Here we go again: the Australian government is the latest to plan new laws that will require companies to be able to unscramble encrypted communications.
In particular, the government wants tech companies to be able to hand over communications currently protected by end-to-end encryption, which scrambles messages so they can only be read by the sender and the recipient, and not by the tech company itself.
“The laws of Australia prevail in Australia, I can assure you of that,” Australian Prime Minister Malcolm Turnbull told reporters. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
The Australian stance is modelled on the one taken by the UK government, which last year passed the Investigatory Powers Act that aims to do something similar. At the time it was making its way through Parliament there were warnings that the law, known either as the “Snoopers’ Charter” or “the most extreme surveillance in the history of western democracy”, would spark copycat legislation elsewhere, and this was clearly correct.
The argument that criminals should not be allowed to plot in secret is a legitimate one. When the UK law was being debated, the government said that intercepted communications form between 15 and 20 percent of the intelligence picture in counter-terrorism investigations.
Here’s the problem. It’s not realistic to legislate encryption out of existence. You can’t outlaw the application of maths. Even 20 years ago, when it was relatively rare and harder to use, governments accepted that the benefits of encryption — like privacy and security — vastly outweighed the genuine concerns that encryption could help bad people to do evil in secret.
And it’s worth remembering that many companies started to use end-to-end encryption recently to protect their customers’ data precisely because intelligence agencies around the world have been shown to have a tendency to scoop up as much data as they can, whenever they can.
The new UK law demonstrates these difficulties, and it’s worth looking at how it has played out. This law requires UK internet companies to be able to remove any encryption they apply to messages. That makes it hard for any UK company to offer an end-to-end encrypted service themselves, but there’s at least one major issue with this: UK law only extends so far, and the tech industry is a global one.
Few of the companies that offer the secure (end-to-end encrypted) services that worry the government are actually based in the UK.
Persuading companies to change the way they run their business just for the UK market is unlikely to succeed. And, even if the biggest companies could be forced to change their policies, which is deeply unlikely, then criminals could easily find another company, somewhere in the world, that will offer them an encrypted service. Or they could even build one themselves.
Banning end-to-end encryption would make it easier to snoop on some conversations, for sure. But it’s likely to have a bigger effect on disorganised crime — crooks who don’t know how to cover their tracks, or don’t care about doing so.
There is a benefit in being able to tackle any crime, of course, but it’s worth being at least aware that any local — that is, national — ban on encryption is likely to have an extremely limited impact on organised criminals.
But what a ban will certainly do is weaken security for tens of millions of people.
We already know far too well that both cyber-crooks out for cash and hackers backed by governments are trying to snoop on and steal data from political parties, businesses, and individuals on a daily basis. Weakening the security that protects those communications will make it much easier.
The tech companies that hold those ‘golden keys’ that can decode all the messages that flow over their networks will be a huge target for hackers, and history has shown us that few organisations are capable of protecting themselves forever.
There is perhaps an outside chance that there will be a domino effect: that as successive governments start passing legislation like this, we could eventually end up in a position where end-to-end encryption is effectively outlawed worldwide. But that is extremely, extremely unlikely. Realistically, without the same legislation in the US (which has up to now rejected such a move) the impact of any other nation’s laws will be limited.
What is better is for governments to accept the existence of end-to-end encryption as something that is, for the most part, a beneficial part of the landscape.
And there are ways to get round it. For example, many PCs and smartphones are inherently insecure and relatively easy to hack into; in the UK, police and intelligence agencies now have the powers to hack individual devices should they need to. That means investigators can get access to most communications but can’t routinely access everything.
This seems to me to be a much better, targeted use of powers rather than making us all insecure. It’s the equivalent of giving the police a battering ram versus requiring everyone to hand in a copy of their front door key. In addition, investigators already have access to huge amounts of metadata — information about the communications if not the actual contents. The problem in many cases is not too little information, but too much.
In reality it is unlikely to be possible to prevent the use of end-to-end encryption, and even if it were, the side-effects of doing so could be very significant for modern, connected societies.
In a fight between maths and politics it’s unlikely the politicians are going to emerge the winners: they should instead think of better ways to get access to communications to keep us all safer.