We were concerned, but sadly not surprised, to learn of Amber Rudd’s comments yesterday (2 October) on encryption. These comments, which came at a fringe event at the Conservative Party conference, included the following declaration:
Home secretary Amber Rudd tells Conservative fringe "I don't need to understand how encryption works to want to deny its use to criminals."
— Alan Travis (@alantravis40) October 2, 2017
In a worrisome display of psychological projection, the Home Secretary further responded to a question on whether she understands how encryption works by accusing tech businesses and professionals of patronising and sneering.
As tech and digital professionals, we are happy to clarify why these comments are so concerning.
What is encryption?
At its simplest, encryption is the process by which information can be securely stored, or transferred securely between two parties. It involves complex mathematics to obscure data so that it is almost impossible to read without the correct decryption keys or passwords.
“End-to-end” encryption is commonly used when transferring information that needs to be kept secret over a public system such as the internet.
Critically, encryption provides the following assurances:
Identity – You can be sure that only the intended sender sent that message. The message has not come from anyone else.
Integrity – The message has not been changed on the way to you by someone malicious.
Interception – Nobody except you and the sender can understand the message.
Why is it important?
Without encryption the internet loses many of its functions:
1. Home Finance
Without being able to confirm both parties’ identities and communicate information securely, banks would be unable to provide internet banking in the UK.
2. Online Retail
Without being able to transfer payment details online securely, online retailers would no longer be able to sell to UK citizens without risking high levels of fraud. Your bank will also want to avoid insecure online payments, as this exposes them to fraud.
3. Secure Communication
Online messaging applications such as iMessage, WhatsApp, Telegram, and Facebook Messenger would not be able to work without potentially allowing third parties to view the contents of messages.
4. All websites with logins
Logging into a website without encryption would expose your credentials to anyone who is connected to your network, either by wire or wirelessly.
5. Back to Cash
All card payments and ATMs use the internet to verify payments and balances. As with Online Retail, without encryption these messages would be insecure and we would have to go back to using only cash.
What’s happening with encryption?
Government officials like Amber Rudd say that the internet is providing communication channels for terrorists and other malicious parties, and that being unable to break encryption is hampering investigations and allowing terrorists to plan attacks.
There has been talk of banning or licensing encryption, or requiring companies to create back doors so that government agencies can circumvent encryption to view the content of messages.
There are strong arguments against these ideas:
Banning or licensing encryption
Only allowing certain individuals to communicate securely is akin to licensing speech and could constitute a violation of the right to privacy and freedom of expression. As encryption itself is based around the use of complex mathematics, trying to ban it would be as difficult as trying to ban some mathematical functions.
Creating “back doors”
One of the more disturbing aspects of the Home Secretary’s repeated attacks on encryption is the fact that she already has the ability to seek “back doors”. These powers are already wide, sweeping, and disproportionate to their need.
We must, at this point, ask why the Home Secretary is so vehemently determined to expand those powers, and why attacks on the integrity of our industry and those who work within it are key to her rhetoric.
International data adequacy
It is important to realise that the UK does not stand on its own. If the UK government were to require a weakening of encryption, this would affect any data about citizens of other countries stored or transmitted through the UK too.
It is doubtful that the governments and citizens of other countries would accept this, given how the UK’s future adequacy as a third country for post-EU data transfers already hangs in the balance.
The Web Matters position
The nature of encryption is that it is just mathematics; as soon as someone other than the communicating parties (in Amber Rudd’s wishes, GCHQ) has the original keys used to encrypt the message, so as to crack that encryption, it becomes possible for everyone else too. Not only will GCHQ be able to read the messages of all suspected terrorists, but all suspected terrorists, foreign government agents, the shadow government, political enemies and more will be able to circumvent the encryption used by government officials and the secret service.
There’s no different mathematics for the UK and other countries, or select people. There’s just one, which works across all borders, all people, all ideologies, and all intents.
Encryption is only as strong as its weakest link. That weak link, at this point, is not a line of code – it is the Home Secretary.
We call on the UK government to end its attacks on encryption; we call on the Home Secretary personally to find a route forward which involves respectful cooperation with industry as opposed to constant accusations of complicity in terrorism and criminality; and we call on both parties to cease their gaslighting attacks on the digital industry and the professionals who work in it.