Lecturer in Law, University of Hertfordshire, and Doctoral Researcher at the Institute for Law and the Web at the University of Southampton.
This article was originally posted on the UKCLA blog.
Debates about the regulation of encryption technologies and surveillance have been around for decades. It is in unfortunate circumstances that these debates have now been thrust back into the public eye. Following the horrifying Westminster attack which occurred on 22nd March 2017, Amber Rudd, the UK’s Home Secretary, has been very vocal in suggesting that, in order for the police and security services to be able to effectively investigate and prevent future terrorist acts, they must be given access to over-the-top messaging services that utilise end-to-end encryption, such as WhatsApp. (End-to-end encryption services can generally be described as those which allow conversations to be read only by the sender and recipient of individual messages, meaning that such messages cannot be intercepted and read by a third party.) Her comments appeared to have been driven by the fact that Khalid Masood, the perpetrator of the attack, had used WhatsApp shortly before commencing his appalling actions. In particular, Rudd has claimed it is “unacceptable” that governmental agencies were unable to read messages protected by WhatsApp’s end-to-end encryption, and in an interview given to the BBC on Sunday 26th March, intimated that she would consider pursuing the enactment of new legislation which would require the providers of encrypted messaging services to grant access to the UK intelligence agencies. This sentiment has since broadly been endorsed by the UK government.
Suggestions of increasing state surveillance powers inevitably lead to heated debates pertaining to the competing values of privacy and security. The purpose of this post is not necessarily to engage with this debate, but rather to highlight the dangers of allowing such debates to become dominated by inaccurate and/or irrelevant information. By rounding so aggressively on WhatsApp and other similar services, the Home Secretary appears to have set the blame for Masood’s attack, partially at least, at their feet. A clear inference one can make from her comments regarding how such services give terrorists a place to hide is an underlying belief that, if government agencies were able to access encrypted communications, the Westminster attack could have been prevented. For a variety of reasons, this conclusion is questionable, and appears to be premised on a number of misunderstandings about what encryption is and what it does.
Firstly, there is no empirical evidence to support the notion that if the law compelled providers of encrypted communications services to give the UK intelligence services access to the communications of their users the outcome of the events of 22nd March would have been any different. Had it been possible for the intelligence services to intercept Khalid Masood’s WhatsApp messages, for instance, it is unlikely that they would have done so. Despite Masood being known to the security services, he was not in their sights as an immediate or probable threat. As a result, there would have been no reason for his communications to be intercepted, and so it is difficult to see how the security services having access to his encrypted messages would have prevented the atrocities for which he was responsible.
Secondly, any implicit suggestions that WhatsApp have prevented or hindered the security services from reading Masood’s messages are divorced from reality. By stating that it was “unacceptable” for WhatsApp to encrypt Masood’s messages, one possible inference might be that the Home Secretary was suggesting that, post-event, WhatsApp was, through encryption, not only obstructing the security services’ counter-terrorism endeavours, but to some degree could potentially be accused of being complicit in preventing the security services from reading said messages. The latter is simply not true, and any suggestions in this vein must be resisted. WhatsApp, like the providers of other encrypted communication services, do not have the ability to access the encrypted messages of their users. As they cannot access the messages themselves, they can hardly be accused of attempting to hide them from the security services. These messages can only be accessed by their sender and their intended recipient. Masood’s phone is now presumably in the hands of the security services, and it is therefore highly probable that they have gained access to the phone itself and, as a result, the messages stored within.
Finally, Rudd’s comments regarding the police and security services being given access to encrypted communications services appear to be premised on the belief that a metaphorical “backdoor” can effectively and securely be built into their operation, or that a “master key” can be granted by the providers of such services exclusively for the authorities’ use. This, however, is a somewhat dubious position. As has been noted elsewhere, for instance, it is doubtful that encrypted communications can ever be made truly secure whilst simultaneously allowing for the incorporation of “backdoors” and “master keys” for state institutions, and that the complexity of their incorporation could lead to new unquantifiable security risks. A “backdoor” or “master key” being built into any messaging service could mean, therefore, that the messages carried over such a service would no longer be truly encrypted, possibly exposing the users of that service to threats from hackers and other nefarious actors. Given that an array of online services, such as online shops and banks, rely on encryption to secure their services, the introduction of “backdoors” and “master keys”, supposedly for the exclusive use of the security services, would not necessarily be a development to be welcomed. On top of this, even if government “backdoors” and “master keys” could be securely built into encrypted communications services, we would also do well to remember that there may be considerable reservations to be had about entrusting emanations of the state with such responsibilities.
As noted above, the purpose of this post was not to argue either for or against the regulation of encryption-based technologies and services, nor necessarily for or against increased government surveillance powers, but to highlight how debates pertaining to these matters can be hijacked and dominated by misinformed views. If such debates are pervaded with such views, we can surely expect the regulatory endeavours that emerge as a response to leave a lot to be desired. So by all means let’s have debates about encryption and surveillance and how, when, and if they should be regulated, but let’s at least make sure we ground these debates in reality and fact, not hyperbole and rhetoric.
(Suggested citation: H. Pearce, ‘Some Thoughts on the Encryption Regulatory Debate’, U.K. Const. L. Blog (25th Apr 2017) (available at https://ukconstitutionallaw.org/))