Dr Andrew Whiting, lecturer in Security Studies at Birmingham City University, responds to Home Secretary Amber Rudd’s comments that strong encryption is “completely unacceptable” without the possibility of access by the state and that the authorities must be given access to messages sent through encrypted platforms such as WhatsApp.

Cultural theorist Paul Virilio remarked that ‘to invent the sailing ship or steamer is to invent the shipwreck’ (Virilio, 2006, p. 10).  I always liked this quote and while conducting my doctoral research into cyber‑security, cyber-terrorism and terrorist use of the internet I kept coming back to it when considering the ‘doubled edged’ nature of technology.

Whether it be the sailing ship, air travel or the internet, technology brings tremendous benefits for those it reaches as well as the unsavoury, nefarious, catastrophic and illegal.  This isn’t to say it’s an even split between the good and the bad (after all there are far fewer shipping accidents than there are safe passages) but shipwrecks and air disasters do occasionally occur on our boats and planes as does piracy, hijacking and terrorism.

Similarly, the proliferation of the internet has brought with it benefits in access, speed, efficiency, reliability and capacity across the personal, public and private spheres.  In the UK we enjoy and utilise a whole host of services online from news and current affairs, banking, entertainment, communication and various social platforms.  The reality is that a range of nefarious actors have access to many of the same benefits be they fraudsters, paedophiles or people like Westminster attacker Khalid Masood, who have the intention to commit physical violence against members of the public.

The controversy around end-to-end encryption

In fact, terrorist organisations have embraced the benefits of the internet and their use of this space has been the focus of academic research for some time (See: Conway, 2006; Weimann, 2006, 2015; UN 2012; Gill et al, 2017).

Terrorists have used the internet for propaganda, recruitment, information gathering, finance, training and communication to name but a few functions.  Communication has garnered a lot of attention this week after the revelation that Masood received a message via WhatsApp (an online messaging platform) just prior to conducting his attack outside Westminster.  The controversy here surrounds the ‘end-to-end encryption’ that WhatsApp users enjoy when they use this messaging platform.  What this means is that when you send messages using WhatsApp you can be confident it is not finding its way into the hands of criminals or being ‘snooped’ on by the likes of GCHQ or the NSA.

Security studies bcu

As the diagram above demonstrates when a message is sent it exists as ‘plaintext’ (e.g. English) before becoming encrypted via a “public key” housed on a public server.  At this point the message is unintelligible to everyone and can only be decrypted via a unique “private key” housed on the message recipient’s device.  Once it arrives on our recipient’s device it is converted back into plaintext and its content is only known to the sender and the recipient.  In this sense both “ends” of the communication are required in the encryption and decryption process making it incredibly difficult for external actors and agencies to reveal the content of any message, picture, voice clip or video sent via this service.

A clear justification exists for such encryption when savvy criminals and prying security services have demonstrated their ability and willingness to gain unauthorised access to public data.  However, what happens when those guilty of murdering members of the public also use the service?  Accessing their messages could provide insight into the suspect, potential networks or even future attacks?

On Sunday on The Andrew Marr show, Home Secretary Amber Rudd spoke about how Masood’s use of encrypted communication via WhatsApp was ‘completely unacceptable’.

Whose security are we talking about here?

In the interview Marr pressed Rudd on pressuring companies like Apple and WhatsApp to build a ‘backdoor’ into their encryption to allow the security services and law enforcement privileged access to information relevant to their investigations.

This might sound like an uncontroversial solution but the innocuous sounding ‘backdoor’ is ultimately a backdoor for everyone regardless of intended usage.  That backdoor may be set up for ‘our’ security services and law enforcement but once it’s in place the guarantee of secure communication is gone; the backdoor will serve as a point of access to whoever discovers it and thus essentially undermines the entire purpose of the encryption.

The desire to stop violence like we saw at Westminster is an uncontroversial one, however, violence like this shouldn’t justify carte blanche for the government and the security services.

Underpinning all of this are a range of questions central to the study of security, such as: What is security? Who or what is security for? Who or what do we need securing from? Is security even a possibility? Is it desirable?

Rudd’s desire to undermine encryption by providing external access to the security services relies on an understanding of security that privileges the state and purports that security will be enhanced if the guarantors of security have enhanced powers to combat existential threats such as terrorism.  However, adopt a different position in relation to the above questions and you could conceivably come to a very different conclusion.  For example, that broken encryption represents an encroachment by the state on civil liberties, sets a dangerous precedent on encryption more broadly and creates vulnerabilities for nefarious actors to exploit.  In fact, it appears to contradict other security priorities the Government laid out as recently as November 2016 in their updated Cybersecurity Strategy (a summary of which can be found here).

This document recognised citizens and their data as needing protection as well as the necessity for UK citizens to, ‘defend themselves’.  The document also stated the Government’s desire to ‘rigorously protect and promote our core values…[to]…preserve and protect citizens’ privacy’ (National Cyber Security Strategy, 2016, p. 25).

How confident are we that undermining the core values the government itself reasserts in the 2016 Strategy is the best way to respond to a threat that (at least in part) is considered so threatening due to how it attacks these core ‘British values’?

Moreover, while Masood admittedly appears to have taken advantage of WhatsApp’s end‑to‑end encryption, how confident are we that breaking encryption would stop these individuals and terrorist organisations in their tracks?  The history of modern terrorism goes back to the late 18th century and the groups that have emerged and developed since then have shown themselves to be nothing if not resourceful and adaptable.  Be it utilising dynamite in the late 19th century, manipulating the mass media or harnessing the opportunities of the internet – terrorists have found ways to adapt with the times and continue their operations.

Of course this does not negate some of the important work that the government, security services and law enforcement do in preventing this sort of violence but it should get us to think carefully about the very ‘knee jerk’ responses that the Home Secretary and Prime Minister warned against after the Westminster attack (BBC News, 2017).

Violence like we saw outside Westminster is a tragedy and always an emotive topic that needs to be considered carefully and with sensitivity.  With four people dead and over 50 injured in the attack, it is inevitable and right to reflect upon and reassess the security measures currently in place.  However, we must strive to remain critical in our assessment, be realistic about what level of security is achievable and desirable and not allow security to become synonymous with protection against terrorism at all costs.

The Home Secretary’s comments in relation to encryption threaten to undermine security online and infringe upon the citizenry’s right to privacy.

References

BBC News (2017) London attack: Home secretary says don’t blame intelligence agencies, available at: http://www.bbc.co.uk/news/uk-politics-39373867 (accessed, 30/03/2017).

Conway, M. (2006) ‘Terrorist ‘use’ of the internet and fighting back’, Information and Security, 19, pp. 9-30.

Gill, P., Corner, E., Conway, M., Thornton, A., Bloom, M., and Horgan, J. (2017) ‘Terrorist use of the internet by numbers’, Criminology and Public Policy, 16(1), pp. 99-117.

Her Majesty’s Government (2016) National Cyber Security Strategy 2016-2021, available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf, (accessed, 30/03/2017).

United Nations Office on Drugs and Crime (2012) The use of the internet for terrorist purposes.  Vienna: United Nations.

Virilio, P. (2006) The original accident. Translated from French by Julie Rose. Cambridge: Polity Press.

Weimann, G. (2006) Terror on the internet: The new arena the new challenges. Washington, DC: United institute of peace press.

Weiman, G. (2015) Terrorism in cyberspace: The next generation.  New York, N.Y.: Columbia University Press.

Whiting, A. (2016) Defend, deter and develop: Exploring the UK’s cybersecurity strategy, available at: http://blogs.bcu.ac.uk/views/2016/11/14/defend-deter-and-develop-exploring-the-uks-cybersecurity-strategy/, (accessed, 30/03/2017).

The following two tabs change content below.