UK Home Secretary Amber Rudd on Sunday called for greater government access to encrypted content on mobile apps.
Apps with end-to-end encryption, like Facebook’s WhatsApp, should not be allowed to conceal terrorists’ communications from law enforcement, Rudd said in an appearance on The Andrew Marr Show, a BBC broadcast.
“There should be no place for terrorists to hide,” she said. “We need to make sure that organizations like WhatsApp — and there are plenty of others like that — don’t provide a secret place for terrorists to communicate with each other.”
Khalid Masood, who killed four people outside the UK’s parliament building last week before being shot dead, reportedly used WhatsApp a few minutes before going on his murder spree.
“On this situation, we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp,” Rudd maintained.
Backdoor Law in Place?
Even though she supported end-to-end encryption as a cybersecurity measure, Rudd later said in an interview on Sky News, it was “absurd” to have terrorists talking on a formal platform and not have access to those conversations.
“We are horrified at the attack carried out in London and are cooperating with law enforcement as they continue their investigations,” WhatsApp spokesperson Anne Yeh said in a statement provided to TechNewsWorld.
During her appearance on Marr’s show, Rudd disclosed that she would be meeting with Facebook and other technology companies on Thursday to discuss ways to meet the information needs of security officers. She did not rule out new legislation to regulate encrypted messaging if the government and the tech companies were unable to reach an accord.
However, that law may already exist. The UK last year adopted the Investigatory Powers Act, which compels tech companies to “provide a technical capability” to remove “electronic protection” within their products. That law has been interpreted in some quarters to mean that tech companies can be compelled to install “backdoors” into their products in order to decrypt data when necessary.
A backdoor would not have helped prevent Masood’s attack, however.
“To use a backdoor, you have to identify somebody as a target and hack them,” explained Matthew Green, a computer science professor specializing in cryptography at Johns Hopkins University.
“With this terrorist, they identified this person and decided he wasn’t a threat and stopped monitoring him,” he told TechNewsWorld. “Nothing is going to help once you look at a guy then look away.”
No Door Secure Enough
Backdoors have been criticized as a means to meet the information needs of law enforcement because they undermine the purpose of encryption.
“Many technologists and even many in law enforcement have acknowledged there’s no secure backdoor,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology.
“You simply cannot build a door that only the good guys can walk through,” he told TechNewsWorld. “If you start building backdoors, they will be exploited by hackers; they will be exploited by terrorists.”
Tech companies have been skeptical of creating backdoors to break the encryption used by their products and then turning over the keys to law enforcement.
Another idea floated is that the companies should create the backdoors but retain control of the keys to prevent abuse.
“That won’t work. The systems are too complicated and the backdoors too difficult to keep secure,” Calabrese said.
“Companies don’t want to have to worry about their employees misusing these keys, and they don’t want to have to secure them,” said Johns Hopkins’ Green.
Even if backdoors were installed in applications like WhatsApp, they most likely would miss their mark — assuming that mark is to prevent terrorists from communicating securely.
“If the bad guys feel that this application has been compromised by government officials and backdoors become available, this leads to a simple response by the bad guys — use a different application,” explained Paul Calatayud, CTO at FireMon.
“WhatsApp is a third-party application on a mobile device,” he told TechNewsWorld. “Nothing prevents the bad guys from moving to a lesser known third-party application.”
While WhatsApp can’t crack the encrypted contents on the parliament killer’s phone, it still can provide authorities with information about the terrorist’s phone activity — such as the time a message was sent, who it was sent to, and the physical location of the sender and recipient.
“It doesn’t matter what this guy said before he did this thing,” said Bruce Schneier, CTO of IBM Resilient. “What matters is who it was, and WhatsApp doesn’t protect that.”
Investigators can access all kinds of information without recourse to backdoors, he told TechNewsWorld, “but that would require a real conversation about the problem, which you don’t get from these people who grandstand after tragedies.”