Is Tackling End-to-End Encryption Really the Solution to Fighting Online Terrorism?

I am never going to forget this weekend past, late on the 3ʳᵈ June I happened to be watching Sky News when the story of the attack at London Bridge and Borough Market broke.  What followed was 4 hours of continuous news footage as the story unfolded and the horror of seeing a part of London that I know very well progressively locked down by the police and security services. It was clear that off the back of the loss of life in mainland Europe, Westminster, and Manchester that our emergency services had planned and rehearsed all aspects of their response.

However, as the dust settles, questions are being asked by the media and the general public to understand why it was allowed to happen in the first place.

Several commentators have called for new legislation to grant security services “back door” access to popular messaging services in the hope that terrorists would no longer be able to hide their actions within encrypted messaging services.  The desire of this law is to provide law enforcement and intelligence communities with the capability to order a virtual wiretap on the messages sent and received by individuals suspected of planning to execute acts of terror.

While this legislation may reassure the public that security services have the tools they need, it doesn’t make it technically or socially feasible, not to mention the risk of this level of access falling into the wrong hands.

Richard Slater, Principal Consultant

Unlocking End-to-End Encryption is not an easy fix

Modern messaging platforms such as WhatsApp, Telegram and Facebook Messenger implement end-to-end encryption. Think of this as every message being sent in a box with a padlock that only the receiver can open. Not even the service provider who, in this scenario, acts as a courier between the participants in a conversation, can open this padlock.

To make this a little more complicated WhatsApp and Facebook implement something called perfect forward secrecy – this means that even if a government agency or attacker obtained an encryption key, it would only be able to decrypt one message therefore making it difficult for anyone other than the recipient to unlock it.  Consider the analogy where every padlock-key combination was unique; if there was a process whereby a court could grant access keys to these padlocks, the request would need to know which specific messages they wanted to decrypt or, alternatively, request all encryption keys for a given recipient.

Social considerations of legislation

If we move past the technical challenges inherent to any regulation, we also have to consider what would happen next.  Chances are anyone using these platforms for nefarious purposes is going to go further underground, making them harder to monitor and creating even more untraceable networks of communication that any anti-terror legislation sets out to tackle.

More recently we have seen the FBI seize assets and make arrests based upon the use of the Darknet service Silk Road. What’s clear is that there are already places on the internet that are invisible to the general public and completely unregulated; if terrorist organisations are not already using them for communication, they soon will be. Potential regulation could be used to make it a criminal offence to operate or use the Darknet which would give the security services an opportunity to arrest and prosecute people for the utilisation of these networks on the assumption that they are otherwise unregulatable. Broad regulation feels like the beginning of the infringement of civil liberties and would be bogged down in red tape; let’s not forget the UK rejected a National ID card.

Regulation (probably) isn’t the answer

The security services have lost their ability to transparently request an order from the courts for a wiretap to intercept communication from individuals or groups for intelligence gathering purposes.  Through the pursuit of user privacy, social networks and secure messaging have taken away this capability. End-to-end encryption and perfect forward secrecy are technologies designed to protect customer data from outside attacks; this is an essential line of defence to protect consumer privacy.

Creating back doors to end-to-encryption is not the ‘catch-all’ solution some politicians claim it to be but we can look to technology for other solutions.

Richard Slater, Principal Consultant

There may be a future in Machine Learning and Artificial Intelligence; we are in a position where we need to balance individual security with state security and if we can build an artificial intelligence that can objectively make assessments of singular and group behaviour, we could develop the capability to identify and prevent the kind of horror we witnessed on the streets of Southwark.

Trying to predict the future with Artificial Intelligence is a different type of challenge; as it stands there may simply not be enough good signals within the data. However, if we invest in it sooner rather than later, it has great potential to become an alternative technical solution to an international problem, one that the security services desperately need in order monitor and evaluate threats from within and outside our borders.

Leave a Reply

Your email address will not be published. Required fields are marked *