Not Just a Personal Privacy Problem
Sometimes it seems like the world has gone mad. Perfectly intelligent (I use the word advisedly) political representatives have, over the last couple of years, taken leave of their senses when it comes to encryption, state surveillance, and privacy.
From the US to the UK and Australia, governments are doing their best to implement surveillance laws that would make the Oceanic government of Orwell’s 1984 look like a beacon of openness and transparency. This creates a problem not only for law-abiding citizens within these polities, but also for national and trans-national businesses.
In the UK, the Westminster Government recently passed the Investigatory Powers Act (IPA), also colloquially known as the Snoopers’ Charter, which seeks to enable and legalize the mass interception of email, web traffic metadata, and other forms of communication data. Not only this, but the Act also mandates back doors in encryption technology, and legalizes the use of state sponsored hacking. It is, by far, the most audacious intrusion into the life of private citizens by any government in the West.
To back up the IPA, the UK Government is also proposing the implementation of a new Espionage Act that will mandate long prison sentences for journalists and whistle-blowers engaged in the handling of leaked official data. The proposed bill is believed to categorize journalists receiving this kind of information as equivalent to foreign agents, and effectively proposes to charge them with treason. In a world where the Snowden Revelations and the leaks from Chelsea Manning brought to public light the actions of Western powers in illegally surveilling their own populations, this is a truly frightening prospect for democracy and open governance.
Other Western countries are hardly immune from this kind of techno-authoritarianism. In the US, there have been repeated attempts by some national agencies to compromise the use of strong encryption in communications and on personal devices, ultimately leading to technically illiterate demands that “safe” back doors be built into encryption products that secure everything – from our private communications to our financial transactions to the data stored on our devices. This was pursued to a risible extent when the FBI engaged in an ill-conceived attempt to get Apple to break its own encryption on a number of Apple mobile devices in an attempt to support otherwise successful criminal prosecutions.
The Australian government was in some ways ahead of other Western governments in their attempt to suppress the teaching of encryption in 2015, by designating encryption methods as dual-use military munitions. This made the supply of encryption technology – including teaching the fundamentals of encryption algorithms – without a licence a criminal offence.
These are just some of the examples of otherwise relatively enlightened governments degrading the security, freedom and privacy that citizens of these states should enjoy. However, it’s not just a problem for citizens – businesses are affected by these problems too.
You may well be reading this thinking that state security controls, even if they impact the freedoms of the citizen, are hardly a business problem. After all, nation states need to be able to defend us against terrorism and the sacrifice of some freedoms is the price we pay for that kind of safety. That is an entirely valid point of view – to me it seems needlessly simplistic and ignores the impact of governments relieving their citizens of fundamental rights on a false premise, but it is entirely legitimate to hold such views nonetheless. The problem comes when we assume that this is a problem purely for private citizens and has no impact on the business community.
Businesses rely on all sorts of security mechanisms daily in operation. Many security technologies are absolutely business critical – do you want your competitor getting a hold of your customer list and details of all your contracts? Of course not, and I doubt your customers would be too pleased either. The problems that arise from the increase in state surveillance powers and the increasing interference of the state in the cyber security realm can be broken down into four principal areas.
Firstly, attacking and weakening encryption means that it is harder for business to operate in a fundamental manner. How many businesses could operate without at least some of the information and communications that they process daily being secure? How would customers react to business models requiring them to give up sensitive personal information if that personal information wasn’t kept secure?
A logical follow-on from this concern is the impact of governments mandating that communications and software providers must provide ways to circumvent encryption and other security mechanisms to the state. The problem with this is that once one actor has this capability, it is likely (indeed, some would say inevitable) that the capability will become known to others, whether agents of a foreign state or other malicious entities. To provide a concrete example: if you store data within a secure cloud service under the UK Government’s jurisdiction, then that provider can be compelled to provide access to that data to the UK Government without you ever being aware that this is happening. Further, if your business is developing a security product in the UK, you can expect a knock on the door from the state to find out how you propose to circumvent all your good work in providing a secure product so that they can use it for surveillance. In a business context, it is difficult to see how a negative overall impact on the development of innovative products where security is a concern can be avoided.
Even if your innovative new products are not security related, how will you communicate about them in an insecure environment? If governments can tap communications at will, and force the decryption of secure messages, and you cannot store details and blueprints securely, how can businesses be sure that innovations are not stolen by state actors (or others who have gained access to their methods) and given to competitors? Communication and operational security are critical in supporting innovation and development of new products and services globally, meaning that businesses in some jurisdictions will be at a significant disadvantage to others.
The increased costs associated with complying with – or indeed evading – state requests for interception and/or bypassing of security mechanisms are also bound to have an impact on business. Many service providers are working hard to ensure that their customers are as secure as possible, since this drives confidence in products and often makes customers feel safe when buying additional services. Whether governments like it or not, security measures such as encryption are absolutely fundamental to the digital economy. Attacking security measures will undoubtedly have an impact on businesses who rely on digital economic activity to survive. Incidentally, in most developed economies, regardless of whether they are directly involved in e-commerce, most businesses rely on some aspect of the digital economy. Further, many businesses, especially in the tech sector, have a supra-national duty of care to their users. The waste of resources involved in fighting the needless undermining of fundamental aspects of cyber security prevents those businesses from getting on with their main task and affects other businesses that rely on them for provision of business critical services.
Finally, there is the problem of education amongst legislators. Frankly, I have been appalled, over the last few years, by the sheer lack of basic understanding of fundamental aspects of encryption – to name but one technology. Modern encryption is a technology that relies on the factoring of very large prime numbers. It is a mathematical construct that is subject to mathematical laws, which means that if you weaken an encryption method, say to allow state agents access to otherwise secure data, then anyone with the right knowledge can use the same technique to gain the same level of access. It is not good enough to keep that method “secret”. History has shown repeatedly that relying on secrecy and obfuscation on a large scale is dangerous and doomed to failure. Ultimately, we cannot rely on our representatives to get to grips with these fundamental aspects of Computer Science and Mathematics. It then follows that they cannot be reasonably expected to understand the consequences of their actions, and that is hardly conducive to a safe and stable business environment.
Security technology keeps us all safe, whether we are individual citizens, small businesses, or corporate giants. By attacking basic security mechanisms, Western governments and their intelligence communities make life more difficult and less secure for all of us. Their actions risk degrading hard-won liberties both individually and for businesses by restricting our freedom to operate, when they should be creating and protecting a secure online environment for citizens and for business. It is vital that sanity returns to the discourse on state surveillance to support and enhance our digital freedoms.