So once again a Home Secretary (a different one this time) is asking for the government to have a back door into encryption to protect us from terrorists. This is because Khalid Masood sent a What's App message to someone just before carrying out his mission.

Now the police have his phone and they have stated again that he acted alone, which suggests that they have read the message and found it innocuous. But of course if they had intercepted the message at the time, they could not have deciphered it without having access to either his or the recipient's phone. And that could have stopped them from preventing an act of terror and saving people's lives. You can see why Rudd is cheesed off.

The problem is that she doesn't understand how encryption works. For a start, she seems to think that What's App (I think that means Facebook in practice) should have provided her with encryption keys. But as I understand it, the whole point of end-to-end encryption is that the organisation running the servers doesn't know what the keys are.

She also thinks that one can have a back door into encryption which only the government can use. I don't see how that is possible. If there is a back door, organised crime will quickly find it. That would make Internet commerce and Internet banking impossible. It would mean going back to the 1980s. Is our economy ready for that?

It would also mean cutting off the UK from the rest of the Internet since no outside organisation would want to do business with us if they didn't trust our encryption systems.

How can you argue with people like that?

Basically, no. Even though politicians as a breed don't really understand that.

"Encryption with a back door" is ... no encryption at all. Civilians have plenty of very legitimate and very critical needs for encryption which must be as strong as it can be made to be. After all, the nation is composed entirely of civilians, with military matters tacked-on as a defensive afterthought. Your nation is no more secure than the civilians in it can collectively make themselves to be.

What would happen if there was some "escrow key?" Someone would find it ... and they wouldn't tell anyone ... and all the legitimate secrets of the public would be unknowingly laid bare. They would be denied the vital necessity: security and integrity of communication (and storage). This is unworkable.

"Hindsight is always 20/20." Out of billions of messages that are transmitted and received each day, after the fact you can clearly see the one that you "woulda coulda shoulda" have intercepted. Never mind that, absent this prophetic foreknowledge, you could not have made operational use of that message in time, even if you had somehow stumbled upon it, and even if you had had a back-door into its encryption method.

1 members found this post helpful.

Search "clipper chip".

On one hand kids and crooks from third world countries are hacking into all sorts of stuff and spreading mayhem. On the other there are sophisticated teams of hackers backed by both governments and business (legal type and mobster type) who also work 24/7 trying to steal data.

I'd assume that one could create a computer that anomalously captures recorded conversations and makes a weighted judgement about potential terrorist activities.

One part of this deal is the overseas connection. While your conversations on POTS telephones may be legally protected, your wireless is not, along with any that goes outside of your country.

In this case, I think that "the [mandatory] introduction of 'an escrow key,'" even if somehow today it could be done ...

... (it can't) ...

... would simply serve to "by law, insert, 'a soon-to-be-fatally-weak link' into 'all the world's(!)' chains."

But of course, "everyone else in the world," in order to save themselves, would promptly disconnect themselves from "that damned-fool country," long before the inevitable escrow-key-penetration occurred ...

... Because it could "occur" within a matter of mere hours, or at most a few days. (And, even if it turned out to take a little bit longer, it would occur, "astonishingly quickly.")

... and ... "sux to be you, but" I've got an entire rest-of-the planet to still profitably trade with!

"Do you want your trade-arrangement to become 'the proverbial Naked Emperor?'" Yeah, me neither . . .

I've pretty much replied to this already, here:

I bet if they decrypt that message it says "Happy birthday"!

If an encryption method had a backdoor, it'd get exploited, that exploit would get it CVE'ed and then we'd have to move to another form of encryption without a backdoor anyways. Since back doors do generally get discovered and exploited in such systems.

Unfortunately politicians and security agencies seem to think computers are magical things that can trace any and everything, it simply isn't true however as there is only a limited amount of computing power and even with a back door, you'd need to do some level of decryption on every message...

... and so would the thieves.

This would create "One Ring To Rule Them All," and I've just discovered that you know what it is. Here's $100 million in totally un-traceable gold bars which is all yours if you'll reveal the secret. (It won't take long at all...)

This is far worse than "security through obscurity."

Literally trillions of transactions flash through Planet Earth each and every day, all of them protected by encryption, all of them representing a potential crime if they could be trivially revealed, and/or if their message-integrity and provenance could not be proved (as modern cryptographic methods also provide for).

The civilian requirement for strong encryption is just as socially vital as the military's, although the technical parameters of each use-case are "only somewhat" different. (And, given the very different nature of the military's mission and conditions-of-battle in recent years, it might be argued that the characteristics which typify military communication are much less "different" than they used to be.)

So, the answer is "no." We would lose everything and gain nothing.

Yeah, you know that and I know that, but how do we persuade those scientific illiterates in the Home Office?

That's not their concern. They only want power and money. The IT companies bribing them want millions of our money spent on insecure infrastructure in order that they can make more money in future.
Why should Rudd care whether her scheme costs billions of pounds, dollars or lives?

Well, Rudd should care if we are suddenly jerked back into the 1980s, with no functional Internet banking or online commerce. It would cause a slump that would make 2008 look like a minor blip. What would all her banker friends do then?