The encryption debate has taken another turn, a turn for the worse if the opinions of security professionals are anything to go by.
In efforts to help terror investigations, the European Union’s executive body has been urged to push through new rules that would require internet messaging services to help authorities decrypt messages. The call to action was led by ministers from France and Germany, countries whose intelligence services are struggling to intercept messages from terrorists who are increasingly using chat apps like WhatsApp and Telegram.
Speaking at a joint press conference with German counterpart Thomas de Maizière, French Interior Minister Bernard Cazeneuve said: “Messages exchanged through certain apps such as Telegram must be decrypted and used as evidence by magistrates and investigators as part of legal proceedings.” Mr Cazeneuve went on to say that new laws could force “obligations on operators deemed uncooperative in the removal of illegal content or decryption of messages.”
This latest call for the weakening of encryption echoes efforts by the UK to bring the controversial IP Bill, or Snooper’s Charter, into law. A recent report backed bulk spying powers in the fight against terrorism, calling mass surveillance a ‘vital utility’. The Investigatory Powers Bill also seeks to weaken encryption and make encrypted data easily accessible to authorities.
As governments align in their stance towards electronic surveillance and encryption, detractors of the proposed legislation have been vocal about the consequences and dangers of such laws. The privacy of every citizen is threatened by the new laws, with the trust between citizen and government shifting towards that of Orwell’s 1984. For Kevin Bocek, Chief Security Strategist at Venafi, we would be coming to the beginning of the end in the encryption and surveillance debate, with trust and privacy exchanged for data.
“This meeting is yet another chapter in the encryption debate which has rumbled on for years and is now drawing to a crescendo that could result in the foundations of online trust being irreconcilably damaged. We are potentially sleepwalking to a situation where Europe becomes more like Russia with its new Yarovaya law that attacks the foundation of the Internet and privacy by requiring keys to be sent to government.”
It is clear the government wants access, access to everything – but it could prove to be their Pandora’s box.
“Our online world is predicated on a system of crypto keys and digital certificates, which has formed the bedrock of secure communications for 20 years. They allow our machines to talk to one another, know who or what can and can’t be trusted: breaking encryption and getting the God Key allows you to take control of these communications and access whatever data you want. It is therefore understandable why governments have become so obsessed with getting them, but can governments really be trusted to look after the God Key given past experience?
“The fact is, we are already seeing a global phenomenon of governments over-stepping boundaries and gaining data on citizens, many of whom have committed no crime or infringement, without their knowledge or consent,” Bocek said.
“Take Stuxnet, for example: here, we saw the US government creating a vulnerability that leveraged misused keys and certificates for their own means, which was soon hijacked and put to use in the worst possible way, an attempt to tamper with critical infrastructure. That government attack formed the basis for an attack blueprint that common cyber criminals now use. If in the wrong hands, these keys and certificates can become potent weapons of mass destruction – do we really want more WMD blueprints to flood the market?”