
Thales Blog

Ban Encryption? Should We Ban Envelopes Next?

January 16, 2015

Encryption has been well and truly on the national agenda this week with David Cameron airing his desire to “ban encryption” in the UK. The fact is – you can’t make technology simply ‘go away’ just because it has uncomfortable side effects; it would be like banning MP3 to save vinyl records.

Encryption is the backbone of online security – allowing the safe transfer of passwords, credit card numbers, healthcare data, in fact almost anything of value over the internet. Without encryption, there would be no e-commerce, no online banking, no app stores (or the phones that use them), no debit cards, no internet of things and certainly no Bitcoin. Outlawing the use of encryption would be equivalent to imposing a ban on envelopes and forcing all correspondence sent via the Royal Mail to be in the form of postcards!

Needless to say, this isn’t a vision of the future that fits with most people’s expectations for life in the digital world. It also seems to be in direct conflict with Mr Cameron’s vision of establishing the UK as the safest place for e-commerce in the world, as well as the upcoming changes to the EU data protection act. Even if this dream of a simpler, more open world could garner support, it would require widespread adoption; no single country could go it alone. Would visitors to the UK be expected to hand over their phones at the border or replace the software on their laptops? Would messages to and from the UK be scrutinized by the government for contamination by encryption?

I’m being facetious, but you get the point. Like it or not, the encryption genie is already out of the bottle. The bad guys have been able to get their hands on strong encryption for years, for free. Trying to pretend that encryption doesn’t exist is like going into cyber battle (and even physical battle) with one arm behind your back. If you don’t believe me, then go and see The Imitation Game (great movie, by the way).

Governments might grudgingly accept that encryption is here to stay and instead focus on ways that enable them to crack the code. They could try to limit key size, force the use of ‘approved’ algorithms or require people to register their keys – but none of these approaches are practical, and even if they were, they would just serve to make the life of the attacker easier. Worst of all is the idea of backdoors: intentional secret flaws that only the good guys could use. A nice idea, but one that at best has minimal value and at worst could bring the digital world to its knees. If it became known that such backdoors existed, as it surely would, then every hacker worth his or her salt would make it their personal goal to find them, sell the keys to unlock them and enable them to be universally exploited.

In the good old days, the arms race was a hard race to get into – without the right expertise and access to piles of radioactive material you simply couldn’t build a bomb. But in the modern world the bad guys can access the same digital weapons as the good guys. At some point governments have to accept that eavesdropping might be a thing of the past. That’s OK; security is always an evolving science. The conversation now should be focused on how intelligence can be gathered in the future rather than trying to undo the past.

Sensible conversations about data security – “wish you were here”.