Dear politicians, you cannot create a one-way panopticon

Repeated calls for a government skeleton key to decrypt communications are the sort of fairyland thinking that is best left to Hollywood.
Written by Chris Duckett, Contributor

In the realm of fairytales and movie magic, it's possible to take a photo of a car's licence plate from a spy satellite with a 48 by 48 pixel resolution camera and yell "enhance" a number of times to your law-enforcement partner, and suddenly have the information you seek come into focus. In the real world, though, no such operation is possible.

Similarly, the ability to have a universal decryption key locked away in the cybervaults of the spy agencies across the Western world deserves to remain in a land of fantasy.

Yet, political leaders across the globe continue to entertain the thought as though it will provide an instant fix to all that ails us on the national security front, and no harm will ever come to us because of it.

It should be no surprise to learn that nothing could be further from the truth. To put it plainly, an encryption scheme that has a universal key is no encryption scheme at all; it is merely a system to make the user feel better.

"Security credentials that unlock the data would have to be retained by the platform provider, law-enforcement agencies, or some other trusted third party. If law enforcements' keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege," a group of security experts said in July.

"Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities."

In the OPM breach, almost 22 million federal employee personnel and security records were accessed and taken in two separate attacks.

But it is not the attacks that are noticed that we would need to fear under this proposed system; it is those that go unnoticed, where an attacker would be able to steal away with the almighty universal key, and no one would be any the wiser about the intrusion.

In that instance, the attacker would be able to decrypt any communication they wanted, man-in-the-middle to their heart's delight, and be as knowledgeable as the spy agencies wish to be.

For any government, department, or agency to think that they could somehow forestall such an incident forever is sheer arrogance mixed in with an unhealthy dose of hubris and topped off with a thick coating of ignorance.

The insatiable appetite of the powers that be for the personal communications of citizens does little to deter the "bad guys", who often happen to have a death wish, so the idea of getting caught is hardly a deterrent -- instead, it only serves to lower the privacy and protection of the general populace. It's the very opposite of how politicians attempt to sell the idea to the electorate.

We live in extraordinary times when politicians are using words such as "agility" and "disruption" to push their agenda, promise to spend billions to promote coding and science, technology, engineering and mathematics subjects in schools, and then turn around and label disruptive technologies as genuine national security threats, and believe that this thinking is somehow consistent.

As large technology giants look to generate profits from the exploitation of personal and behavioural information, there will naturally be a counter push to protect that information, and encryption will be part of the solution.

Rather than try to structurally weaken the foundations upon which encryption schemes are built, law enforcement would be better off focusing on the weaknesses injected into the system by humans. If people can be counted on for one thing, it is to take actions that compromise an otherwise workable solution.

Whether this is using SMS instead of encrypted communications, buying a piece of hardware off a company that installs its own root certificates, or simply good old social engineering, there is a better and cheaper way to access information than to allow anyone the ability to decrypt any item at will.

The sooner the political class realises that information technology and widespread encryption are not a looming bogeyman, but rather a societal good, the safer we will all be.

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
