David Cameron is “living in cloud cuckoo land” when he suggests a new Tory government would ban messaging apps that use encryption, security experts have told the Guardian.
The prime minister has pledged anti-terror laws to give the security services the ability to read encrypted communications in extreme circumstances. But experts say such access would mean changing the way internet-based messaging services such as Apple’s iMessage or Facebook’s WhatsApp work.
Independent computer security expert Graham Cluley said: “It’s crazy. Cameron is living in cloud cuckoo land if he thinks that this is a sensible idea, and no it wouldn’t be possible to implement properly.”
Other security experts echo Cluley, describing the approach as “idiocy” and saying Cameron’s plans are “ill-thought out and scary”. The UK’s data watchdog has also spoken out against “knee-jerk reactions”, saying moves could undermine consumer security.
Meanwhile a start-up has warned on the possible effect on Britain’s nascent technology sector of Cameron’s plans. Eris Industries, which uses open-source cryptography, has said it is already making plans to leave the UK if the Conservative party is re-elected with this policy in its programme.
On Monday, Cameron made a speech in which he decried the ability of ordinary people to have conversations on which the security services were unable to eavesdrop.
“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications,” Cameron said. “The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.”
Cluley said either tech companies would have to work with UK government and build backdoors into their software to allow the authorities to intercept messages, or the apps themselves will have to be banned.
“If there are backdoors in the apps, or if weak encryption is used, then you are only opening up opportunities for hackers to break in and steal information too. That’s not going to go down well with businesses or consumers,” Cluley said.
Ross Anderson, professor of security engineering at the University of Cambridge, said: “This is just what the agencies pushed in the late 1990s, after Al Gore persuaded Tony Blair to go back on his pre-election promise not to ban encryption.
“Industry fought back, along with civil society, and the outcome was the Rip Act, which gives a chief constable the power to demand decryption.”
Peter Sommer, professor of cybersecurity and digital evidence at de Montfort and the Open Universities, said: “The National Crime Agency and the people there understand that relationships with people and the companies like Google are important, as they will help you, but passing laws and badmouthing in public is simply not going to work,”
“But at the top there’s been the kind of idiocy exemplified by what happened in the basement of the Guardian, where there were obviously lots of copies of the Snowden material but they insisted on the destruction of a computer that might have been used for storing them.”
“Yes you can pass laws in Westminster until you’re blue in the face but you can’t enforce them,” said Sommer.
The UK’s data watchdog, the Information Commissioner Christopher Graham and data privacy campaigners were equally worried by Cameron’s comments and the implications it could have on data security and privacy.
“We must avoid knee jerk reactions,” said Graham. “In particular, I am concerned about any compromising of effective encryption for consumers of online services.”
“Citizens, businesses, and nation states need to protect themselves. Internet companies are understandably offering their customers online services that are better encrypted following recent security incidents,” said Graham.
“Cameron’s plans appear dangerous, ill-thought out and scary,” said Jim Killock, director of the Open Rights Group. “Having the power to undermine encryption will have consequences for everyone’s personal security. It could affect not only our personal communications but also the security of sensitive information such as bank records, making us all more vulnerable to criminal attacks.”
“The only practicable way forward is a new international treaty on access to communications data and content, which must involve safeguards that will be acceptable to all,” said Anderson.
Preston Byrne, the chief operating officer of Eris Industries, warns that his company will be forced to leave the UK if Cameron’s comments on the technology become policy, and move to “more liberal climes such as Germany, the U.S., the People’s Republic of China, Zimbabwe, or Iraq.”
Byrne, who is also a fellow at the London-based free-market think tank ASI, told the Guardian that “secure open-source cryptography is at the core of our business… so we were able to make the decision more or less immediately.”
Eris Industries uses technology loosely based on the bitcoin cryptocurrency to build a decentralised network, with potential applications in communications, social networking and community governance. But, Byrne warns, “none of these benefits can be realised without secure cryptography, including end-to-end encryption.
“David Cameron has said this measure is designed to ‘modernise’ the law. He fails to understand the full extent of how out of date the law is. The only way you can shut down cryptographic distributed networks today is to either arrest the vast majority of (or in the case of a blockchain database, all) persons running a node and ensure that every single data store containing a copy of that application database is destroyed; or shut down the Internet.”
As a result, he tells the Guardian, “I’d be very surprised if the Conservatives stick to their guns on this.”
One insider at a major US technology firm told the Guardian that “politicians are fond of asking why it is that tech companies don’t base themselves in the UK”.
“I think if you’re saying that encryption is the problem, at a time when consumers and businesses see encryption as a very necessary part of trust online, that’s a very indicative point of view.”
Comments (…)
Sign in or create your Guardian account to join the discussion