In Cybersecurity, There’s No Magic Wand That The Good People Can Only Use

The UK is debating the Online Safety Bill, which focuses on the removal of harmful content and the breaking of end-to-end encryption (E2E). Why break E2E? Well, if you want to detect and remove harmful content, you must look into encrypted messaging and detect its contents. This would apply to UK citizens and to all of the software and services that are provided to them. Internet Service Providers, such as Meta, Instagram and WhatsApp, would then be responsible for the content they host, and face massive fines for breaches of the act.

Some dub it a mass surveillance system, in which E2E messages would require a backdoor into the encryption process. With fines of up to 10% of global revenue, many messaging providers have said that they would rather withdraw their apps from the UK than break their encryption. This would put the UK in a strange league of countries that ban messaging apps.

As a worst case, it could (perhaps) turn the security of the Internet in the UK back many decades, and see the UK become one of the most backward countries in the world in its control of the Internet. But, on the other hand, we must protect our citizens.

Why we need encryption and trust

Perhaps the worry is that politicians and lawmakers do not really understand the technology that they are playing with, and why we have advanced our application of E2E. Before the implementation of HTTPS (which Google Chrome moved forward at scale), the contents of every single Web access could be viewed and changed. The usage of digital certificates also stopped fake sites from tricking users.

But HTTPS, and its TLS underpinnings, is not that good at creating a proper end-to-end encryption tunnel, as a proxy can be set up at either end of the application. Along with this, a client can be led to think that it is connecting to the remote site, while there is a WAF (Web Application Firewall) in between which breaks the tunnel and inspects the traffic. While TLS 1.3 addressed some of the problems with encrypted tunnels, it is a long way off providing the trust and security of true E2E. In fact, if the Internet were created today, it would perhaps use E2E rather than the messaging Internet stack we have created. This would encrypt data at its source, rather than in the network stack. It is all just a legacy of a digital world that did not have any worry about security, privacy and trust.
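To make the difference concrete, here is a small model of the two designs described above. It is an added example written for this page, not code from the original article or from any product it mentions. It uses only the Go standard library, and it makes a few simplifying assumptions: random 32-byte keys (hopKey) stand in for the session keys a TLS handshake would produce on each link, a single middlebox terminates TLS between client and server (as a reverse proxy or WAF does), X25519 plus SHA-256 stands in for a real key agreement and KDF between the two endpoints, and the function names (sendViaProxy, transportOnly, endToEnd, proxyCanRead) are mine. In the HTTPS-only path the middlebox sees the plaintext; in the E2E path it sees only the ciphertext that was produced at the source, and none of the link keys can open it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must aborts on errors from setup calls (key generation, randomness, AES-GCM
// construction) that cannot fail with the fixed-size inputs used here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts plaintext with AES-256-GCM under key, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails when the key is wrong or the data was altered.
func open(key, box []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(box) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// hopKey stands in for the session key of one TLS-protected link, known only to
// the two parties at its ends (constructed: random bytes in place of a handshake).
func hopKey() []byte {
	k := make([]byte, 32)
	must(rand.Read(k))
	return k
}

// sendViaProxy carries payload over two TLS-style links with a terminating
// middlebox (reverse proxy or WAF) between them. Link encryption ends at the
// middlebox, so proxySees is everything it could inspect before re-encrypting
// onto the server link.
func sendViaProxy(payload []byte) (proxySees, serverGets []byte, err error) {
	clientHop, serverHop := hopKey(), hopKey()
	wire := seal(clientHop, payload) // encrypted in the network stack
	if proxySees, err = open(clientHop, wire); err != nil {
		return nil, nil, err
	}
	serverGets, err = open(serverHop, seal(serverHop, proxySees))
	return proxySees, serverGets, err
}

// transportOnly models plain HTTPS: nothing protects msg beyond the links.
func transportOnly(msg []byte) (proxySees, serverGets []byte, err error) {
	return sendViaProxy(msg)
}

// endpointKeys derives one shared key at each endpoint with X25519; SHA-256 of
// the shared secret stands in for a real KDF. The middlebox holds neither private key.
func endpointKeys() (aliceKey, bobKey []byte) {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	ak := sha256.Sum256(must(alice.ECDH(bob.PublicKey())))
	bk := sha256.Sum256(must(bob.ECDH(alice.PublicKey())))
	return ak[:], bk[:]
}

// endToEnd encrypts msg at its source, before it enters the stack, under the
// endpoint key; the same links and the same middlebox are still in the path.
func endToEnd(msg []byte) (proxySees, serverGets []byte, err error) {
	aliceKey, bobKey := endpointKeys()
	proxySees, outer, err := sendViaProxy(seal(aliceKey, msg))
	if err != nil {
		return nil, nil, err
	}
	serverGets, err = open(bobKey, outer)
	return proxySees, serverGets, err
}

// proxyCanRead reports whether the middlebox saw the original message.
func proxyCanRead(proxySees, msg []byte) bool { return bytes.Equal(proxySees, msg) }

func main() {
	msg := []byte("constructed sample message")
	seen, _, _ := transportOnly(msg)
	fmt.Printf("HTTPS only: proxy sees %q\n", seen)
	seen, _, _ = endToEnd(msg)
	fmt.Printf("E2E:        proxy sees %x\n", seen)
}
```

The point the model makes is structural rather than cryptographic: both paths use the same AES-GCM and the same links, and the only thing that changes is where the key that protects the message lives. With link encryption the middlebox is, by design, one of the key holders; with source encryption it is not, and no amount of TLS termination gives it the plaintext. The same reasoning is why a content-scanning requirement cannot be met by an E2E messenger without adding a second key holder somewhere, which is the "backdoor" the article refers to.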

Conclusions

I’m a technologist, but I feel there is a massive gap between those who build technology and those who regulate them. For those in government, there’s a feeling that there’s a magic wand that the good people can use and that can never be used by bad people. The magic wand doesn’t exist, unfortunately. That’s why we have cybercrime.

If it goes ahead, it is going to be strange to live in a technologically advanced country where you can't use WhatsApp. Hopefully, our politicians will find a way forward that does not restrict our lives but can protect our society. But they do have to talk to technologists and understand how the whole thing will work.

I won’t mention George Orwell here, but he is always in our thoughts when we discuss the difficult area of mass surveillance.