British Home Secretary Demands Backdoored Communications
Following Westminster Attack, Minister Seeks On-Demand WhatsApp Access
Following last week's Westminster attack in London, another senior British official is now calling for "backdoor" access to end-to-end encrypted communications. But security experts have long warned that deliberately weakened crypto can also be cracked by criminals, unscrupulous business competitors and unfriendly nation states, among others.
On March 26, Home Secretary Amber Rudd took to weekend talk shows in Britain to demand that police and intelligence agencies be given access to encrypted communications services such as WhatsApp, when required during an investigation.
"There should be no place for terrorists to hide," she said on BBC's Andrew Marr Show, the Guardian reports. "We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other."
Rudd is the Conservative politician who serves as Home Secretary - the U.K. cabinet-level position responsible for immigration, security, and law and order. The role was previously held by Theresa May, before she became prime minister in July 2016.
Westminster Attack
Rudd's appeal comes on the heels of the March 22 Westminster attack. London's Metropolitan Police said the domestic terrorist attack, which lasted just 82 seconds, began at 2:40:08 p.m. GMT on March 22, when British national Khalid Masood, 52, drove a rental SUV over Westminster Bridge and onto its northbound sidewalk, continuing along it and striking numerous pedestrians, until he crashed into the perimeter fence of the Palace of Westminster, where Britain's two houses of Parliament meet. After exiting the car, Masood was shot by a police firearms officer inside the Palace of Westminster boundary.
Five people died as a result of the attack, including Masood, and 50 more were injured. Police say they believe Masood "acted alone." According to press reports, he was also known to the intelligence services, which began investigating him in 2010.
In her interview with Andrew Marr, Rudd said "this terrorist sent a WhatsApp message and it can't be accessed," apparently suggesting that Masood had sent a message via WhatsApp in the moments before his attack. But the Home Office later said her comments were misconstrued, and that she had been decrying the use of WhatsApp by terrorists in general.
WhatsApp couldn't be immediately reached for comment on Rudd's pronouncements. But the service, owned by Facebook, released a statement saying that "we are horrified by the attack carried out in London earlier this week and are cooperating with law enforcement as they continue their investigations."
Brian Paddick, a Liberal Democrat peer who formerly served as a senior officer in the Met Police, has blasted Rudd's push for crypto backdoors.
"There are ways security services could view the content of suspected terrorists' encrypted messages and establish who they are communicating with. Having the power to read everyone's text messages is neither a proportionate nor an effective response," Paddick said.
"The real question is, could lives have been saved in London last week if end-to-end encryption had been banned? All the evidence suggests that the answer is no," he said.
IP Act Already Applies
In fact, many security watchers have noted that everything Rudd says she's demanding is already available to the government under last year's controversial Investigatory Powers Act 2016. The IP Act - long derided by critics as a "Snooper's Charter" - allows the government to serve a notice requiring any telecommunications operator to remove, in the law's language, "electronic protections" applied to communications. The government can also legally prohibit the organization from publicly disclosing that it has been served with such a notice.
In other words, the government can already legally force a firm to remove - or otherwise bypass or circumvent - encryption, says Cambridge University cryptographer Ross Anderson.
Was just on Radio 5 live, said Amber Rudd grandstanding, as IP Act already lets her secretly order anything that's practical https://t.co/ULd23VDvvn
— Ross Anderson (@rossjanderson) March 27, 2017
Crypto Appeals Follow Attacks
Law-and-order appeals for weak encryption in the wake of terror tragedies - committed by suspects already known to security or intelligence services - and the scapegoating of service providers are nothing new (see Cybersecurity, Crypto and the Politics of Blame).
Following the January 2015 Charlie Hebdo attacks in Paris, then-Prime Minister David Cameron said he wanted all social networks to retain all users' communications indefinitely, and called on President Barack Obama to push for similar legislation. Such plans never came to fruition.
After the December 2015 shootings in San Bernardino, Calif., in which Syed Rizwan Farook and his wife shot and killed 14 people, FBI Director James Comey called on Apple to help the bureau crack an iPhone 5c used by Farook. The FBI took Apple to court, saying there was no way to access Farook's device unless Apple built a special version of iOS with the passcode-retry limit and auto-erase disabled, so that the passcode could be brute-forced, and installed it on the device. But the FBI abruptly dropped the case, reportedly because it had found a technological workaround (see Could FBI Have Cracked Shooter's iPhone for Less Than $100?).
In response to the FBI's move, many firms - including Apple - appeared to accelerate plans to create devices and services that couldn't be unlocked.
The push for end-to-end encryption for communications services, meanwhile, was a direct reaction to former National Security Agency contractor Edward Snowden's leaks, which revealed that the NSA and Britain's GCHQ, among other intelligence agencies, were regularly intercepting those communications.