The debate surrounding encryption, which is regarded as the most effective way to achieve data security and works by requiring a secret key or password to unlock encrypted files, has entered 2016 much as it left 2015: with uncertainty and a lack of clarity.
The row over encryption has pitted governments from across the world against tech giants, with the latter championing privacy and encryption and the former pushing national security and backdoors.
The quest to weaken encryption is being driven by the UK and the US, with both countries engaging in efforts to force technology companies to technically alter their services by building back doors for authorities.
The US started its encryption offensive in April of last year, with Defense Secretary Ashton Carter failing to secure Silicon Valley co-operation despite the veiled threat of legislation forcing government access to encrypted messages. Since then, the US has, for the time being, halted its efforts to write encryption backdoors into law – a move not shared by the UK government across the Atlantic.
The UK government is pressing ahead with its efforts to enshrine encryption backdoors into law, with the draft Investigatory Powers Bill having been presented at the end of 2015.
Although the Draft Bill does not seek to ban end-to-end encryption, it would force third-party services such as Apple iMessage, WhatsApp, BlackBerry BBM and Cisco Spark to change their services in order to give access to enforcement agencies.
However, the majority of security experts agree that these back-doors would undoubtedly be used and exploited by hackers, as well as by government agencies.
John Michael, CEO of iStorage, explained to CBR how back-doors can be likened to physical home security.
"The introduction of compulsory back doors is like leaving your front door key under the doormat and your house alarm code printed next to the alarm console. Not only can the good guys get in but much more worryingly so can the bad guys."
However, governments have downplayed these obvious flaws by stressing the importance of national security and the safety of citizens. This argument was bolstered following the 2015 Paris terror attacks, when security professionals and government argued that encrypted messaging services aided the terrorists in carrying out the attacks.
Former CIA Deputy Director Michael Morell said in an interview on American news programme Face the Nation: "I think what we’re going to learn is that these guys are communicating via these encrypted apps, this commercial encryption which is very difficult or nearly impossible for governments to break, and the producers of which don’t produce the keys necessary for law enforcement to read the encrypted messages."
While the UK and US governments continue in their efforts to discredit encryption for the sake of national security, one government has taken a definitive stance – potentially setting a massive precedent for the many countries and governments that lack clarity when it comes to encryption.
The Dutch government has, this week, officially said no to back-door encryption. In a letter published on Monday, the Dutch Ministry of Security and Justice said: "The government believes that it is not desirable at this time to take restrictive regulatory measures with respect to the development, availability, and use of encryption within the Netherlands."
By advocating strong encryption, the Dutch government has garnered much praise from security and technology experts, many of whom welcomed a decision based on technical facts. Jamie Graves, CEO at ZoneFox, told CBR:
"The Dutch stance goes against the political grain – the UK government and Hilary Clinton advocated ‘back doors and other such measures’ – which makes it refreshing. It also demonstrates a sophisticated understanding of the security threat landscape."
Many are looking at the Dutch Cabinet’s ruling on encryption as an important precedent – one that experts are urging the UK government to follow.
Justin Harvey, CSO at Fidelis Cybersecurity, said: "I think the UK, US and the EU should consider following in the footsteps of the Dutch and come to the realisation that encryption backdoor isn’t merely a legislative or privacy mandate, but a technical impossibility to enact and enforce."
Echoing Harvey’s sentiments, Covata CEO Trent Telford said that the Dutch ruling could increase pressure in the UK for a similar stance on encryption.
"The Dutch Government will bring a welcome voice of reason into the discussion around strong encryption in the EU and we encourage other member states to follow its lead. For the UK – where David Cameron continues to stand by his opinion that the Government should be able to access encrypted communication – this latest move will further increase pressure on the Prime Minister to soften his stance."
However, there remains the possibility that Cameron and the UK government will not soften their stance towards encryption, which may mean that businesses will have to look overseas to protect their data – arguably one of the most important assets of any business today.
Jonathan Parker-Bray, CEO and founder of Pryvate, explained to CBR that a law enforcing back-door encryption could prove detrimental to the UK’s economy, with businesses and consumers looking elsewhere to store and protect their data.
"If this technology isn’t available to businesses in the UK then they will consider placing their data overseas, as has been seen with datacentres in Switzerland and when the French government limited browsers to 40-bit encryption, rather than 128-bit.
"Consumers are also likely to want to use companies that protect their data fully, and do not allow backdoors, which could also drive UK consumer business to overseas companies."
This movement of data overseas is being dubbed ‘jurisdictional shopping’, where businesses look for countries in which it is attractive to store data safely and securely. Evidence of this potential data exodus from the UK comes from John Michael, CEO of iStorage, who told CBR:
"As a company based in the UK, we would much rather relocate outside of the UK than implement backdoors on our products. Our customers would neither trust nor would they purchase iStorage products were this the case."
However, this jurisdictional shopping has the potential to cloud the data landscape and make it more difficult to navigate – especially if different countries have differing laws regarding encryption. This would result in what ZoneFox’s Jamie Graves calls ‘a fragmented political global response that would be detrimental overall to the war on cybercrime.’
"The result would be that it would become even harder to track cyber criminals who will be able to use a myriad of rabbit runs to hide which burrow they’re hiding in."
This fragmented response to encryption and cybercrime is again reflected by Robert Hansen, VP Security at WhiteHat Security, who looks at the impact on business between countries with differing encryption laws.
"Does that mean weakened encryption cannot be sold to the Netherlands and how will that impact the United States economy if other countries adopt the same Dutch laws? That could have huge economic impacts on US-based companies beyond just the perception issues associated with backdooring their traffic."
While UK encryption laws will undoubtedly hit businesses and consumers, the encryption argument, as always, comes back to one key concern: the privacy of citizens. Mass snooping and surveillance have fuelled the encryption debate from the start, though many would argue that we should be under no illusion that the government is short of data.
Jacob Ginsberg, Senior Director at Echoworx, said: "The most ironic thing about anti-encryption laws is the false idea that additional data will actually help government authorities keep us safe. Governments today have more data at their disposal than any time in history and their capacity to mine it for intelligence is limited by resources, not access."
The debate regarding privacy has drawn the voices of human rights campaigners who, campaigning for free speech, have publicly criticised the move by the Chinese government to pass a law weakening encryption. With the law coming into force just after Christmas, this could illustrate a future reality for the UK if the encryption laws are passed.
The broad consensus, from tech giants to security experts, is that weakening encryption would be a huge mistake – one that would have a profound impact on privacy, human rights, and UK business and the economy. David Cameron and the UK government have made huge inroads into establishing the UK as a tech hub of Europe, and the government needs to follow in the steps of the Dutch in order to maintain that reputation.
Ultimately we can put the encryption debate down to one word: trust. As we build a digital economy, both in the UK and globally, intentionally introducing a weakness and putting trust between government and citizens in the shadows can only serve to harm said digital economy.
Jason Hart, CTO, Data Protection at Gemalto, told CBR: "Encryption is a fundamental part of this digital economy – protecting a vast majority of the data, identities and financial transactions around the world.
"Compromising encryption could undermine both the system and the trust individual citizens have in the products and services they use every day, whether it be mobile devices, communications, banking, ID documents or shopping".
Let’s hope, as Simon Crosby, CTO and Co-Founder at Bromium, puts it, that the UK government does not let the encryption genie out of the bottle – as there’s no putting it back.