The uncrackable problem of end-to-end encryption

The government wants a backdoor into WhatsApp. But that won't happen - and it wouldn't fix the problem we have, either.
Written by Steve Ranger, Global News Director

The UK government has said it wants access to messages sent via encrypted communications apps such as WhatsApp, re-igniting the debate over end-to-end encryption.

"We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," Home Secretary Amber Rudd told the BBC, following the attack on Westminster in which four people were killed. It is believed the attacker's phone had connected to WhatsApp two minutes earlier.

"We need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp," she added.

It's an argument that has been made a number of times now. A couple of years ago then-Prime Minister David Cameron made a similar call, and various police and spy agencies have warned that end-to-end encrypted messaging apps have made it easier for criminals to plot in secret - the so-called 'going dark' problem.

Rudd later told Sky News that she supports the use of end-to-end encryption, but the comments reflect an ongoing debate that has little chance of being resolved.

It's important to acknowledge that there is a genuine problem here for law enforcement: the police and intelligence agencies cannot get access to all the information they need, because the way that some tech companies implement encryption means that no-one apart from the sender and the recipient can read the messages.

This will and does make it easier for criminals and terrorists to plan and communicate securely.

But encryption keeps us safe in many other ways: it keeps your financial transactions secret as they travel across the internet; it keeps government communications secret from foreign spies and your unwise selfies safe from hackers.

As the tech industry body TechUK said, we need to consider the full range of security threats faced by the UK when discussing the use of end-to-end encryption.

"Encryption technologies are a fundamental tool for ensuring the UK remains cyber secure. End-to-end encryption is the best defence we have available to keep the data and services we all rely on safe from misuse. From storing data on the cloud to online banking to identity verification, end-to-end encryption is essential for preventing data being accessed illegally in ways that can harm consumers, business and our national security," it warned.

As such, an outright ban on end-to-end encryption might not make sense, but how about banning the use of end-to-end encryption just for communications apps? That's possible but would have other, problematic, consequences.

Companies like WhatsApp and Apple, which are using end-to-end encryption, do not currently have the ability to read customers' messages at all (unlike other companies which read your messages so they can target you with ads).

To allow police access to those messages, those companies would have to change the way they use encryption, and they would then be able to decode every message. That makes everyone using such a service less secure than they were before. Still, that might be an acceptable trade-off for some.

But it's worth remembering that if tech companies weaken security and allow one government access, they also make it easier for every other regime around the world to trawl through the communications of anyone they want.

Another problem: the UK government has just completed an overhaul of the UK's surveillance legislation, shepherded through Parliament by the then-Home Secretary and now Prime Minister. It can be read as effectively banning the use of end-to-end encryption by tech companies in the UK, in that it requires them to remove any encryption they have added, if so demanded.

The problem here is that most tech companies aren't based in the UK, and the UK's laws only reach so far.

Companies based in the US -- and many other countries -- may well feel they can ignore demands to change how they use cryptography. And cryptography is widely available -- so preventing big companies in the UK from using it will simply make most people here less secure. It would be all but impossible to stop companies offering such services anyway. And criminals and terrorists will simply move to other encrypted apps based in other countries, and keep their secrets that way.

On top of this, many argue that we are already in a golden age for surveillance. Intelligence agencies already have access to vast amounts of data about us. The smartphones with us all the time constantly leak information about where we are, what we are doing and even what we are thinking about. Police and spies can now legally hack into smartphones, PCs and other devices for surveillance purposes. The main problem for intelligence agencies is not a lack of information, it's too much.

It's inevitable that after such an incident politicians look for ways of preventing another attack. But stopping the use of encryption is not the best way forward, because it will make us all less safe, with little or no benefit.
