On Tuesday, British Prime Minister David Cameron announced his plan to introduce new surveillance powers in the UK, and ban applications that use end-to-end encryption.
Here are some of the comments Help Net Security received:
Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre
If introduced, this could have a devastating impact on businesses within the United Kingdom. Any information security companies developing their own products and solutions may have to undermine the security of their products by weakening the encryption employed to allow UK government access which will place them at a competitive disadvantage against products developed in other countries which can employ more robust encryption.
One thing Mr. Cameron perhaps fails to realize is that he is looking to treat the symptoms of a problem and not the root causes of that particular problem, one of which is the severe lack of funding and support many governments provided to police forces and other law enforcement agencies to fight online threats posed by criminals and terrorists.
If the UK government, and other governments, want to tackle cybercrime and other online abuses, then they need to look at treating the actual problem itself and provide proper funding, training, and resources to law enforcement agencies.
Governments need to also improve how sharing of information is done between countries and work together in streamlining the problems in prosecuting criminals across multiple jurisdictions. Addressing these problems will yield better long-term results than undermining the privacy and security of the online lives of the UK’s citizens.
Lance Cottrell, Chief Scientist at Ntrepid
David Cameron’s proposal to ban encryption they can’t break is understandable, but it’s a knee-jerk reaction to terrorism headed in the wrong direction.
There already exist many strong open source encryption tools which criminals will always be able to access and use. Such a proposal is unlikely to have significant impact on the ability of law enforcement or intelligence organizations to track the serious terrorists.
In most cases there are other ways of gathering the data anyway, like accessing cloud backups or logs stored on their computers. Traffic analysis, which follows who is communicating rather than what they say, is often even more useful than clear text intercepts and can be much more easily automated.
More importantly, the collateral damage from such a proposal would almost certainly be far worse than the small security advantages. As we have seen in the wake of the near constant major breaches, security is hard enough when you are not trying to intentionally build in a back door. Any organization with the ability to read the data will itself become a major target of hackers who want that capability too. That includes nation-states who want to be able to access the communications of dissidents. Such a policy in the UK sets a precedent that governments in repressive countries will be quick to follow.
Will all governments be allowed a set of back door keys? Certainly many other countries will demand such access or ban the use of software from non-cooperating companies. How could any business rely on encryption if the keys are effectively held by their competitors?
This debate is really just a replay of the Clipper Chip discussion from the early 1990s. Even then it was very clear that this was a bad idea, and the value of the data at risk was far less.
With the rapid increase in sophisticated and effective cyber attacks, what we need is more and better security tools, not fewer and weaker ones.
Jean-Philippe Taggart, Senior Security Researcher at Malwarebytes
What Prime Minister Cameron is suggesting is akin to “throwing out the baby with the bath water.” By disallowing the use of secure messaging apps, he would be weakening every Briton’s security posture. Doing this only to prevent some bad actors from communicating securely demonstrates a spectacular lack of understanding of the issue.
We need only look at the strong crypto export debacle of the 90s to see that such measures simply do not work. His statement is the same old knee-jerk reaction we get every time events such as those that took place in Paris occur.
Bob West, Chief Trust Officer at CipherCloud
This depends on how far the Prime Minister will take the ban. My read is the ban could be applied broadly to the point of creating backdoors so government agencies can decrypt information in all software sold in the UK. This would set a very bad precedent as security concerns are at an all-time high and taking away legitimate privacy technologies inflicts further pain points for businesses who have compliance and ethical responsibilities to protect customer data.
As I’ve said before, companies that handle customer data are trusted custodians. Forcing them to use compromised security technologies puts them at risk to fall short of EU and ICO privacy mandates, which carry stiff penalties. Even if the ban only applied to messaging applications, it would still take away trusted platform choices from businesses that are exchanging sensitive information.
Richard Moulds, VP of Strategy at Thales e-Security
The genie is already out of the bottle, so making changes now won’t have much effect if the bad guys can already get their hands on strong encryption for free. People can’t make the technology simply “go away” just because it has unwanted uses.
Governments could try to make encryption illegal or employ measures such as limiting the size of encryption keys or requiring people to register their keys, but realistically none of these approaches are practical. At some point governments have to accept that encrypted communications can’t reliably be broken, and that lawful interception will become less useful over time. Other intelligence gathering techniques will need to be developed.