A few weeks ago, I wrote a post called The Backdoor Fallacy: explaining it slowly for governments. I wish that it hadn’t been so popular. Not that I don’t like the page views – I do – but because it seems that it was very timely, and this issue isn’t going away. The German government is making the same sort of noises that the British government* was making when I wrote that post**. In other words, they’re talking about forcing backdoors in encryption. There was also an amusing/worrying story from Slashdot which alleges that “US intelligence agencies” attempted to bribe the developers of Telegram to weaken the encryption in their app.
Given some of the recent press on this, and some conversations I’ve had with colleagues, I thought it was worth delving a little deeper***. There seem to be three sets of use cases that it’s worth addressing, and I’m going to call them TSPs, CSPs and Other. I’d also like to make it clear here that I’m talking about “above the board” access to encrypted messages: access that has been condoned by the relevant local legal system. Not, in other words, the case of the “spooks”. What they get up to is for another blog post entirely****. So, let’s look at our three cases.
TSPs – telecommunications service providers
In order to get permission to run a telecommunications service (wired or wireless) in most (all?) jurisdictions, you need to get approval from the local regulator: a licence. This licence is likely to include lots of requirements: a typical one is that you, the telco (telecoms company), must provide access at all times to emergency numbers (999, 911, 112, etc.). And another is likely to be that, when local law enforcement come knocking with a legal warrant, you must give them access to data and call information so that they can basically do wire-taps. There are well-established ways to do this, and fairly standard legal frameworks within which it happens: basically, if a call or data stream is happening on a telco’s network, they must provide access to it to the legal authorities. I don’t see an enormous change to this provision in what we’re talking about.
CSPs – cloud service providers
Things get a little more tricky where cloud service providers are concerned. Now, I’m being rather broad with my definition, and I’m going to lump your Amazons, Googles, Rackspaces and such in with folks like Facebook, Microsoft and other providers who could be said to be providing “OTT” (Over-The-Top – in that they provide services over the top of infrastructure that they don’t own) services. Here things are a little greyer*****. As many of these companies (some of whom are telcos who also have a business operating cloud services, just to muddy the waters further) are running messaging, email services and the like, governments are very keen to apply similar rules to them as those regulating the telcos. The CSPs aren’t keen, and the legal issues around jurisdiction, geography and what the services are complicate matters. And companies have a duty to their shareholders, many of whom are of the opinion that keeping data private from government view is to be encouraged. I’m not sure how this is going to pan out, to be honest, but I watch it with interest. It’s a legal battle that these folks need to fight, and I think it’s generally more about cryptographic key management – who controls the keys to decrypt customer information – than about backdoors in protocols or applications.
Other
And so we come to Other. This bucket includes everything else. And sadly, our friends the governments want their hands on all of that everything else. Here’s a little list of some of that everything else. Just a subset. See if you can see anything on the list that you don’t think there should be unfettered access to (and remember my previous post about how once access is granted, it’s basically game over, as I don’t believe that backdoors end up staying secret only to “approved” parties…):
- the messages you send via apps on your phone, or tablet, or laptop or PC;
- what you buy on Amazon;
- your banking records – whether on your phone or at the bank;
- your emails via your company VPN;
- the stored texts on your phone when you enquired about the women’s shelter;
- your emails to your doctor;
- your health records – whether stored at your insurers, your hospital or your doctor’s surgery;
- your browser records about emergency contraception services;
- access to your video doorbell;
- access to your home wifi network;
- your neighbour’s child’s chat message to ChildLine (a charity for abused children in the UK – similar charities exist elsewhere);
- the women’s shelter’s records;
- the rape crisis charity’s records;
- your mortgage details.
This is a short list. I’ve chosen emotive issues, of course I have, but they’re all legal. They don’t even include issues like extra-marital affairs or access to legal pornography or organising dissent against oppressive regimes, all of which might well edge into any list that many people might compile. But remember – if a backdoor is put into encryption, or applications, then these sorts of information will start leaking. And they will leak to people you don’t want to have them.
Our lives revolve around the Internet and the services that run on top of it. We have expectations of privacy. Governments have an expectation that they can breach that privacy when occasion demands. And I don’t dispute that such an expectation is valid. The problem is that this is not the way to do it, because of that phrase “when occasion demands”, and the mechanisms that they want to put in place to allow that. If those mechanisms break just once, then that “when occasion demands” becomes always, and not just for “friendly” governments: for unfriendly governments, for criminals, for abusive partners and abusive adults and bad, bad people. This is not a fight for us to lose.
*I’m giving the UK the benefit of the doubt here: as I write, it’s unclear whether we really have a government, and if we do, for how long it’ll last, but let’s just go with it for now.
**to be fair, we did have a government then.
***and not just because I like the word “delving”. Del-ving. Lovely.
****one which I probably won’t be writing if I know what’s good for me.
*****I’m a Brit, so I use British spelling: get over it.