RevK's Encryption Petition

An Eccentric Anomaly: Ed Davies's Blog

Adrian Kennard submitted a petition to the parliament web site asking (implicitly) that the government not ban strong encryption. I and about 11'000 others signed this petition so the government felt obliged to respond.

Regrettably, they didn't seem to feel the obligation to make much sense in the response.

The response starts:

The Government is not seeking to ban or limit encryption.

Well, it's nice that they aren't planning to limit encryption but nobody thought they were trying to ban it. The original petition is rather poorly worded in that it just makes a few statements without actually making a specific request but it's clear that the point being made is that the government should not attempt to ban strong encryption.

What I, and I suspect most who take even a passing interest in the subject, mean by strong encryption is encryption where messages cannot feasibly be understood by parties other than the intended recipients other than by obtaining keys from receiving devices by some form of intrusion, whether it be by hacking, covert intrusion or more overtly, presumably with a search warrant, or by directly requesting the keys from one or more of the recipients, presumably with some sort of enticement such as not going to prison or keeping their fingernails.

Examples of systems designed to provide strong encryption in this sense include PGP and Apple's iMessage. (Whether the implementations are good enough that the encryption is strong in practice is a separate matter.)

Apart from using public-key cryptography with sufficient key lengths (as pretty much everybody does, these days), the distinguishing feature of systems like these is that the private keys are generated and held on the participants' devices and that communications intermediaries see only the encrypted messages, so are unable to provide decrypts however big a warrant is waved at them. This is generally referred to as end-to-end encryption, though it's the privacy of the private keys that matters most.

The response goes on to say:

…the Government does not require the provision of a back-door key or support arbitrarily weakening the security of internet services.

Again, this is pleasing. But then they say:

The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.

If people are using end-to-end encryption then they can't; at least not without the intrusion methods mentioned above. Communications service providers cannot simply decode the messages. They then say:

There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications.

which is fine in itself but totally fails to account for the fact that the CSPs would likely often have not applied the encryption in the first place.
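To make the distinction concrete, here is an added example (not from the original post or the government response) in which a provider removes the encryption it applied itself and is left with ciphertext for the end-to-end message. The `Provider` class, the toy Diffie-Hellman group and the hash-based stream cipher are constructed stand-ins for real primitives.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for illustration only: far too small
# for real use (real systems use X25519 or a 2048-bit+ group).
P, G = 2**127 - 1, 3

def keypair():
    """Private key is generated on, and never leaves, the participant's device."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def xor_stream(key, nonce, data):
    # Stand-in stream cipher (SHA-256 in counter mode), not a vetted design.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return xor_stream(key, nonce, ct) if hmac.compare_digest(tag, good) else None

class Provider:
    """Hypothetical CSP: adds its own encryption layer to whatever it carries."""
    def __init__(self):
        self.own_key, self.stored = secrets.token_bytes(32), []
    def carry(self, payload):
        self.stored.append(seal(self.own_key, payload))
    def remove_own_encryption(self):
        return [unseal(self.own_key, blob) for blob in self.stored]

def demo(msg=b"meet at noon"):
    (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()
    csp = Provider()
    csp.carry(msg)                                    # provider-applied layer only
    csp.carry(seal(shared_key(a_priv, b_pub), msg))   # end-to-end, then carried
    disclosed = csp.remove_own_encryption()
    received = unseal(shared_key(b_priv, a_pub), disclosed[1])
    return disclosed, unseal(csp.own_key, disclosed[1]), received
```

`demo()` returns what the provider can disclose for each message, the provider's failed attempt to open the end-to-end blob with its own key, and what the intended recipient recovers.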

So, the question is: does the government intend to ban end-to-end encryption? They say, repeatedly, in this response that they do not intend to limit encryption, which would indicate that they will not, yet they want a facility (access with an appropriate warrant) which is not feasible in its presence.

It's clear they're being wilfully obtuse here. I'm sure many in the government understand this issue perfectly well so this response can only be interpreted as a desire to avoid the subject. Perhaps the intention is to somehow push people away from providing or using end-to-end encryption without specifically making it illegal.

If so, I think that'll backfire. PGP is already out there and in fairly widespread use (though there's plenty of room for expansion) and even if the US and other governments can bully Apple out of providing iMessage in its current form, other organizations (probably not in Five Eyes countries) will happily provide appropriate software.