Amber Rudd’s WhatsApp encryption remarks: Here’s how experts in tech, policy, intelligence and security reacted
Amber Rudd has sparked concern by suggesting that WhatsApp, the Facebook-owned messaging service, should give access to encrypted communications to security services.
The remarks came in the wake of the terrorist attack on Parliament and the revelation that the attacker, Khalid Masood, sent a WhatsApp message shortly before.
Experts agree that tech companies must help the security services, and they do as far as they can. However, many have raised concerns that giving access via a “backdoor” weakens security for all: access for security services and authorities gives potential access to anyone, including hackers.
Here’s what the experts had to say…
Politics at play
Major general Jonathan Shaw, formerly in charge of cyber security at the ministry of defence, speaking to BBC Radio 4
“I think there’s a lot of politics at play here. There’s a debate in Parliament about the whole snooper’s charter and the right of the state and I think they’re trying to use this moment to move the debate more in their line.
“It wouldn’t surprise me if that was the case [that this is not coming from the intelligence community]. I think there are different aspects on this. The intelligence services would want more access, but the trouble is that if you crack this nut, you simply move the case onto another level. Terrorists will use different methods, they will use other means of communicating, they’ll use different codes, they’ll use different languages, private languages. I don’t think that necessarily if you have transparency like this that you’ll necessarily crack the problem. The problem will mutate and move on.
“We’re aiming at a very fluid environment here, and we’re in real trouble here if we apply blunt weapons to this and absolutist solutions.
“I think we need to work with the tech companies, I’m all in favour of partnership with technical companies, the Twitters and the Googles, are working with government precisely because they spot the pressure they’re under. They don’t want to be held by regulation so they are working under voluntary agreements, and they are doing more than perhaps the publicity they announce.”
Deja Vu
Jamie Bartlett, Centre for the Analysis of Social Media at Demos and the University of Sussex
“I’ve seen this after every terrorist attack. The problem now is everything is encrypted and people rely on it and most people find it valuable. Without encryption, the police would be inundated with calls about cybercrime. Encryption is also brilliant for the Home Office – the anti-terrorism team will be frustrated they don’t have access but the cybercrime team will welcome it. Even GCHQ is telling business to be encrypted.
“This stuff [products and services] is designed to intentionally not have access. Often they are designed so that you can’t have a backdoor. Companies know that others will try and get in. It would undermine the security of the whole system.
“This [a ban on encryption] would be a short term solution. The rise of these apps will continue. We need a different approach and sometimes that means accepting that they [authorities] won’t be able to access it and we can’t get all the information we would like.”
Encryption fundamental to UK security
Anthony Walker, deputy chief executive of TechUK
“Tech companies take their responsibilities to work with the authorities on extremism and counter terrorism investigations very seriously, operating within the law in daily constructive and proven partnerships with a wide range of policy-makers, the police and security agencies, and wider civil society bodies. Counter-terrorist operations would not succeed without the ongoing assistance and support of tech companies.
“At times like this it is vital to remember that encryption technologies are fundamental to the security of the UK – from storing data on the cloud to identity verification to ensuring that essential services are kept secure, end-to-end encryption is a vital tool for ensuring that security. The importance of encryption technologies is only set to grow as more of our lives move online and the economy becomes increasingly digitised.
“The government has recently introduced the wide-ranging new Investigatory Powers Act. As a unifying piece of legislation, the Act brings together a range of new government powers relating to interception warrants, equipment interference warrants, and bulk communication data acquisition warrants. This legislation followed an extensive and rigorous scrutiny process through Parliament. As outgoing chief of GCHQ Robert Hannigan said last year, within a transparent legal framework it is for all those involved – Government agencies, tech companies, academia, civil society, to work out what is possible together.”
A problematic message to business
Dan Korski, former government adviser
“It’s totally understandable for governments to want to be able to access everything and anywhere – under democratic rules and political and judicial oversight. But the truth is that the technology is making this harder and harder. Companies often cannot provide so-called ‘backdoors’ into their technology lest it weakens the security of their products and encourages customers to abandon them for other options, likely to be offered by companies based in jurisdictions that are willing to accept a different standard.
“Undermining the integrity of products like WhatsApp could also create unintended consequences for industries that rely on various forms of security communication – like banks, charities, insurance companies and retailers. And finally, the message that a hardline position on encryption sends to innovators and businesses about Britain is a problematic one. Like it or not, the digital workforce is highly mobile and prioritises economies that are seen to be technology friendly. So do companies.
“The UK has benefited from being seen as tech-friendly and pro-innovation. The government may be willing to accept the consequences of its message in an effort to strengthen law enforcement but it could in the final instance mean a smaller digital economy, fewer jobs and the end of various applications and services in the UK. The best strategy is therefore not the megaphone but quiet dialogue especially with smaller companies who don’t even understand the challenges on their networks; and a greater investment in more traditional, human-focused intelligence and operations.”
Opportunistic
David Wells (@DavidWellsCT), former GCHQ intelligence officer, on Twitter, March 26, 2017
“As many have observed, comments from Rudd appear opportunistic at best, given what we know about London attacker so far. Most obviously, he wasn’t under active investigation – access to WhatsApp or other encrypted services irrelevant in specific case. Comments and reaction to them yet another example of simplistic debate that surrounds encryption issue and conflation of different aspects of problem.
“Access to encrypted communications problem differs pre, during and post investigation – in context of London, only the latter appears to apply. San Bernardino also under this category, but Rudd appears to be referencing ‘terrorist communications’, presumably those under investigation. Few would argue that they should be able to access these communications. But approach to known terrorists differs from assessment of potential leads.
“Former has options beyond direct warranted access – few easy, require significant resource and not available to all. But given range of powers in Investigatory Powers Act and its recency, hard for Rudd to argue that UK ill-equipped to counter threat of known terrorists. Assessing leads a separate issue, given how limited the intel picture often is (tip-off from partner agency, write in, link to target, etc.). Hard for police/MI5 to adequately prioritise these leads, when encryption limits value of traditional ‘wire taps’/communications data analysis.
“Not proportional or resource appropriate to ‘lawfully hack’ to bypass encryption here – HUMINT (human intelligence) approach similarly difficult/resource heavy. So UK equipped to monitor knowns (even though this remains very difficult) – triaging new leads a separate issue in context of encryption. That doesn’t mean that ‘backdoors’ into encrypted services are the answer – but need to be clear on different problems facing intelligence agencies. And most importantly, have a grown-up conversation about new terrorism realities. Must we always apportion blame beyond the attacker?”