The UK’s bad encryption law can’t withstand global contempt

Opinion Around the world, a vital technology is failing. Just as massive solar flares fry satellites and climate-change superstorms overwhelm flood defences, so a new surge of ridiculous IT-related events is burning out irony meters across the globe.

Let’s start with a couple of plums from the US, where – hold onto your peaked caps – law enforcement officials have been breaking the law, wholesale. Secret Service and immigration officers have been caught using fake cell phone towers to intercept and monitor communications, without bothering to get permission or follow the rules. Then it was the turn of the FBI, the body charged with things like cybersecurity and detecting online pedophile activity, which saw – ah, you’re there already – its child abuse unit hacked.

Both these events are of course intrinsically highly ironic, but nothing a modern irony meter can’t deal with. Heroic engineering efforts have produced hardened front-end sensors in response to years of Trump and Brexit that work well at ironic flux levels that smoke devices of just a decade old.

No, the new crisis exists because these prime examples of lawlessness and incompetence in state agencies charged with dealing with the most sensitive data come at exactly the same time as state claims that there is no danger in stripping citizens of the sole means to protect against such things. Meter go bang.

We speak of course of the UK’s Online Safety Bill, which is working its way through Parliament. The government says, with a straight face, that to Protect the Children it must install back doors in end-to-end encryption. Removing safety features does not compromise safety. It is possible to have encryption that protects only the righteous. And no agency will ever be corrupt, lazy or incompetent, no criminals will ever get access to our most private data, because… because… no, there is no because. Magical thinking needs no “because”.

In the time-honored technical terminology, this is utter bollocks. Even before it has passed, it’s causing damage. The prospect of having to compromise user security or face massive fines has got Signal saying it’ll leave the UK if this law goes through, with WhatsApp heading in the same direction.

It’s all for naught anyway. The list of reasons it cannot work are as long as Elon Musk’s face when he checks his portfolio: criminals will use whatever software they like, just not known compromised software. What about VPNs? In-browser end-to-end encryption hosted outside the state? Open source that no organization controls?

Such arguments only work if you know what you’re talking about, so it’s no good hoping for reason and logic to carry the day. Instead, it’s time to combine good engineering with good citizenship, and prepare to defeat the idiocy with a classic rule of computer security: you’re only secure when it costs the bad guys too much to defeat you.

In this case, this means using, encouraging the use of, and helping to develop and deploy, solid end-to-end encryption that outsmarts the law. We must use end-to-end encryption ourselves at every opportunity – as we are already, right? – and prepare ways to patch or replace any popular system that has to shut up shop because of mandated compromise.

All skilled digital citizens know how to avoid geo-locked software restrictions, or how to package up open source products for use by the laity. Generate enough traffic, and the costs of using the law become disproportionate to the results. Short of making it a crime to use strong encryption, a step too dystopian, counterproductive and unenforceable to be even given the honor of having a kite flown in its name, there’s no way to stop it.

Any law whose spirit can be defeated while abiding by the letter is a bad law that is bound to fail if enough people saw away at its legs. Our job will be to saw for ourselves while giving saws to others.

If the law is passed, it must be seen to fail. Give the money that would have been spent using it to those agencies who know how to practically detect and reduce child abuse where it’s actually happening, in the community and the family. Good old-fashioned gumshoe policing and anti-crime agencies are regularly rounding up online pedophiles, but are also limited by resources. They too would Protect the Children better with more money, but it’s not about that, is it?

The UK cannot be allowed to have even the smallest apparent success in breaking user security, as other countries will surely follow – the urge of the state to snoop on its citizens is as universal as it is corrosive. Those of you in saner states will need to do your bit too in supporting systems and set-ups that bypass the bonkers.

It’s not civil disobedience if you’re following the rules, but it can certainly be a rebellion. Without a trace of irony, the Encryption Rebellion starts here. ®

Read More

Rupert Goodwins