trip themselves up in so many other ways that allowing them access to automobiles, telephones, late-night restaurants, and encryption isn't enough to make them successful.
Most of the time we recognize that harming the overwhelming number of honest people in society to try to harm the few bad people is a dumb trade-off. Consider an analogy: Cameron is unlikely to demand that cars redesign their engines so as to limit their speeds to 60 kph so bank robbers can't get away so fast. But he doesn't understand the comparable trade-offs in his proposed legislation.
BI: Are there any less obvious ways in which encryption helps people on a day-to-day basis?
BI: What encryption products would you recommend our readers to protect their communications online?
BS: I am a fan of Off-the-Record for encrypting IM conversations on your computer, and Signal for encrypting both text and voice conversations on your smart phone. The encryption built in to the iPhone for both iMessage and FaceTime is also very good.
I strongly recommend turning disk encryption on wherever you can: on your computer, on your smart phone, everywhere. When you browse the Internet, use TLS on the web whenever you can. Download the plug-in HTTPS Everywhere. GPG is the best e-mail encryption program, but my advice is to stick to text and voice.Bruce Schneier is a security technologist, and CTO of Resilient Systems, Inc. His latest New York Times best-seller is "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World." He blogs, and tweets at @schneierblog.