Encryption vs. Extremism: We Must Separate the Debates
The encryption debate has reared its head again as the Home Secretary travelled to the US to meet with tech firms to understand the work being done to tackle extremism. In an article in The Telegraph, the Home Secretary appears to restate the Government’s desire for some sort of back-door to end-to-end encryption (albeit indirectly) and uses two arguments to make the case:
- Failure to access encrypted information is “severely limiting” agencies’ ability to stop terrorist attacks.
- “Real people” are less concerned with “perfect, unbreakable security”, rather they are contented with “ease of use and a multitude of features”.
It’s worth taking a closer look at these. As the Home Secretary points out, many of the conversations on this most sensitive and important of issues happen behind closed doors. This is quite right and means that we will never have a complete understanding of the challenges agencies face. In the absence of this information, the next best place to look is at what experts in this area are saying.
So it is interesting that Robert Hannigan, the former head of GCHQ, has specifically recommended that the Government does not call for back doors to encryption. In the Financial Times in June this year, Hannigan wrote that end-to-end encryption “cannot be uninvented and those of us focused on cyber security would not want encryption weakened even if it were possible”. Again in July, Hannigan told the BBC that “building back doors” to encryption services is “a threat to everybody”. Hannigan has been there and held the top job so one assumes he would be the first to point out if end-to-end encryption were “severely limiting” agencies’ ability to stop terrorism.
Hannigan is explicit about the value of end-to-end encryption as it is one of the most effective cyber security tools available. As this excellent article in the New Scientist describes, encryption secures financial transactions that require transferring highly sensitive information and protects private data, such as medical data – so essential in light of the recent global WannaCry attack. These are very real uses that affect real people on a daily basis.
To be fair, the Home Secretary recognises the critical role end-to-end encryption plays and it is welcome to see the Government “has no intention of banning end-to-end security”. But then what is the “trade off between security and ‘usability’” that the Home Secretary points to in the Telegraph article? If there is explicit recognition that end-to-end encryption is both binary (you either have it or you don’t) and critical to security, is the implication that companies should consider not using end-to-end encryption?
This leads to a dilemma – security is a key element of what makes a company’s product or service attractive to consumers – consumers do care about the security of their data. Real people will choose those services that offer the best security. As such, it is hard for a company to decide to build a less secure product by not using end-to-end encryption. But if companies are unlikely to compromise their own products and services, is the alternative regulation? Yet the Government appears to have ruled this out. Back to square one.
What next then? Well, part of the reason the debate can appear to be going around in circles is because the crucial discussion about how extremists use the internet is conflated with the technical question about encryption. These must be kept separate. Indeed, as Robert Hannigan has put it, “the hosting of extremist material is a different issue [to that of end-to-end encryption] and goes to the heart of the ideological struggle driving Islamist terrorism”. And the consensus, across Government, industry and the agencies is, in the words of the Home Secretary, for “mature conversations between companies and Government…not about compromising security”.
When the two issues are disentangled, we can see that the recent inaugural meeting of the Global Internet Forum to Counter Terrorism is very much driving forward this mutually recognised ambition. Representatives from the tech industry, government and non-governmental organisations are coming together to share information and best practices about how to counter the threat of terrorist content online. This includes using technological solutions, such as the Shared Industry Hash Database and the use of cutting edge AI and machine learning, alongside work on counter-narratives and counter-extremism, and knowledge-sharing across smaller companies, civil society and leading international terrorism experts.
Encryption is here to stay – it can’t be uninvented – nor would we want it to be. All parties now agree on this issue. For the new approach between Government, industry and civil society to be effective, however, it is vital that the encryption and extremist content debates are not bound together for, in doing so, we lose sight of the important steps being taken to tackle this most urgent of issues.