Ministers in the UK and Australian governments are making moves to try to prevent the use of strong encryption techniques in messaging apps and more. Their belief is that terrorist groups and other criminals are using encryption to organise their activities without fear of being detected.
It’s an understandable response – but one that is flawed in its assumptions about how encryption can be used. Applied in a different way, in a new infrastructure, encryption can do its job and guarantee the rights to privacy that have been so battered by current digital social networks. And it can do so without undermining the rule of law.
That is far from the case right now. Encryption proliferation, through popular messaging services – available for free, to anyone – makes it impossible for our security services to exercise their investigatory powers in the digital world in the same way they can in the physical domain.
>See also: Understanding the motives behind cyber attacks can help prevent them
In the physical domain, we expect privacy, of course. We expect to be able to come into our houses and bolt the door behind us, and no-one is allowed to come in. Quite right, too.
Unless we’ve broken the law and it demands we either be arrested or our property investigated.
But those actions are no longer available to our peacekeepers in the digital realm. The doors they have a legal warrant to breach won’t break down. The wire-tap that was obtained through the courts yields only gibberish.
This isn’t an acceptable state of affairs: we can’t live safely in a society in which our security forces work with their hands tied.
Flawed by design
The Internet’s weakness when it comes to both security and privacy are born out of design. The outer layers of the internet, where social networks and messaging apps exist, have moved faster than its lowest levels, where the fundamentals of how information is transmitted have remained unchanged.
There was no thought, when the Net was first established in 1969, around maintaining personal privacy on these systems back then, nor was there any thought given to the widespread use of sophisticated encryption systems.
>See also: Tech firms will be urged to fight terror content by Theresa May
Much the same thing is true of our laws which, in the UK and many countries whose systems it has influenced, relies on a complex system of precedents and legal acts, dating back centuries.
Many current lawmakers continue to have a weak grasp of technology, and are prone to making over-generalisations that are neither practical, nor ultimately in their nation’s best interest.
An internet for security and privacy
In short, we need to retrofit our beloved, but rather under-engineered, 1969 communications network with the powers it needs to continue to provide the amazing benefits it has done to date, but with safety and privacy embedded. We need a blanket policy that will treat everyone the same, and give everyone their rightly deserved privacy.
A mechanism for privacy should be provided at the application layer of the Internet and this involves several steps, and some caveats.
To join future networks, identities ought to be verified. This is a complex area, and the verification credentials required of a 10-year-old girl might not be the same ones required of a 30-year-old man. But the broad proposition is that everyone should have a verifiable identity on the Internet that remains the same throughout one’s life, much like your passport.
>See also: Cyber populism: is social media damaging democracy?
That, in itself, poses questions about privacy. If I were a teenage, closeted gay man, for example, then I may be looking for information and connections on the Internet that means a verified identity could threaten my privacy, and have further ramifications for my private life. That needs to be protected against.
Or ‘what if I am now a 35-year-old businessman, who perhaps made some regrettable choices in my youth that are still evident online?’ Again, people deserve that degree of privacy, just as they would normally find it in the physical world.
Encrypted by default
So, everything should be encrypted by law. Everything. Nobody, and no commercial organisation, will be allowed to read or identify your messages, browsing history or any other content you have produced on the Internet through any kind of scanning without your explicit consent.
The condition is that when your actions and your content are encrypted, very securely, then the keys to that encryption action are retained by the licensed service provider.
If law enforcement or national security authorities require access to those keys, and have obtained a judicial warrant, then the regulated service provider will yield them, for the specific actions for which they have a warrant. Only people with something to hide should have anything to fear – again, only warranted authorities would be allowed access.
>See also: Keeping the enterprise secure in the age of mass encryption
This is the only solution. We need privacy. We need security. We cannot continue as a free, democratic society without a balance between those two things. At Scentrics, we’ve put years of research into the problem, and we believe that legitimised key escrow, through agencies regulated by government, as mobile networks and ISPs already are, is the only solution.
Fear of change
There’s no doubt that a transition to such a state will be resisted by some, and from well-meaning intentions. People, by-and-large, don’t want to change. There’s a reactionary lobby ready to resist any change to the status quo perceived as any infringement to existing rights. And not least, be sure that such a change would require a considerable body of legislation, communication and reassurance. It will be a long, hard road.
>See also: Understanding mobile encryption
But consider the alternative. Across the internet, private networks are harvesting everything you do, say and post. And make no mistake that state authorities are not equally interested in probing your digital persona on a mass scale. You have no privacy whatsoever in the current environment. Encryption will change the rules for that engagement – in the favour of private citizens.
The encryption tools we have now are empowering terrorists, who currently face no checks to their organisation, recruitment, and operational efforts. That cannot be allowed. Whereas server-centric encryption against verified identities will make it very hard for them to continue.
Sourced by Paran Chandrasekaran, CEO of Scentrics