Euro Security Watch with Mathew J. Schwartz

Governance & Risk Management , Privacy

Cybersecurity, Crypto and the Politics of Blame

Parliament Too Often Sees Technology as an Easy Political Scapegoat
Cybersecurity, Crypto and the Politics of Blame
Jeremy Hunt, the U.K.'s secretary of state for health, blames social networks for children's mental health problems. Photo: NHS Confederation.

The United Kingdom has just passed a mass surveillance and encryption bypass law that includes multiple provisions that will be applied in secret (see Britain's New Mass Surveillance Law Presages Crypto Fight).

See Also: ISO/IEC 27001: The Cybersecurity Swiss Army Knife for Info Guardians

The home secretary, Amber Rudd, claims that the new Investigatory Powers Act will provide "unprecedented transparency and substantial privacy protection."

But can Parliament be trusted to write a law that balances the security services' need to intercept data with our right to privacy, including the presumption of innocence and the human right - as defined by the EU - to not be the subject of untargeted, mass surveillance?

Some say no. World wide web founder Tim Berners-Lee, for one, warns that the new Investigatory Powers Act - derided by critics as the "Snooper's Charter" - "rides roughshod over our right to privacy."

In part, that's because it will require ISPs to store more types of data, and for longer, including subscribers' browsing histories and records of who they communicate with and when. While such information is intended for access only by law enforcement and intelligence agencies, such repositories will also be at risk from outside attackers and unscrupulous insiders.

Forcing Crypto Cracks in Secret

Also worrying: The law will allow the country's security services to compel technology firms that use encryption for data and communications security to add secret backdoors to their products, via what the law blandly describes as a "technical capacity notice."

Previously, many top U.K. politicians have said that encryption should never stand in the way of an investigation.

Unfortunately, once a backdoor is added to software code, anyone may access it. "What a lot of politicians and lawmakers fail to understand is that if the U.K. government has a backdoor into encryption software, so does every other government on the planet," Brian Honan, a Dublin-based information security consultant who advises the EU's law enforcement intelligence agency, Europol, tells me.

How many Members of Parliament understand that immutable fact?

Some Accountability Required

One safeguard in the IP Act is that any demand for a crypto backdoor must first gain the approval of one of the secretaries of state. Per the bill's final language, they must "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct," consult a technical advisory board and gain final approval from a non-independent judge appointed by the prime minister.

Are these safeguards sufficient to protect people's privacy and security, avoid excessive access to innocent people's data by the security services or avoid abuse by any unscrupulous insiders?

Social Media as Scapegoat

One fact that gives me pause is the dearth of legislators who have any IT-related experience. Another is the frequency with which those in power view technology - such as encryption - and technology firms as convenient scapegoats for failed government policies or intractable social challenges (see U.K. Labels Facebook A Terrorist "Haven").

A case in point, occurring just one day after Parliament this week passed the IP Bill, involved Jeremy Hunt, the U.K.'s secretary of state for health, presenting evidence at a Commons Health Committee on suicide prevention efforts.

"I think social media companies need to step up to the plate and show us how they can be the solution to the issue of mental ill health amongst teenagers, and not the cause of the problem," he said, according to the Guardian. "There is a lot of evidence that the technology industry, if they put their mind to it, can do really smart things."

Hunt is a former management consultant and public relations executive with no medical training. Nevertheless, he also suggested that social media companies could find technological ways to prevent minors from sending sexually explicit messages or photographs - "sexting" - to each other.

In response, members of the committee instead urged Hunt to take responsibility for improving the government's approach to suicide prevention.

BlackBerry 'Caused' the London Riots

Another example involved London police fatally shooting Mark Duggan in August 2011, triggering protests and then riots across London, Birmingham, Liverpool, Manchester and other locations around Britain.

Some politicians and police forces, however, were quick to blame Twitter and encrypted BlackBerry Messenger chats for the unrest.

But Chris Geer, a professor of criminology at London's City University, said BBM and social media didn't incite people to protest. "I don't think it is having any impact on the motivation to protest in the first place," he told the BBC. "But once people have mobilized themselves and decided to take to the streets, it is certainly much easier to communicate with each other."

At the time, Tim Godwin, acting police commissioner for London's Metropolitan Police, said the force considered pulling the plug on BBM and social networks to quell the unrest, but legally found that it couldn't. "We did consider seeking the legal authority to switch it off. The legality is questionable, very questionable," Godwin told the Guardian.

Thankfully, cooler heads prevailed, or else there would have been unfortunate parallels with former Egyptian President Hosni Mubarak in early 2011 pulling the plug on the country's internet access, mobile networks and SMS in response to a week of protests.

With the passage of the IP Act, however, has Britain now enshrined technology scapegoating into law?

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.