By Mike Knight
With the Online Safety Bill threatening to undermine end-to-end encryption, we look at the strengths and weaknesses of this security trade-off.
Encryption comes from the science of cryptography. In today’s digital world, encryption refers to using electronic devices to generate unique encryption algorithms which essentially scramble messages and data, making them unintelligible to anyone who tries to intercept them, whilst also providing an effective way to lock electronic devices.
Encryption can be used for most things which have an internet connection, such as messaging apps, personal banking apps, websites, online payment methods, files and more.
Two Main Types
There are two main encryption methods, symmetric and asymmetric, both of which are made up of encryption algorithms and use prime numbers. It is worth noting that there are many other encryption algorithms and methods including RSA, Triple DES, Blowfish, Twofish, and AES.
Symmetric encryption uses the same (identical) key for encrypting and decrypting data. With symmetric encryption, two or more parties have access to the same key. This means that although it is still secure, anyone who knows how to put the code in place can also reverse engineer it.
Asymmetric encryption uses a pair of keys, one for encrypting the data and the other for decrypting it. For the first key (used to encrypt data), ‘public key’ cryptography uses an algorithm to generate very complex keys, which is why asymmetric encryption is considered to be more secure than symmetric encryption – the process can’t be run backwards. With asymmetric encryption, the public key is shared with the servers to enable the message to be sent; however, the private key, owned by the possessor of the public key, is kept secret. The message can only be decrypted by a person with the private key that matches the public one. Different public-key systems can use different algorithms.
The ‘key’ refers to a random but unique string of bits that are generated by an algorithm to scramble and unscramble data. The longer the key, the harder it is to break the encryption code.
Over The Internet – HTTPS
Public key encryption is widely used and is useful for establishing secure communications over the Internet, e.g. for TLS/SSL, which enables HTTPS. For example, a website’s SSL/TLS certificate is shared publicly and contains the public key, but the private key is on the originating server, i.e. it is “owned” by the website.
Some of the main criticism around the Online Safety Bill’s requirement that platform operators, such as WhatsApp, will have a “duty of care” to “moderate illegal and harmful content on their platforms” is that this will require weakening encryption, i.e. essentially not having end-to-end encryption, thereby creating a major security (and privacy) risk for users.
End-to-end encryption, which is an example of asymmetric encryption (i.e. more secure than symmetric), is used to encode and scramble information so only the sender and receiver can see it, thereby making it highly secure. WhatsApp uses end-to-end encryption and although the messages go through a server, none of those messages can be read by anyone other than the sender and receiver. Allowing content (i.e. messages) to be ‘moderated’ would, therefore, mean that there would need to be a way in, e.g. a ‘back door’, or some other means to view messages between the sender and receiver.
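The relay model described above, as an added example (not code from the original article, and not WhatsApp's actual protocol): each user holds an X25519 key pair, the two ends derive a shared AES-256-GCM key from it, and the relay server only ever handles ciphertext. The `relay` and `escrow` key pairs, the `'e2e-demo'` label and the sample message are assumptions made to illustrate what a 'way in' changes.

```javascript
// Added illustration: X25519 key agreement + AES-256-GCM (Node.js built-in crypto).
const crypto = require('node:crypto');

// Each party generates a key pair on its own device; only the public half is shared.
const newUser = () => crypto.generateKeyPairSync('x25519');

// Derive a 32-byte symmetric message key from my private key and the peer's public key.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo', 32));
}

// Encrypt and authenticate a message; the envelope is what the server stores and forwards.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Decrypt an envelope; returns null when the key is wrong or the data was altered.
function unseal(key, { iv, body, tag }) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

function demo() {
  const alice = newUser(), bob = newUser(), relay = newUser(), escrow = newUser();
  const msg = 'constructed sample message';

  // End-to-end: the relay forwards the envelope but holds neither user's private key.
  const envelope = seal(sharedKey(alice.privateKey, bob.publicKey), msg);
  const bobReads = unseal(sharedKey(bob.privateKey, alice.publicKey), envelope);
  const relayReads = unseal(sharedKey(relay.privateKey, alice.publicKey), envelope);

  // "Way in" variant (hypothetical): the client also seals a copy to an escrow public key.
  const copy = seal(sharedKey(alice.privateKey, escrow.publicKey), msg);
  const escrowReads = unseal(sharedKey(escrow.privateKey, alice.publicKey), copy);

  return { bobReads, relayReads, escrowReads };
}
```

Whoever holds or obtains the escrow private key can read every copy sealed to it, so that one key becomes the asset to protect.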
Why Weaken Encryption?
The arguments for weakening encryption (e.g. end-to-end encryption) usually come from governments saying that they need to monitor content for criminal activity and dangerous behaviour, e.g. terrorism, child sexual abuse and grooming, hate speech, criminal gang communications, and more. This could be considered a reason to support the idea of weakening encryption. Examples include:
- When it was revealed that the first London Bridge terror attackers used WhatsApp in 2017 to plan the attack and to communicate, there were calls from the government (Amber Rudd) for ‘back-doors’ to be built into WhatsApp and other end-to-end encrypted communications tools to allow government monitoring.
- In June 2021, police secretly distributed phones with a supposedly encrypted app called ANOM installed. The app, however, allowed police to monitor communications about crime including drugs, weapons, money laundering and murder. It led to the arrest of 800 people in a global sting operation.
- In July 2022, Home Secretary, Priti Patel, said “Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse”.
The Arguments For Not Weakening Encryption
The arguments for not weakening encryption include:
- Consumer protection, e.g. banks protecting financial information and stopping it being accessed or misused when UK citizens bank or make purchases online.
- Many businesses use end-to-end encrypted apps such as WhatsApp and other encrypted communications and VPNs. Encryption, therefore, protects sensitive company data, data privacy, and can reduce cybercrime risks.
- Providing reliable and safe communications in war situations, e.g. secure communication channels in Ukraine allowing broadcast appeals to the world and recruiting support. Also, encryption has helped Ukrainians to combat disinformation, organise relief efforts, and protect evacuees. The first thing many Russian soldiers are reported to be doing when capturing people is to look at their phones to study their communications and track down associates. This is a good argument for encryption and features like disappearing messages sent via WhatsApp.
- Protection for journalists who need to keep information channels open despite government censorship.
- Protection for activists (human rights) and commentators in oppressive and dangerous regimes.
What Is Being Proposed?
The Online Safety Bill requires tech companies to be able to moderate their platforms or face fines. The government says, with the Bill, the “onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. If they fail to do so, Ofcom will be able to impose fines of up to £18 million or 10% of the company’s global annual turnover – depending on which is higher.”
However, although the UK government says it “wholeheartedly supports the responsible use of encryption technologies” and that it does “not want to censor anyone or restrict free speech,” it is less clear how the government intends to replace protections such as end-to-end encryption with a robust but weaker alternative. For example, the government says “We, and other child safety and tech experts, believe that it is possible to implement end-to-end encryption in a way that preserves users’ right to privacy, while ensuring children remain safe online”, and the big idea appears to be “tech companies, working in partnership with governments, child protection organisations and law enforcement”. The responsibility to come up with a way to enable weakened encryption that is still somehow effective, backed up with the threat of fines, is being placed on the shoulders of the tech companies who, according to Priti Patel, “now need to stand up and use their resources and engineering expertise” to create a solution.
What Does This Mean For Your Business?
Everyone recognises the need to find ways to stop cybercrime, child exploitation and sexual abuse, and other organised crime that could hide behind encryption to avoid detection. However, encryption also protects the interests and assets of those involved in legal and legitimate activities from criminals and, as Ukraine illustrates, can protect citizens, and provide vital communications in dire situations such as war.
Encryption also plays an important role in protecting the sharing of significant news and information, freedom of speech and human rights where there are oppressive regimes. Some would say that the idea of weakening encryption and/or making back doors into apps and allowing monitoring defeats the object of encryption and creates not just a way to stop criminals, but also a way for criminals to get in and steal data.
Tech businesses have faced calls from governments to be allowed access before, but this time, in the UK, they not only face fines and legislation, but also appear to be under pressure to come up with solutions that could create their own risks. It remains to be seen how the Bill progresses and what the effects of weakened encryption in the UK could be, both on those here and on those in other countries.