Dear Ms Rudd,
A few days ago I read a headline on the Independent “Amber Rudd admits she doesn’t understand WhatsApp technology but intends to ‘combat it’’.
(http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-imessage-encryption-facebook-apple-amber-rudd-conservative-conference-a7979811.html)
Headline writers do tend to over emphasise stories to get readers’ interest, but the story contains a quote from you, apparently uttered at a party conference event, “I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals. I will engage with the security services to find the best way to combat that”.
Then two more quotes from the Indy,
“It’s so easy to be patronised in this business,” she said. “We will do our best to understand it.”
“We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right.”
If I promise not to sneer or laugh, can I help you understand it? Before you say or do anything that will get you both sneered and laughed at, and could have more serious consequences.
Encryption is based on maths and you can’t ban maths. Now the principle is understood any decent mathematician could re-invent a similar system anytime he/she chose. When PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy)
was invented in 1991 the US government tried to classify it as a military secret and prevent its export outside the USA, but by then the inventor had already shared it with friends and colleagues and the secret was out. Even if he hadn’t some other mathematician would have come up with the same idea sooner or later. It’s not the only encryption method but it’s common and it can be used by anyone.
The first thing to note is that encryption of some sort is vital to how much of modern life functions, the little padlock symbol you see in the address bar of your browser shows that encryption is being used when you visit a secure website, your online bank for example, or the .gov.uk site where one pays tax or claims benefits. Banning encryption is impossible unless you want North Korean levels of surveillance and control.
You could of course ban companies that provide encrypted messaging services from operating in the UK. Or you could allow such companies to operate only if they introduced a system whereby messages were recorded unencrypted somewhere before being encrypted and sent, and ensuring that that stash of unencrypted messages could be viewed by law enforcement officers with the right warrants.
There are several snags to this apparently simple plan. Wherever the messages are stored they will sooner or later be hacked. The threat of that happening will deter anyone with something to hide, whether it’s information of use to terrorists or A Level exam questions from using the system, they will look for something more secure. The knowledge that messages can be read by law enforcement officers provides an even stronger deterrent to use by miscreants. That’s nothing new, when criminals realised the police could intercept their letters and steam open the envelopes they stopped planning bank robberies by post. Similarly once wire tapping became standard practice for investigators criminals became careful about what they said on the phone. If you ban Facebook or WhatsApp from using encryption people will find an alternative.
Probably the simplest is to virtually offshore your communications. You might be aware that many British ex-pats like to watch BBC TV, and that BBC output is freely available online in the UK using iPlayer. But not to expats, if you try to access iPlayer from an IP address outside the UK, it is assumed you are not paying a UK TV licence fee and the service is blocked. Unless you use a UK based proxy server, which many, many ex-pats do.
In essence it’s very simple. Someone sets up a webserver (or lots of them) in the UK to which ex-pats can subscribe, paying a small fee or being subject to adverts to pay for the service. The server lists BBC programs available from iPlayer. The ex-pat chooses one and the UK-based server connects to iPlayer, receives the stream of data then resends to the cheating ex-pat. I suspect one could quite easily do something similar with other communications systems.
You could try to ban proxy servers in the UK to stop abuse of the BBCs service, but there are legitimate business and privacy reasons for using them, people don’t always want others to know who they are or where they are. In the case of foreign proxies, they are way beyond your jurisdiction. If someone in, say, DePfefflistan set up a website where one could download the .boris version of WhatsApp there would be little you could do.
Then you get into the Whack-a-mole scenario, you ban WhatsApp and within days, if not hours, someone launches Wotzapp, WattsApp and so on. Encryption is easy to use, web developers are two a dollar in most of the world and the internet runs on free software. And then even if you could find a way to stop all these new messaging services springing up, there’s email.
I’m not a mathematician, I’m not a software developer or IT expert, so let me give you the non-maths, low tech version of how PGP can be used with old-fashioned email.
To use PGP you need a piece of software, freely available online (http://openpgp.org/), that creates two encryption keys, known as a keypair. One key is a ‘private key’ the other a ‘public key’. The former you store on your computer (phone, tablet, whatever) the latter you give out to friends, contacts or broadcast on the internet if you wish. The keys are created such that any message encrypted using the public key can only be decrypted using the private key. Anyone can have the public key, but only the person with the private key can read the message. It is impossible to figure out from the public key what the private key looks like.
You need to make sure your email client software is aware of the private key and where you filed it, but this is usually just a point and click affair. When you receive an encrypted message the software uses your private key to decrypt the message.
You can also append your contacts public keys to your addressbook system so that you can encode a message to them.
This system is the basis of secure email as used by governments and commercial organisations everywhere, in most cases the IT department sets it up and user knows nothing about it. Something similar happens when you use a messaging app or online banking, your web browser sends your public key to your contact, bank, whatever and it uses that key to send you an encrypted message with its public key which your browser uses to confirm that you are now securely connected.
PGP it is simple to implement, if I can do it in a few minutes so can terrorists and other criminals. Unlike commercial applications such as WhatsApp, email is universal and operates on standard protocols. Anyone can set up an email server, it doesn’t have to be one of the big IT corporations where you might have some influence, it can be a £20 computer in a shed somewhere.
Don’t despair though. You cannot un-invent encryption, and you can’t stop people using it but the law enforcement and security organisations can and do get a lot of information by simply finding out who is sending messages to whom, where from and how often. And who is responding. On the web that’s hard to hide, though using systems like Tor do make it tricky. There is probably more info to be gleaned from looking at suspects’ use of readily available private messaging systems than there is from trying to gain access to these systems and driving the people of interest into using even harder to trace methods.
Finally, please stop making statements that suggest that you don’t need to understand something in order to combat it. It may win plaudits from a few technophobes but anyone who thinks for a moment will see how stupid it is. You don’t need to be an expert any more than the health secretary needs to be an oncologist to combat cancer, but you do need to have some concept of what you are trying to achieve. Mandating the impossible just leads to disappointment.
I’ve written to a couple of MPs in the past, and in most cases received a standard, ‘Mr/Ms xxx wishes to thank you for your communication…’ from their office. One never knows if the MP actually read it, I assume they didn’t and I suspect you won’t either. I’ll just have to wait and see if you make any more ill informed comments about encryption, or worse still try to enact legislation on the matter.