
End to End Encryption and Law Enforcement

Around a million years ago (it feels like) but actually 9 months ago I
delivered a brief talk on end to end encryption for the European Internet
Forum at the European Parliament.

Because of my new job, I will soon no longer be able
to opine on these things as easily. Given the upheaval caused this
week by the end-to-end encryption paper from the Council of the European Union, I thought it
timely to re-up my little speech now.


If you can spare 9 minutes, I recommend watching the video.

To make life easier, I’ve used the astoundingly great otter.ai
transcription service to produce this lightly edited transcript.

Here goes.

So thank you for inviting me here. And we’ll try to keep this brief. So
who am I? Why am I here? I spent like half of my career working for
open source software, privacy, enhancing strong encryption, I spent the
other half working for law enforcement, intelligence agencies and selling
stuff to them.

As you can imagine, this leads to some conflicts among my
friends, and sometimes even among myself. And you will notice this in my
presentation, because if I do my job right, this presentation will upset
everyone, just not the same people at the same time.

First, I want to talk a little bit about backdoored encryption. And I don’t
know, actually, who is proposing that. I tried looking it up who came up
with it and we only see a little bit from the UK Government.

It has never worked.

And let me add one concrete example of how it’s backfired spectacularly. When
the GSM protocol was developed, the Berlin Wall was still a thing. And we
needed the GSM encryption to be good enough to keep the Russians out.

So strong encryption was designed. Because there were all kinds of
receivers around Berlin receiving West-Germans, and they did not want that.
So they designed the strength of the GSM encryption protocol to be good
enough to keep out the Russians.

And then at some point, someone from the US came along and said “you need to make
the encryption 1000 times weaker”. And that’s what happened. And that put
the encryption level of GSM at the point that the NSA could decrypt it, and
the rest of the world could not. And they got it right. We know
that they got it right, they calibrated it correctly.

The problem is, in 2020, GSM is still here. And my PlayStation could probably now decrypt
it, because we are still faced with that backdoored encryption from the
Berlin Wall era. So it never works.

So I should now have upset half of you. I will start working on the other half now.

One story I’d like to mention is, if you do backdoored encryption, who gets
the real encryption? Is there a board that decides who gets
the non-backdoored encryption?

In my family, we have a typewriter that belonged to my grandfather. And it
was a licensed typewriter for official company use during the Second World
War, because typewriters were a means of resistance. My grandfather was
allowed to have one for his administration. So apparently there was a
typewriter licensing Bureau.

If we mandate backdoored encryption, I mean, I assume all of you want
an exception to this rule? And it’s going to be a very strange situation,
because you might not get it!

Balance.

This is where it gets tricky. We’ve heard two previous speakers
argue basically that the police should leave the Internet, and should in general,
leave communications.

So every communication should be as private as communication in your own
house. That’s a wonderful thing. Even in the European Convention on Human
Rights, article 8, which enshrines our right to privacy, it says there
actually are limits to privacy.

And if we argue for a world in which we say, look, everything needs to be
private all the time for everyone, no exceptions, we will not have a just
and functioning society.

And it’s disingenuous to stand here and say, the police should
just do their work in bars and pubs and other places like they used to,
whereas the whole world has now moved to digital.

So there is a matter of balance. So where is the balance? According to
police forces, the balance is where every communication is easily
available with no undue delay, and cheaply, by the way. So we want to get
access to all data. And quickly, and no one must ever be able to evade
surveillance.

That is really what police people would want, because it would make their life super
easy. Solving crimes that way is like life on easy mode. I mean, it’s almost
as easy that way as if you were Google.

Because if you look at the data hoard that companies like Google and
Facebook have, they could probably solve most crimes on their own, simply
because they know where everyone was all the time, where they show up,
who they talk to, the contents of their communications.

If you would have this sort of God’s eye view of Google, you could probably
solve most crimes in an afternoon!

That’s also not good, by the way.

So there is a balance, and the balance is good when police and law
enforcement have sufficient access to communications, that society is happy
with the results.

Society might not be happy if trivial crimes become unsolvable, because we
simply say sorry, we try to do investigations, but everything is encrypted.
There’s nothing we can do. That’s not something society will accept.

At the same time, we should also not accept that it should be
super easy to access all communications all the time.

Now, we’ve been here before. In 2003, a company called Skype was launched. And Skype came from
very gifted Estonians and Ukrainians and Kazakhstan people. And they
were quite wonderful. They were hiding out in a small office in Amsterdam. I
visited them, some of their guys also slept there.

They built a communication platform that was not only fully end to end
encrypted, it also had no metadata. Oh, and they also did not respond to
law enforcement requests. So they created a complete black hole for law
enforcement, you could not serve a warrant on them.

If you looked at the traffic, you could not see who was communicating with whom. In fact, it was
pretty difficult to figure out that someone was even using Skype. This was
2003. By 2005, Skype had 40 million users, and law enforcement
was in a blind panic.

Because this was the nightmare for everyone. Unreadable communications, no
metadata, nothing. In 2005, Skype was acquired by eBay, in a very strange
move, for many, many billions. And later through Edward Snowden, we learned
that that acquisition had a remarkable effect on the privacy operations of
Skype.

We live in a Golden Age of Law Enforcement.

Now, I realize this is strange to say, because it might sound like some kind
of emergency is happening. But rarely has more information been available
than is now. If you manage to get your hands on it, the big cloud providers
have all the answers.

Back when I was active in law enforcement, we needed to actually put a beacon in your car to
figure out where you were. Now, you can just ask, it’s very nice.

So actually, law enforcement does not have it that badly right now. Law
enforcement has always complained about new technology, whenever something
new gets invented, they have always complained.

I looked it up as an example, when the car was invented. And indeed, when
the car was invented, the police said, this is a big problem, because
[criminals] will outrun our horses now.

And then they tried to regulate cars. So the natural response of law
enforcement to new technology is to say, look, it’s going to change the way
we work, and we don’t want that. And actually, from their perspective, I
see where they’re coming from.

The big change we’re seeing now, and that’s why people are so
worried and coming up with proposals like backdoored encryption, is that
things are changing.

Until 1990, good encryption was scarce, and it was also frankly illegal. After 1990,
good encryption became available, but it was terrifically difficult to
use. Everyone messed it up, law enforcement themselves messed it up. It
was very difficult to get right. But now we are living in an era where good
encryption is becoming a standard.

Just like back when Skype came around, you don’t need to do anything to
encrypt your WhatsApp messages. They are just encrypted out of the box.
And the reason why people are in such a panic is that they see a future
ahead of themselves where every communication is fully encrypted all the
time.

And that would deliver the dream of some people that the police can get out of the internet. But
law enforcement sees it as a challenge to them doing their job.

Wrapping up.

In seven minutes, or nine by now, I know I cannot settle the debate. Would probably take nine
days!

But I hope that in this little talk I have challenged some of your
assumptions about why encryption is bad or good.

And I would argue strongly that whenever someone argues for backdoored
encryption, ask them for specific details. So how does it work? Who is
proposing that? Could you write down how that would work?

Because as long as we’re just sitting here telling each other how terrible backdoored
encryption is, no progress is being made.

And any real solution always has to keep in mind the much vaunted article eight of the European Convention
on Human Rights.

How do we balance privacy with the rule of law?

Thank you.
