We could soon be in for a new round of the encryption wars, but this time governments are taking a different approach.
Seven governments from across the world have started a new campaign to try persuade big tech companies to reduce the level of security they offer to customers using their services.
The seven — US, UK, Canada, Australia , New Zealand, India and Japan — are worried that the use of end-to-end encryption makes it impossible for tech companies to identify dangerous content like terrorist propaganda and attack planning, and makes it harder for police to investigate serious crimes and protect national security.
Their statement starts boldly: “We, the undersigned, support strong encryption”, saying that it plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security, and in repressive states protects journalists, human rights defenders and other vulnerable people.
Then, of course, comes the big caveat: “We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.” The sort of end-to-end encryption that means messages can’t be intercepted, or that a hard drive can never be read without the key, “pose significant challenges to public safety”, the seven governments warn.
This of course is where things get trickier. These governments want tech companies to make it possible to act against illegal content and activity, but with no reduction to safety — something that tech companies insist is impossible.
“We challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions,” the statement concludes.
Tech companies argue that end-to-end encryption protects users’ privacy rights, and it to weaken it — by creating a so-called ‘backdoor’ that would allow the authorities to look at messages — would put all sorts of private communications at risk from hackers and force them to decide whether to hand over messages to oppressive regimes. End-to-end encryption makes the tech companies’ lives easier, and also allows them to claim the moral high-ground when it comes to privacy.
So it there anything new in this? Governments have been half-heartedly trying to refight the cryptowars for years now, with little success — largely because they know that coming up with a fix for this is hard.
They know it’s all but impossible to ban the use of end-to-end encryption. Sure, you could pass laws to ban it, and maybe block encrypted apps from local app stores if they used it, or make it illegal to posses them. But that’s insanely hard to justify and even harder to enforce — even for states like Russia, which have tried to ban encrypted services.
And even if you did go for a ban, organised crime would simply get hold of encryption on the black market or from abroad, and would be just as well-protected as ever. But the average person on the street would be unable to access strong encryption, and would be more at risk of hacking as a result.
A policy that makes the average person less secure, while doing little to tackle the real problem, seems unlikely to gain much support. Imagine being the politician who has to explain to the country that their data has just been scooped up by a foreign power as a result.
The UK’s GCHQ has come up with an idea called ‘ghost protocol’, which would add the government as a secret eavesdropper into every call. But although GCHQ’s scheme has technical merit, if tech companies said ‘yes’ to one agency they would struggle to exclude others — that chat with your mates about what to watch on Netflix could quickly become crowded with spies from around the world.
That’s because governments will inevitably over-reach and use such powers to increase their general surveillance. It’s worth remembering that many of these tech companies introduced end-to-end encryption precisely because governments were cheerfully snooping on everyone’s conversations in the first place. Many would say it’s brazen of governments to now ask us to trust them again.
A new approach
So what’s going on here? Adding two new countries — Japan and India — to the statement suggests that more governments are getting worried, but the tone is slightly different now. Perhaps governments are trying a less direct approach this time, and hoping to put pressure on tech companies in a different way.
“I find it interesting that the rhetoric has softened slightly,” says Professor Alan Woodward of the University of Surrey. “They are no longer saying ‘do something or else'”.
What this note tries to do is put the ball firmly back in the tech companies’ court, Woodward says, by implying that big tech is putting people at risk by not acceding to their demands — a potentially effective tactic in building a public consensus against the tech companies.
“It seems extraordinary that we’re having this discussion yet again, but I think that the politicians feel they are gathering a head of steam with which to put pressure on the big tech companies.”
Even if police and intelligence agencies can’t always get encrypted messages from tech companies, they certainly aren’t without other powers. The UK recently passed legislation giving
law enforcement wide-ranging powers
to hack into computer systems in search of data.
So will governments find more success with their new softer approach? In the short term, probably not. End-to-end encryption creates real and tragic problems for police and the victims of crime, yet governments have not made a decent case for making us all less secure in response to those problems. Still, governments are increasingly conscious of the impact of big tech companies, and are increasingly willing to take them on. It may only take a few high-profile situations where strong encryption prevents a terrible crime from being stopped or investigated, for governments to think that public opinion can be shifted in their direction.
ZDNET’S MONDAY MORNING OPENER
The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.