Message to Amber Rudd

Dear Ms Rudd,

A few days ago I read a headline in the Independent: “Amber Rudd admits she doesn’t understand WhatsApp technology but intends to ‘combat it’”.

(http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-imessage-encryption-facebook-apple-amber-rudd-conservative-conference-a7979811.html)

Headline writers do tend to over-emphasise stories to get readers’ interest, but the story contains a quote from you, apparently uttered at a party conference event: “I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals. I will engage with the security services to find the best way to combat that”.

Then two more quotes from the Indy:

“It’s so easy to be patronised in this business,” she said. “We will do our best to understand it.”

“We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right.”

If I promise not to sneer or laugh, can I help you understand it? Before you say or do anything that will get you both sneered at and laughed at, and could have more serious consequences.

Encryption is based on maths and you can’t ban maths. Now that the principle is understood, any decent mathematician could re-invent a similar system any time he/she chose. When PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy) was invented in 1991 the US government tried to classify it as a military secret and prevent its export outside the USA, but by then the inventor had already shared it with friends and colleagues and the secret was out. Even if he hadn’t, some other mathematician would have come up with the same idea sooner or later. It’s not the only encryption method but it’s common and it can be used by anyone.

The first thing to note is that encryption of some sort is vital to how much of modern life functions. The little padlock symbol you see in the address bar of your browser shows that encryption is being used when you visit a secure website, your online bank for example, or the .gov.uk site where one pays tax or claims benefits. Banning encryption is impossible unless you want North Korean levels of surveillance and control.

You could of course ban companies that provide encrypted messaging services from operating in the UK. Or you could allow such companies to operate only if they introduced a system whereby messages were recorded unencrypted somewhere before being encrypted and sent, and ensured that the stash of unencrypted messages could be viewed by law enforcement officers with the right warrants.

There are several snags to this apparently simple plan. Wherever the messages are stored they will sooner or later be hacked. The threat of that happening will deter anyone with something to hide, whether it’s information of use to terrorists or A Level exam questions, from using the system; they will look for something more secure. The knowledge that messages can be read by law enforcement officers provides an even stronger deterrent to use by miscreants. That’s nothing new: when criminals realised the police could intercept their letters and steam open the envelopes, they stopped planning bank robberies by post. Similarly, once wire tapping became standard practice for investigators, criminals became careful about what they said on the phone. If you ban Facebook or WhatsApp from using encryption, people will find an alternative.

Probably the simplest is to virtually offshore your communications. You might be aware that many British ex-pats like to watch BBC TV, and that BBC output is freely available online in the UK using iPlayer. But not to ex-pats: if you try to access iPlayer from an IP address outside the UK, it is assumed you are not paying a UK TV licence fee and the service is blocked. Unless you use a UK-based proxy server, which many, many ex-pats do.

In essence it’s very simple. Someone sets up a webserver (or lots of them) in the UK to which ex-pats can subscribe, paying a small fee or being subject to adverts to pay for the service. The server lists BBC programmes available from iPlayer. The ex-pat chooses one and the UK-based server connects to iPlayer, receives the stream of data, then resends it to the cheating ex-pat. I suspect one could quite easily do something similar with other communications systems.

You could try to ban proxy servers in the UK to stop abuse of the BBC’s service, but there are legitimate business and privacy reasons for using them; people don’t always want others to know who they are or where they are. In the case of foreign proxies, they are way beyond your jurisdiction. If someone in, say, DePfefflistan set up a website where one could download the .boris version of WhatsApp, there would be little you could do.

Then you get into the Whack-a-mole scenario: you ban WhatsApp and within days, if not hours, someone launches Wotzapp, WattsApp and so on. Encryption is easy to use, web developers are two a dollar in most of the world and the internet runs on free software. And then, even if you could find a way to stop all these new messaging services springing up, there’s email.

I’m not a mathematician, I’m not a software developer or IT expert, so let me give you the non-maths, low tech version of how PGP can be used with old-fashioned email.

To use PGP you need a piece of software, freely available online (http://openpgp.org/), that creates two encryption keys, known as a keypair. One key is a ‘private key’, the other a ‘public key’. The former you store on your computer (phone, tablet, whatever); the latter you give out to friends and contacts, or broadcast on the internet if you wish. The keys are created such that any message encrypted using the public key can only be decrypted using the private key. Anyone can have the public key, but only the person with the private key can read the message. It is impossible to figure out from the public key what the private key looks like.

You need to make sure your email client software is aware of the private key and where you filed it, but this is usually just a point and click affair. When you receive an encrypted message the software uses your private key to decrypt the message.

You can also add your contacts’ public keys to your address book so that you can encrypt messages to them.

This system is the basis of secure email as used by governments and commercial organisations everywhere; in most cases the IT department sets it up and the user knows nothing about it. Something similar happens when you use a messaging app or online banking: your web browser sends your public key to your contact, bank, whatever, and it uses that key to send you an encrypted message with its public key, which your browser uses to confirm that you are now securely connected.

PGP is simple to implement; if I can do it in a few minutes, so can terrorists and other criminals. Unlike commercial applications such as WhatsApp, email is universal and operates on standard protocols. Anyone can set up an email server. It doesn’t have to be one of the big IT corporations where you might have some influence; it can be a £20 computer in a shed somewhere.

Don’t despair though. You cannot un-invent encryption, and you can’t stop people using it, but law enforcement and security organisations can and do get a lot of information by simply finding out who is sending messages to whom, where from and how often. And who is responding. On the web that’s hard to hide, though systems like Tor do make it tricky. There is probably more info to be gleaned from looking at suspects’ use of readily available private messaging systems than there is from trying to gain access to these systems and driving the people of interest into using even harder to trace methods.

Finally, please stop making statements that suggest that you don’t need to understand something in order to combat it. It may win plaudits from a few technophobes but anyone who thinks for a moment will see how stupid it is. You don’t need to be an expert any more than the health secretary needs to be an oncologist to combat cancer, but you do need to have some concept of what you are trying to achieve. Mandating the impossible just leads to disappointment.

I’ve written to a couple of MPs in the past, and in most cases received a standard, ‘Mr/Ms xxx wishes to thank you for your communication…’ from their office. One never knows if the MP actually read it; I assume they didn’t and I suspect you won’t either. I’ll just have to wait and see if you make any more ill-informed comments about encryption, or worse still try to enact legislation on the matter.

Digital Britain? Bah Humbug!

One in an occasional series of pieces rejected by various publishers…

Digital Britain
(…or get your finger out minister)

If there is one thing politicians like even more than talking about doing something, it’s having their civil servants put out a press release about them planning on talking about doing something. So much easier than actually doing something.

One of these meandered slowly into my inbox recently. Released at 10.41 on October the 17th, the email ‘heads-up’ to journalists arrived at 16.18. Why am I making an issue of a five and a half hour delay? Because the announcement is entitled ‘Digital Britain – The Future of Communications’.

It’s a joint release from DCMS and BERR, the Department for Culture Media and Sport and the Department for Business and Regulatory Reform. It’s a model of its type, starting:

An action plan to secure the UK’s place at the forefront of innovation, investment and quality in the digital and communications industries will be developed by Stephen Carter, the first Minister for Communications, Technology and Broadcasting.

Stephen who? Well a “Note for editors” explains:

The new position of Minister for Communications, Technology and Broadcasting was created by the Prime Minister in recognition of the important role these sectors play in our economy and our society. There is no change to the respective responsibilities of BERR and DCMS in this area. The Minister for Communications, Technology and Broadcasting is a joint appointment to both BERR and DCMS and will report to both Secretaries of State.

Clear now? A bloke you’ve never heard of is going to develop a plan. And that’s news?

Most press releases come with ready-made quotes for journalists in a hurry. You didn’t think, when you read “Mr X said” or “Ms Y commented” in a paper, that some journalist actually heard them and carefully wrote it down, did you? In most cases the words were never said at all; they were written by a civil servant and may have been approved by the minister. Possibly.

This one has:

Stephen Carter said:
Culture Secretary Andy Burnham said:

and if that’s not enough
Secretary of State for Business Peter Mandelson said:

I won’t bore you with what they are alleged to have said, if you want the full text it’s here: there are platitudes about Convergence, the Digital Economy, Universal Access, Digital Radio, Innovation and Investment. What they didn’t say was:

UK Internet access is almost as bad as the US and well behind many so-called developing nations. The digital divide between rich and poor, and between cities and the rest, is widening. DAB Radio is dead on its feet and broadcast digital TV is irrelevant.

But the real issue is ignored, probably because it’s Environment or Transport or Planning or Employment, not DCMS/BERR. The day before this release Environment David Miliband pledged to cut carbon emissions by 80% by 2050, far enough in the future for even a youngish minister to be safely retired or dozing in the Lords before anyone can hold him to account. If he, or anyone else, was serious about reducing energy consumption they would do something about the millions of people who commute huge distances every day in order to work on a computer or telephone. In a real Digital Britain we would only travel when it was absolutely necessary for our body to be present. For a haircut maybe, or a medical, to try on clothes or select fresh meat and veg. But to answer the phone and send emails? Surely even a politician can see that’s a nonsense.

Give us the fastest, fattest cabled Internet technology and whack up fuel prices and tax on transport companies to pay for it. Give grants to companies that close call centres and offices and set up virtual private networks for their staff to work at home, or in small local offices. Price sales people off the road and tell them to email a catalogue instead. Make retail chains’ centralised distribution depots a thing of the past and insist they use IT to organise the shortest possible route between suppliers and local shops; we don’t need Cheshire potatoes in Lincolnshire and vice versa. Decrease school attendance, but increase on-line learning, evening out the discrepancies between “good” and “bad” schools.

In a nutshell, everything will be done on-line if it can be, and nothing moves unless it has to.

It would apply to politicians too: once the infrastructure is right they could cancel the summits and conferences and fact-finding trips. Think of the energy that would save.

Politics & Economics

Watching our politicians, economists and journalists arguing about the best, quickest, least painful way to restore the world economy to what it was a year or two ago is intensely depressing.

Maybe we should borrow and spend, or maybe we should save and repay. Maybe we should prop up some industries, or all, or none. Maybe we should impose import tariffs to protect our local producers, or not.

There is no way the public can judge who is right. In previous crises all of these options have been tried and in the end the economy recovered, but no-one really knows why or how. Nor can we trust the experts who got us into this in the first place, but in the end it doesn’t really matter. The blunt fact is the previous economic and political system was unsustainable; restoring it is like patching up an old car to squeeze it through one more MOT test. Sooner or later the floor will fall out.

I don’t have a slick answer, and I don’t trust anyone who says he has, but as a starting point I want politicians and economists to acknowledge that a system that relies on continuous growth is nothing more than the biggest Ponzi scheme of all time. Sooner or later it runs out of resources.

It may be unpalatable but I think it’s about time we started planning a system based on shrinkage. Fewer people, less manufacturing, less agriculture, less mining, less travel, less energy consumption. I want to hear politicians debating ways of reducing birth rates and figuring out how to manage a declining population. I want them to encourage emigration from over-populated, under-resourced regions and stop pandering to out-dated nationalism.

I’m not advocating a return to the dark ages, I want to see the highest possible standard of living for everyone. To achieve that we are going to have to reduce the human population worldwide and share out our resources more equitably.