Henry Pearce: Some Thoughts on the Encryption Regulatory Debate

Debates about the regulation of encryption technologies and surveillance have been around for decades. It is in unfortunate circumstances that these debates have now been thrust back into the public eye. Following the horrifying Westminster attack which occurred on 22^nd March 2017 Amber Rudd, the UK’s Home Secretary, has been very vocal in suggesting that in order for the police and security services to be able to effectively investigate and prevent future terrorist acts they must be given access to over-the-top messaging services that utilise end-to-end encryption, such as WhatsApp. (End-to-end encryption services can generally be described as those which allows for conversations to be read only by the sender and recipient of individual messages, meaning that such messages cannot be intercepted and read by a third party.) Her comments appeared to have been driven by the fact that Khalid Masood, the perpetrator of the attack, had used WhatsApp shortly before commencing his appalling actions. In particular, Rudd has claimed it is “unacceptable” that governmental agencies were unable to read messages protected by WhatsApp’s end-to-end encryption, and in an interview given to the BBC on Sunday 26^th March, intimated that she would consider pursuing the enactment of new legislation which would require the providers of encrypted messaging services to grant access to the UK intelligence agencies. This sentiment has since broadly been endorsed by the UK government.

Suggestions of increasing state surveillance powers inevitably lead to heated debates pertaining to the competing values of privacy and security. The purpose of this post is not necessarily to engage with this debate, but rather to highlight the dangers of allowing such debates to become dominated by inaccurate and/or irrelevant information. By rounding so aggressively on WhatsApp and other similar services, the Home Secretary appears to have set the blame for Masood’s attack, partially at least, at their feet. A clear inference one can make from her comments regarding how such services give terrorists a place to hide is an underlying belief that, if government agencies were able to access encrypted communications, the Westminster attack could have been prevented. For a variety of reasons, this conclusion is questionable, and appears to be premised on a number of misunderstandings about what encryption is and what it does.

Firstly, there is no empirical evidence to support the notion that if the law compelled providers of encrypted communications services to give the UK intelligence services access to the communications of their users the outcome of the events of 22^nd March would have been any different. Had it been possible for the intelligence services to intercept Khalid Masood’s WhatsApp messages, for instance, it is unlikely that they would have done so. Despite Masood being known to the security services, he was not in their sights as an immediate or probable threat. As a result, there would have been no reason for his communications to be intercepted, and so it is difficult to see how the security services having access to his encrypted messages would have prevented the atrocities for which he was responsible.

Secondly, any implicit suggestions that Whatsapp have prevented or hindered the security services from reading Masood’s messages are divorced from reality. By stating that it was “unacceptable” for WhatsApp to encrypt Masood’s messages one possible inference might be that the Home Secretary was suggesting that, post-event, WhatsApp was, through encryption, not only obstructing the security services’ counter-terrorism endeavours, but to some degree could potentially be accused of being complicit in preventing the security services from reading said messages. The latter is simply not true, and any suggestions in this vein must be resisted. WhatsApp, like the providers of other encrypted communication services, do not have the ability to access the encrypted messages of their users. As they cannot access the messages themselves, they can hardly be accused of attempting to hide them from the security services. These messages can only be accessed by their sender and their intended recipient. Masood’s phone is now presumably in the hands of the security services, and as a result it is highly probable that they have gained access to the phone itself and, as a result, the messages stored within.

Finally, Rudd’s comments regarding the police and security services being given access to encrypted communications services appear to be premised on the belief that a metaphorical “backdoor”, can effectively and securely be built into their operation, or that a “master key” can be granted by the providers of such services exclusively for the authorities’ use. This, however, is a somewhat dubious position. As has been noted elsewhere, for instance, it is doubtful that encrypted communications can ever be made truly secure whilst simultaneously allowing for the incorporation of “backdoors” and “master keys” for state institutions, and that the complexity of their incorporation could lead to new unquantifiable security risks. A “backdoor” or “master key” being built into any messaging services could mean, therefore, that the messages carried over such a service would no longer be truly encrypted, possibly exposing the users of that service to threats from hackers and other nefarious actors. Given that an array of online services, such as online shops and banks, rely on encryption to secure their services, the introduction of “backdoors” and “master keys”, supposedly for the exclusive use of the security services, would not necessarily be a development to be welcomed. On top of this, even if government “backdoors” and “master keys” could be securely built in to encrypted communications services, we would also do well to remember that there may be considerable reservations to be had about entrusting emanations of the state with such responsibilities.

As noted above, the purpose of this post was not to argue either for or against the regulation of encryption-based technologies and services, nor necessarily for or against increased government surveillance powers, but to highlight how debates pertaining to these matters can be hijacked and dominated by misinformed views. If such debates are pervaded with such views, we can surely expect the regulatory endeavours that emerge as a response to leave a lot to be desired. So by all means let’s have debates about encryption and surveillance and how, when, and if they should be regulated, but let’s at least make sure we ground these debates in reality and fact, not hyperbole and rhetoric.

Henry Pearce is a lecturer in the Law at the University of Hertfordshire, and a doctoral researcher at the Institute for Law and the Web at the University of Southampton.

(Suggested citation: H. Pearce, ‘Some Thoughts on the Encryption Regulatory Debate’, U.K. Const. L. Blog (25th Apr 2017) (available at https://ukconstitutionallaw.org/))

5Comments

Add yours

1

Richard Burnett-Hall on April 25, 2017 at 11:13 am

The Home Secretary may indeed originally have been unaware of exactly what encryption technology does (as was I). There must be a few people in the Home Office who do, though (I certainly hope there are), so I suspect she is by now rather better informed. I did not read her original comments as accusing WhatsApp of being complicit in what happened in the Westminster attack. It seems rather that she had supposed that all messages could be accessed, just like e-mails, and that she was distressed, having found out the hard way, that there was a system readily available to all, including terrorists, that allows messages to be sent that the Intelligence services apparently cannot decipher. It is possible that Khalid Masood’s final WhatsApp message may have had little or nothing to do with what he was planning. Nevertheless, checking on what he said, and who he said it to, would clearly be a natural line of enquiry, and Amber Rudd was evidently frustrated by having this line closed off.

I hold no brief for her at all, but understand and sympathise with her initial reaction. There obviously is a considerable danger in having terrorists able to communicate with each other in total secrecy so easily, and I for one would be quite prepared to accept some inconvenience and potential loss of privacy if that would make life harder for society’s enemies. Could there not be some mandatory licensing system that only permits organisations that reasonably need total security, and no-one else, to have access to an encryption system and to send and receive encrypted messages? They, and where they send messages from, would have to be registered, and they would have to be obliged to retain all their messages in accessible form for a minimum period. Members of the public dealing with a registered organisation would still have their privacy protected, but not otherwise. Obviously we should also retain all the safeguards we have now as regards when the state security services could get access to confidential information.
2

Nunn The Wiser on April 25, 2017 at 1:26 pm

Don’t be too hard on Amber Rudd, the U.K.’s current Home Secretary. She is only doing her master’s bidding!

The real target should be the U.K’s Blame Dame, Theresa May, who – with her team of creative backroom boys – finds all manner of ways to either pass the buck after the event or deflect blame before the inevitable happens.

She knows exactly what she is asking for, although she is not asking for it overtly – that would be too precarious. Instead she is trying the sly, stealthy way, hoping that unaware Parliamentarians will repeat their mistakes of the past and approve legislation that later turns out to be more than they bothered to bargain for.

She will even find ways of blaming Parliamentarians if they succeed in blocking her plans for access to encrypted messages. That’s her style. God help the U.K!
3

john young on April 25, 2017 at 2:40 pm

Great article, informative, eye opening and with every sentence erodes my predetermined belief that of course authorities should have access to whatsapp messages. Pearce puts the debate back in the appropriate framing.
4

Some Thoughts on the Encryption Regulatory Debate – University of Hertfordshire Law, Criminology & Politics Blog on April 25, 2017 at 3:12 pm

[…] This article was originally posted on the UKCLA blog […]
5

John on April 25, 2017 at 6:58 pm

It has been said that “Bad cases make bad laws” – and this is a similar case.
Rudd is simply kow-towing to the “Something Must Be Done!” Brigade.
Logic suggests that even if the state authorities had known the contents of Masood’s last message that they would NOT have been able to prevent his actions.
Allowing the state to mass-trawl everyone’s private messages is unfeasible.
The state itself has an appalling record of keeping private data secure.
Why should they be trusted with any way of reading everyone’s private messages?
Could they guarantee the safety and security of all our messages?
I doubt it.
Could they really secure our private messages from others states hacking ops?
I doubt it.
In all probability, some “bright” spark would come up with the idea of selling-on all our private messages to commercial concerns to raise money for the state.
How would our private messages content then be used by them?
Does anyone truly know?
I doubt it.