When it comes to messaging end-to-end encryption is a must if you want privacy. But if you’re a guardian of national security, encryption is a big problem: it’s very difficult if not impossible to break modern encryption to catch the bad guys, so they have to attack the end points instead on the encrpytion.
This is often referred to as the great encryption dilemma. Governments make loud noises about their commitment to cybersecurity and data privacy. But you’ll sometimes find the exact same governments pressing the tech industry to build crypto backdoors into their products for state surveillance purposes. Privacy or surveillance: you can have one or the other - but you can’t have both.
Here’s a closer look at the latest policy moves from the EU - and the wider encryption dilemma.
What has the EU announced?
There’s been no formal announcement. Rather, the Council of Europe has produced a ‘draft resolution document’ that was leaked to an Austrian TV channel and was quickly picked up by the tech press. These resolutions are not binding, but tend to be used to signify the EU’s thinking, and to inform future law-making.
- The memo does not include any proposals for an end-to-end encryption ban or for implementing backdoors to encryption protocols.
- On one hand, the memo confirms the EU’s continued support for the “development, implementation and use of strong encryption” to protect the rights of individuals.
- At the same time though, it is recognised that the technology makes it a lot easier for terrorists and other criminals to evade justice. In the context of criminal investigations, it makes analysis of communications “extremely challenging or practically impossible”.
- The resolution does not come up with any solutions. Rather, it offers an open invitation for experts to explore possible new security measures under the framework, “security despite encryption”.
What does “security despite encryption” mean?
No-one knows. The resolution calls for a “discussion” to achieve a better balance between the competing interests of private individuals and criminal investigators. There are no definite policy ideas as yet, and the Council of Europe is basically asking for help in coming up with some.
So why is this a concern?
Despite the fact that there’s nothing concrete under discussion, commentators are concerned that the resolution signifies a worrying direction of travel.
The fear is that any policy proposals will inevitably drift towards some form of secure corridor that law enforcement agencies can use to access encrypted data. Once these corridors are in place, the whole function and value of end-to-end encryption is weakened.
The problem with backdoors
A ‘Backdoor’ refers to any means that enables someone to get around encryption or authentication measures.
Backdoors can arise accidentally through poor coding, or they can be inserted secretly by malicious insiders. Sophisticated hackers can also create their own backdoor; for instance, by using a Trojan to modify code in order to grant access to communications.
But what governments are pressing for is a particular type of backdoor: i.e. one that deliberately enables investigatory authorities to bypass an app’s encryption measures. This gives rise to a couple of issues:
Master key vulnerability
If a responsible encryption-based backdoor system was to exist, what form would it take? It’s likely to be based on the master key concept.
This would involve each provider holding a master key that could be used to override the individual encryption keys secure user communications. Presumably, the idea is that authorities would make a surveillance request and the master key would be deployed to unlock message streams relating to individual accounts.
There are an estimated 2 billion active WhatsApp users across the globe. So it’s reasonable to expect a company of this size to hand thousands of access requests from state authorities each day.
Dealing with the requests would require large teams of staff. In practical terms, that means large numbers of employees handling the master encryption key, and also handling the private keys related to individual users.
You have the scope for error: e.g. access inadvertently being granted to the wrong accounts. There’s also the scope for infiltration, with sophisticated hackers finding a way to exploit the master key processing and deployment process.
Criminals will go elsewhere
Let’s say lawmakers crack down on the major messaging apps. In order for them to operate within their jurisdictions, national governments could insist that the owners of Skype, WhatsApp, Viber and iMessage integrate backdoors into their apps.
But criminal networks tend to be close-knit. They don’t choose a messaging app on the basis of how popular it happens to be. If the big names introduce backdoors in certain countries, gangs will simply choose different tools to use, or use VPNs to route their communications through more ‘privacy-friendly’ jurisdictions.
In fact, it’s not difficult to create a custom messaging app and integrate your own encryption solution through open source tools.
Either way, end-to-end encryption exists - and it’s not going anywhere soon. Mandated backdoors on popular messaging sites will annoy a lot of legitimate users, not least because it deliberately compromises the integrity of the encryption tools in place. But tech-savvy criminals will almost certainly be able to find a way around it.
Looking to advance your career and extend your encryption skillset? Explore our courses to quickly get up to speed.