Two bold pronouncements—one in the United States and the other in the U.K.—have poured kerosene onto the flickering debate about privacy vs. the need for surveillance.
First came President Trump’s executive order, issued March 6, signaling that travelers entering the U.S.—including attorneys with cloud access to client information—could have their digital devices subjected to search without a warrant.
Then on March 26, conservative British politician Amber Rudd called for law enforcement and intelligence agencies to be granted access to WhatsApp and other encrypted messaging services. Rudd reacted to reports that the British extremist who killed four people outside Parliament used WhatsApp a few minutes before he began his attack.
Proponents of deeper surveillance argue that unfettered government access to digital content is needed to combat terrorism. That includes data stored in a cloud service, and accessible via a smartphone. Civil liberties advocates say such policies are draconian. Here’s how cybersecurity experts reacted to Rudd’s proposal:
WhatsApp is a communication application that has built-in security enabling end-to-end encryption. If the bad guys feel that this application has been compromised by government officials and backdoors become available, this leads to a simple response by the bad guys—use a different application.
WhatsApp is a third-party application on a mobile device. Nothing prevents the bad guys from moving to a lesser-known third-party application. Plus, anyone who is looking to compete with WhatsApp may see this new backdoor feature as an opportunity to challenge their rivals, promoting the lack of backdoor in their product as a true “for-the-people” product.
You can have true end-to-end encryption that nobody but the participants can read, or you can have a system where a central authority can decrypt any message they want. It doesn’t make any sense to suggest that you can have both. It is either one or the other.
It is a reasonable policy position to believe you should have a government backdoor in messaging systems, but this always worries security experts because that same backdoor you create for the government inevitably creates the potential for misuse, abuse and being exploited by others.
Governments can read WhatsApp streams and most other applications running on Android and iPhone. But the capability requires the use of techniques to subvert the inherent security of those devices. The decision to forcibly override the inherent security of a device is generally done without the cooperation of the device manufacturer.
The demand that all software and devices be easily and conveniently controlled for surveillance as a feature of the device is a nonstarter for most western societies. As with most things in government, the death of citizens has a way of changing public opinion about privacy.
Tragedies such as the recent London attack touch us all, but many people have the mistaken impression that if mobile OS and app providers are forced to build-in backdoors, then suddenly law enforcement officials will have a magical and lasting backdoor to all encrypted information.
If backdoors are forced upon us, then two things will happen: Criminals and terrorists will still keep their secrets using any one of the more than 100 third-party encryption products, and average citizens will be left more vulnerable to criminal and state-sponsored hacking.