Eris Industries’ position is that this proposed bill would impinge vital and legitimate business interests of our company. It is also a threat to national security and the well-being of the people of the United Kingdom. The “compromise” reported by the Telegraph on encryption is nothing of the sort and, if enacted, will present an unacceptable risk to doing digital business. We call on the business community to join us in opposing it.
Those of you who have followed Eris Industries for a little while will know that the members of our team are long-standing opponents of the Snooper’s Charter.
It was thus with some disappointment that we discovered today - as reported in the Telegraph - that the British government isn’t going to seek to “ban encryption,” but - if the reporting is correct - merely mandate that the encryption that telecommunications firms provide must be breakable.
This has been marketed as the Government “backing down.” This is spin: they have done anything but.
Make no mistake that the “compromise” position is, in practice, exactly the same as the previous one. It is only more precisely-worded. Mandating breakable encryption is the same thing as banning encryption. The difference is one of degree.
Note section 189(4)(d). This bill doesn't mandate backdoors. It merely gives gov't power to order them long-term. Preston J. Byrne November 4
Where a corporate such as Apple, Google, or WhatsApp knows about or engineers a weakness in encryption, this will allow an attacker to discover and exploit that same weakness, no matter who the attacker is. Whether the Home Secretary, a foreign state, a terrorist, or that most insidious of threats, a bored teen-ager, all are equal in the eyes of mathematics, which does not care who you are, whether you have a warrant, or whether your actions proceed from good or bad intentions.
The only prerequisite is that you’re clever enough to find these weaknesses. As indeed many people are.
What is proposed by the Government is like putting an unguarded back door on Fort Knox. Walking in the front door is impossible. But take your time and patiently look for it, and once you’ve gotten into the vault, you can do whatever you please.
There is a civil liberties angle which I could harp on about all day. However, being an entrepreneur, first and foremost I have a business to run. And my business provides cryptographically-secure software for financial services firms, among others.
Even placing civil liberties concerns to one side, there is no escaping the fact that this bill - as described in the press - is unfit for enterprise. Financial services, in particular, is a data-driven business: storing data, guaranteeing its integrity, and communicating it faithfully and far from prying eyes. Which people do a rather great deal of, whether sending a payment instruction or sending an e-mail negotiating the terms of an upcoming deal.
For a modern economy to function, the integrity of data cannot be questioned and the privacy of these communications - across the many channels people use to send them - must be assured.
Secure, untampered end-to-end encryption is the only technology that accomplishes this.
It is possible, of course, that a carve-out for industry has been included - which would mean that there is one law of the land for corporate infrastructure, and another one for everybody else. If this were the case, this would be a profoundly unjust law.
However, even if it were, I find it difficult to see how the Government will be able to distinguish between a WhatsApp or BlackBerry message sent in the context of some bankers putting together an IPO, by a couple of rambunctious teen-agers gossiping, by yuppie hipsters debating the merits of flannel, or by a gang of criminals. SSL is not built to know the difference.
If it is not the case, and this rule is to apply equally to everyone, it means that SSL, VPNs, PGP, and all manner of everyday communications infrastructure upon which business relies would be compromised.
The attack vector on these services would be straight through the top: compromising the companies that provide them. In other words, the attack vector is your business.
The extent widespread backdoors are paired with data retention requirements, this also means the digital life of every man, woman and child in Britain could not be safely stored. These data too would need their own statutory back door. The personal information and private lives of everyone would be subject to an unprecedented, and frankly almost indescribable, level of threat.
If the security services can get to these files, so can anyone else. If this data were to be compromised, the TalkTalk hack would look like a tea party by comparison.
When we look at the incalculable harm to members of the British public caused by the TalkTalk hack - particularly considering that this attack was allegedly carried out by a couple of children - we should understand that what the Government proposes will not make us safer. It will make us less safe. It will make our businesses less safe. It will make our country less safe. If public safety is the issue, the agenda being put to Parliament by the Conservatives should be the adoption of more and stronger cryptography, not less.
Furthermore, because cryptography is open-source (i.e., the tools are freely available to anyone) banning Google or WhatsApp from providing unbreakable, end-to-end encryption will do nothing to stop bad actors from using other, nigh-unbreakable, tools.
Put differently, anyone who is willing to comply with this legislation is thus likely also to be the sort of person whose communications are deserving of the strongest possible protection. Such as a bank and its customers, or a lawyer and her clients.
We must ask ourselves why the Government really wants this legislation. British police already have the power to compel someone, on penalty of imprisonment, to disclose cryptographic keys under RIPA (i.e., to compel decryption on the order of intelligence or police authorities - no judicial warrant required).
Journalists should ask the Government how many times, in practice, anyone has refused to do so since that law entered into force. Presumably if mass encryption is a major issue for the police, then refusals to comply with RIPA would happen all the time. I think they will find the answer is a little different (I cannot find the link, but I believe it was so few as to be countable on one hand). Or how many times the Home Secretary has required such extraordinary warrants to date, or plans to require them in the future.
This legislation solves a problem no-one has with a law that no-one wants. And it - if it contains the provision as reported - makes very little commercial sense. If passed, it would have the result that nobody should trust software that has the “Made in Britain” mark on it. Furthermore, it would present a serious risk to anyone doing business in the UK in a legally compliant way.
We have, on several occasions this year, encouraged the businesses and the people of the United Kingdom to join us in opposing the Snooper’s Charter. We do so again today.