There is No Safe Breaking of Encryption

End to End encryption (E2EE) allows for people to communicate securely and privately, protecting participants in text and audio conversations from surveillance. Today, billions of people around the world enjoy the benefits of E2EE on platforms such as WhatsApp and Signal. Unfortunately, lawmakers around the world are working on undermining E2EE.

But a weakening of E2EE somewhere is a risk to the security of people everywhere. We must shield E2EE from any attempt to weaken its protections. These protections allow for the free flow of information among friends, families, and colleagues while ensuring the privacy and security of human rights advocates, journalists, and persecuted minorities. It is not an exaggeration to say that access to free and user-friendly E2EE is one of the greatest civil liberties advances in recent decades.

But E2EE is under threat. At a time of significant geopolitical upheaval and widespread abuses of civil liberties it is vital to quash persistent myths surrounding E2EE and to defend the privacy and security of law-abiding people around the world.

How Did We Get Here?

The Washington Post recently reported that the Home Office had issued a secretive technical capability notice (TCN) to Apple requiring the tech giant to “create a back door allowing [the Home Office] to retrieve all the content any Apple user worldwide has uploaded to the cloud”. As a result of this secret order, British Apple customers are less secure than Apple customers in other liberal democracies.
This news shocked many civil liberties analysts, lawmakers, and technology industry professionals. It was unprecedented: never before had a liberal democracy compelled a technology company to breach its users privacy in such a vast manner.

In the United States, a Democratic senator and a Republican congressman wrote to the Director of National Intelligence Tulsi Gabbard, saying that the TCN represents “effectively a foreign cyberattack waged through political means”. Gabbard responded by saying that the Home Office’s order represented a “clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors”. Thanks to the law governing TCNs, Apple is prohibited from discussing the order or their subsequent appeal.

The law in question is the Investigatory Powers Act (IPA), fittingly dubbed the ‘Snooper’s Charter’. Passed in 2016, the IPA allows the Home Secretary to issue TCNs, which require companies to make changes to their products so that their data is technically accessible to the Home Office. Using these powers, the Government can not only issue encryption-breaching orders to companies but also ban companies from discussing such orders in public.

Apple responded to the TCN by saying that it would no longer offer Advanced Data Protection (ADP), which allows Apple iCloud users to encrypt the content they upload to iCloud, to new British customers and would be withdrawing the service from existing British customers in the coming months.

Apple is currently in the midst of appealing the TCN. Unfortunately, the IPA allows for the appeal to be heard in secret, so much of the process surrounding the TCN issued to Apple remains shrouded in secrecy. Big Brother Watch called for the The Investigatory Powers Tribunal to make hearings associated with the appeal public. Fortunately, the tribunal rejected the Home Office’s attempt to keep all details of the hearings secret, but it remains to be seen how much transparency the tribunal will allow for future hearings.

The Role of Encryption in TCNs

E2EE ensures that only the sender and the intended recipients of communications or other data have access to it. If Alice sends Bob a message protected by E2EE, only she and Bob can read the message.

Encryption is based on mathematics that generate keys that ensure safety, security and privacy in communications. This technology scrambles plain text in such a way that makes it virtually impossible for attackers to reverse engineer. This technology is crucial to the safety of journalists, human rights defenders, whistleblowers and vulnerable groups both in the UK and all over the world.

Messages protected by E2EE are different from most emails and text messages. If a police force or an intelligence agency wants to read emails sent with Outlook for example, they need only issue Microsoft a legal order for them, which Microsoft can hand over for investigators to analyse.

Apple protects much of its users’ data with E2EE. If you use iMessage to send content to someone, that content is protected by E2EE. The Government already has powers to allow the police to seize physical devices, like a mobile phone, as a part of a criminal investigation. By investigating a device, the privacy and security of the innocent public remain protected whilst the individual suspected of a crime comes under investigation. On the other hand, building a backdoor to break encryption and access iMessage data would be an overreach.

Governments cannot break the laws of mathematics. Some of the them, including the British government, have passed laws that allow them to threaten companies that choose to protect customers with E2EE. Such an approach is very misguided, putting the privacy and security of law abiding people all over the world at risk.

E2EE and Civil Liberties
At first glance, it might seem that giving a government the technical means to access encrypted content associated with suspected criminals and terrorists. However, while perhaps initially attractive, there are good reasons to oppose this access.

1) There is No Safe Breaking of Encryption: Governments that demand that we all open back doors to our content can provide as many reassurances as they want that they will only access protected data after following the correct legal procedures. But once E2EE has been compromised it is impossible to ensure that only authorised parties will have access to the content. There is no doubt that criminals and foreign adversaries will take advantage of weakened protections and take steps to undermine the privacy and security of law-abiding people. The history of cybersecurity is full of examples of sensitive data ending up in the wrong hands thanks to poor security practices. Only last year, hackers associated with the Chinese government attacked telecommunications firms in the United States, resulting in the theft of text messages and their associated metadata, including data associated with presidential candidates Vice President Kamala Harris and Donald Trump.

2) Security and Privacy Are Preconditions for Free Speech: The free exchange of ideas requires speakers to be able to conceal their identity if they choose to do so. Many people risk incurring significant social, familial, and (in some cases) criminal costs if they express the wrong view on a sensitive cultural or political topic. Yet in order for a diverse and liberal democracy to flourish it needs to protect the ability for residents and citizens to express those views. E2EE allows speakers to express themselves without fear of surveillance from government or attacks from criminals. If E2EE were undermined by a government mandate we would expect for many law abiding people to censor themselves. This effect would no doubt be particularly acute among members of political, sexual, and religious minorities.

– Matthew Feeney, Advocacy Manager

The post There is No Safe Breaking of Encryption appeared first on Big Brother Watch.

Source: https://bigbrotherwatch.org.uk/blog/there-is-no-safe-breaking-of-encryption/