In early October I wrote a blog posting on my academic blog about the need for strong encryption for academics; when tweeting this posting, I noted that it actually applied to all areas of life.
Now, according to an article in the Daily Telegraph, our dreadful Conservative government at Westminster wants to prevent anyone in the UK from having proper encryption. That is not how they describe it, but it is very clearly what they intend. They want to ensure that nobody can use encryption services that the government cannot access – in other words, the government is going to ban you from securely encrypting your data. This is not what they say they are doing, but: if your data can be read by anyone other than the intended recipient (another person or yourself), then it is not securely encrypted.
You may think this does not matter to you, because you have no deep dark secrets that you communicate on Facetime or iMessage (the Apple examples given in the Telegraph). I would dispute that view (see below), but even if that is not a concern to you, bear in mind that all your financial transactions are put at risk by idiocy such as this: if secure encryption is no longer allowed in this country, it is certain that not only will the government be able to access your data as it is transmitted, but before long others will be able to do so as well – others with aims at least as nefarious as those of the government. Think about the implications of this next time you enter your credit card details to buy a book online, or transfer money using your online banking, or give someone (your employer?) your bank details so they can give you money.
The Telegraph article says:
“Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.
“Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.”
But data is either securely encrypted or it is not. Semi-secured encryption is an oxymoron. To be sure, there are different levels of encryption (see the note below), but that is not the same as allowing a backdoor that can bypass the encryption altogether – that’s simply insecure.
If the government is allowed to pursue this madness, no communications in the UK can possibly be trusted, nor will it be possible to trust devices or software bought here. The economic and computing argument is lucidly laid out in this blog posting.
More generally, as the leaks from Edward Snowden and others have shown, governments are absolutely not to be trusted with personal data. I believe we have a duty as members of the public to not be a totally predictable or transparent population. As soon as we are transparent in our lives – whether this be our shopping patterns or our political views – we are tearing at the fabric of democracy, and governments of all kinds will appreciate us doing that for them! As responsible individuals, we must use encryption for ourselves in order to maintain the appropriate balance between our personal lives and the public good. The government seeks to make the personal public by removing our right to privacy, whilst at the same time taking what is public away from us as persons. This proposed removal of the right to secure encryption coupled with the current attacks on civil liberties – whether cuts to legal aid, restrictions on trade union activity, or the ever-diminishing space for public protest etc. – is a profoundly worrying situation. Responsible citizens should use secure encryption, and we should resist the government’s attempts to take that away from us. The Electronic Frontier Foundation has a very good guide to all kinds of security issues on its Surveillance Self-Defense pages – I highly recommend going through these and seeing what might apply to you.
I also strongly encourage you to write to your MP about this issue; you can find out who this is by clicking here.
Note: Regarding the different levels of encryption: this is about determining the ease with which an attacker could break the keys, perhaps by trying to reverse-engineer them or by brute-force guessing of the password/passphrase etc. Different levels of activity warrant different key lengths: clicking on the padlock in my browser bar shows that the WordPress site I am typing this text on uses 128-bit keys, which is ok for a simple blog.
My online banking uses 256-bit keys, which is better; my GPG encryption uses 4096-bit keys, which, as far as anyone knows, means it is practically unbreakable at the present time: the only way to read something I have encrypted with GPG is by asking (or torturing…!) me or the recipient to provide our respective passphrases. Of course, even GPG (which is based on Phil Zimmermann’s Pretty Good Privacy, or PGP) is not going to be secure forever, but at the moment it is the best there is for email (even Edward Snowden uses it), particularly because the code is open-source, meaning that countless experts have studied and reviewed it and found it to be secure.
The EFF link above makes useful suggestions for other forms of communication, including text messaging (eg Signal/TextSecure), chat (eg ChatSecure), and more.