Backdoors, encryption and internet surveillance: Which way now?

The UK government still wants more power over the internet, but it's unclear what form it will take.

Theresa May wants the UK government to get a backdoor into devices.

The UK government has once again raised the issue of online surveillance and internet regulation. But it's unclear exactly what the Conservatives want to do, while cybersecurity experts accuse the government of naivety in its current approach.

"We cannot allow this ideology the safe space it needs to breed -- yet that is precisely what the internet, and the big companies that provide internet-based services provide," said Prime Minister Theresa May, following the recent terrorist attacks in Manchester and London.

"We need to work with allied democratic governments to reach international agreements to regulate cyberspace to prevent the spread of extremist and terrorism planning," May added.

A similar statement appeared in a section of the Conservative Party manifesto for the recent election, which resulted in a hung parliament: "Some people say that it is not for government to regulate when it comes to technology and the internet. We disagree," it read.

However, there's little clarity on what the new minority government intends to do: that will have to wait for the Queen's Speech, which is due next week. Another factor is whether, lacking an overall majority, the government will want to expend limited political capital on this controversial topic.

It's also worth remembering that the UK government massively expanded its surveillance powers only recently. This policy was introduced by Theresa May herself when serving as Home Secretary; the resulting Investigatory Powers Act 2016 was dubbed the 'snooper's charter' by critics because it forces tech companies to store the 'internet connection records' (websites visited) of every UK internet user for a year.

Another area that the government seems keen to gain control over is end-to-end encryption.

Neither of these moves met with a positive response from those in the information security sector at the recent Infosecurity Europe conference in London.

Knowledge gap

"Where I think it goes wrong is that when a government starts to talk about regulating the internet, they don't get it. We don't own the internet and no one nation, no one government, and no one state owns and can influence the internet," said Rik Ferguson, VP of security research at Trend Micro.

Part of the problem is that governments and legislation haven't caught up with the fast-paced evolution of the internet and the services built around it.

"A lot of the world's governments were formed at a time when we were still largely an agricultural society: 120 years ago if you worked for the government at the US Postal Service, you were probably better educated than anyone within 100 miles of your post office," said Paul Vixie, CEO at Farsight Security.

But now, the expertise of individuals within the technology and internet sectors has far outstripped the knowledge of the lawmakers -- and governments don't necessarily have the wherewithal to catch up.

"The assumption that the government should know and should see what everyone is doing has to be reopened. We have to ask that question again," argued Vixie.

Even those with some understanding of the situation "don't necessarily have the right security tools to keep your information secure" -- especially in situations where zero-day exploits are being stockpiled.

That was clearly demonstrated by the WannaCry ransomware attack, which was so effective because the US National Security Agency (NSA) lost control of hacking tools which were then used to make the ransomware spread even faster.

The encryption question

If internet regulation is tricky, then what to do about the widespread use of end-to-end encryption is even harder to deal with. If the UK or US insist on tech companies introducing a backdoor into the encryption they currently use to protect communications across the internet, then more authoritarian nations will certainly demand the same.

"I don't think the option of completely dismantling encryption is an option. There's privacy implications that need to be considered, individual rights which need to be considered," said Liviu Arsene, Senior E-threat Analyst at Bitdefender.

Then there's also the risk that severe regulation of the internet will only hamper regular users, while criminals remain unaffected as they continue to find new ways of staying under the radar.

"How completely stupid is that? Every time we see regulation, we see regular folks being impacted and criminals not being impacted," said Peter Wood, an ethical hacker and member of the ISACA London Security Advisory Group.

"How is banning an encrypted algorithm from the US going to sort out criminals in any way? Do they really think terrorists will think 'I'm not allowed to, so I won't use it'?" he continued. "The naivety astounds me."

That's not to say the government shouldn't be able to regulate anything at all. There are numerous aspects of the internet on which governments have established rules and procedures -- including hate speech, exploitation and more -- that help to keep people safe, said Ferguson.

"These are illegal, people do get prosecuted. That's regulation and I'm happy with that, we need that -- many people need to be protected from themselves," he said.

However, Ferguson continued, "It's got to be with public agreement and it's got to be targeted. There is a line we have to be careful not to cross when regulation becomes censorship."

Not only is large-scale censorship a massive infringement on individual civil liberties, it could also have large-scale economic consequences. According to Vixie, China's 'Great Firewall' is harming its economy and any leaders -- like Theresa May -- who are looking to follow suit should heed that warning.

"If China's experiment is ending by teaching them they should be more open and the government should have less control, then I'd like Theresa May to talk to some of the people that are there and find out what they've learned, rather than insisting Britain run its own parallel experiment to get the same results."

"In other words," Vixie said, "it's crazy talk".
