Cameron to Ask Obama to Help Weaken Crypto
British Leader Also Wants Greater Social Network Monitoring
British Prime Minister David Cameron reportedly plans to lobby U.S. President Barack Obama to criticize technology companies that offer encrypted communications that cannot be cracked by law enforcement or intelligence agencies.
Cameron, who is slated to meet with Obama in the Oval Office on Jan. 16, also wants the White House to help him push social networks to monitor for any unfolding national security threats, including better tracking of potential Islamist extremists, The Wall Street Journal reports. In particular, Cameron will reportedly suggest that social networks store users' messages - and related tracking data - and turn this over to the authorities, upon demand.
Cameron has also argued that new U.K. laws are needed that will ensure intelligence services have the right, after obtaining a court order, to read encrypted communications. "I think we cannot allow modern forms of communication to be exempt from [that] ability, in extremis, with a warrant signed by the Home Secretary," he said in a Jan. 11 speech.
To make that happen, however, he arguably needs U.S. support. "The U.K. government can only enforce within the U.K., whereas the Internet is global and many of the service providers they are anxious about are based in the U.S.," Peter Sommer, professor of cybersecurity and digital evidence at Britain's De Montfort and the Open Universities, tells Information Security Media Group.
Meanwhile, Obama is pushing for cybersecurity legislation that would entice businesses to share threat-related information with the Department of Homeland Security, as well as create a national breach-notification law to replace the current patchwork of state notification laws.
U.K. Wants White House Buy-In
"The prime minister's objective here is to get the U.S. companies to cooperate with us more, to make sure that our intelligence agencies get the information they need to keep us safe," an unnamed U.K. "government source" tells the Guardian. "That will be his approach in the discussion with President Obama: How can we work together to get them to cooperate more? What is the best approach to encourage them to do more?"
U.S. technology firms have previously rejected those U.K. requests, noting that governments can already subpoena such information. But a similar debate has also been occurring in the United States, with Attorney General Eric Holder and FBI Director James Comey, in particular, advancing arguments that parallel Cameron's. Last year, Comey accused Apple and Google of having gone "too far" by offering strong encryption, by default, that prevents the government - after it has obtained a warrant - from reading some communications. To date, however, Congress has balked at passing any laws that would outlaw such systems or mandate that back doors be added to them.
Experts: Anti-Crypto Moves Would Fail
From a technical standpoint, however, many security experts say that any attempt to undermine crypto, for example by mandating that back doors be added to encrypted services, would fail on numerous fronts - not least because of the availability of free tools for encrypting communications. Indeed, Sommer says the introduction of PGP - a free public key encryption program that promises Pretty Good Privacy for data - helped scuttle the last so-called Crypto Wars in the 1990s, when similar questions were being debated.
Enterprising terrorists, furthermore, don't need to encrypt their communications, Sommer adds. Instead, they could communicate using prearranged signals, such as changing an innocuous-looking word on a website.
Undercutting encryption could upend parts of the economy, including the e-commerce and banking sectors, consumer advocates argue. "Having the power to undermine encryption will have consequences for everyone's personal security," says Jim Killock, executive director of the Open Rights Group, which campaigns for digital rights, in a statement. "It could affect not only our personal communications but also the security of sensitive information such as bank records, making us all more vulnerable to criminal attacks."
Data Retention Defense
Beyond seeking to rein in the use of strong crypto, the U.K. government has also made reference to the recent terrorist attacks in Paris when reintroducing controversial mass-surveillance legislation. Home Secretary Theresa May warned the House of Commons in a Jan. 14 address that "innocent lives will be put at risk" unless Parliament passes the draft Communications Data Bill, which critics have derided as being a "snooper's charter." The bill, which was blocked in 2013, would require Internet and mobile phone service providers to retain extensive details relating to their subscribers' Internet browsing, voice call, e-mail, text, Internet gaming and mobile phone usage - although not the content of their communications - for 12 months.
May, however, argued that such capabilities are essential for law enforcement. "This is not, as I have heard it said, 'letting the government snoop on your e-mails,'" May told Parliament. "It is allowing the police and the security services, under a tightly regulated and controlled regime, to find out the who, where, when and how of a communication but not its content, so that they can prove and disprove alibis, identify associations between suspects, and tie suspects and victims to specific locations."
May said it was likely such information was employed by the French authorities as they investigated the Charlie Hebdo massacre in Paris. "Quite simply, if we want the police and the security services to protect the public and save lives, they need this capability."
In the wake of the Paris attacks, German Chancellor Angela Merkel has also called for new EU data retention rules to be passed. Addressing the lower house of the German parliament on Jan. 15, she said Internet service providers should be required to retain subscribers' records for a "minimum period" in case they were required by law enforcement agencies in the course of an investigation, the BBC reports. But Merkel has yet to specify what that retention period might be.
Privacy rights groups, meanwhile, have questioned governments' demands for expanded surveillance programs and pointed to a European Court of Justice ruling in April 2014 that blanket - as opposed to targeted - data retention violates Europeans' right to privacy and the protection of their personal information.
"Nothing about the Paris attacks points to a need for more blanket surveillance powers," Isabella Sankey, director of policy for the U.K.'s National Council for Civil Liberties, says in a blog post, highlighting that in many cases - including the Paris attacks - the perpetrators had already been known to the intelligence services.
"Surveillance per se is not wrong. It's the vital task of the government and security agencies to protect life through targeted and effective monitoring," Sankey says. But she argues that the intelligence services already have the monitoring powers they need and should make better use of them, instead of attempting to further strengthen their powers, which risks compromising people's privacy.
"Invading the privacy of suspected terrorists is justified. Invading the privacy of every single person in the U.K. is not," she says.