So I have been reading two recent think-pieces:<\/p>\n\n\n\n
Security services are in the market for as much information as they can get and if the threat of a decryption order may encourage a hesitant company to offer other useful data in order to avoid this being carried out then they will see this as a useful tool.<\/strong><\/p>\n\n\n\n My emphasis. Hallam further writes in the blogpost:<\/p>\n\n\n\n As policy makers, this is a situation where \u2018cakeism\u2019 is not the answer and we have to make a choice \u2013 either a) to allow companies to offer genuinely secure end-to-end encrypted communications to people in the UK, or b) to make it clear that the only messaging services on offer will allow some third parties to access your messages without your consent. He’s right \u2014 there’s a global hope that someone will cause the “Tech Platform E2EE Consensus” to crack \u2014 but there’s also something here which has been forgotten: <\/p>\n\n\n\n This <\/em>game of chicken is being played in public, and the zealots on both side are watching.<\/p>\n\n\n\n Spying is traditionally done in secret \u2014 I’ve posted an entire E2EE primer<\/a> which can help provide examples \u2014 but what I would like to highlight here is the Technical Capability Notice<\/strong> of the Investigatory Powers Act 2016<\/a> and further legislation<\/a>, where I would like to make a single observation:<\/p>\n\n\n\n When a company or person is coerced with a Technical Capability Notice<\/a> to provide access to communications, they are meant to do so in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 57(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice<\/a><\/em><\/p>\n\n\n\n In short: compliance with a TCN and collusion towards leaking message content, is meant to be secret\u2026 but the Android and iOS ecosystems do not work that way. The world of big platform applications is not like telephone companies where a wiretap can be surreptitiously plugged into someone’s line by a discreet visitor to the local phone exchange.<\/p>\n\n\n\n Instead: the world is watching, and there are people \u2014 notably the respected Jane Manchun Wong<\/a> \u2014 who practically make a livelihood by digging through applications and surfacing the creation of new, test, or additional features which appear in the wild.<\/p>\n\n\n\n If code is developed \u2014 if client-side-scanning code is added to an app \u2014 it will be discovered, leaked, and publicised.<\/p>\n\n\n\n And then the fun will start.<\/p>\n\n\n\n The platforms \u2014 even more than Hallam’s perspectives on Government \u2014 do not want to be seen to be compromising their global privacy ethics for some parochial (e.g. merely “British”) purpose; and they also know that there is greater good to end-to-end encryption than even the statistics of actual abused children count against<\/a>. <\/p>\n\n\n\n Thus, they are extremely motivated to not add “British-Government Client-Side Scanning Code”<\/em> to their application, where the likes of Wong (et al) will discover it and publicise it to the world. <\/p>\n\n\n\n Therefore: if the UK Government does pass legislation empowering OFCOM to demand client-side scanning, but it is never implemented<\/em> and never turns up<\/em> in the applications\u2026 what happens next?<\/p>\n\n\n\n To get us to this point the Home Office has been stoking a bunch of child-safety charities<\/a>, telling them that encryption is their biggest bugbear<\/a> and that combating privacy for adults is a disproportionate “win” that will keep children safe.<\/p>\n\n\n\n In the process they have created an information security analogue of UKIP: a small band of zealots with ill-defined goals who are kicking back against what they perceive as a monstrous hugely-funded monolith which impinges upon their lives in every way. <\/p>\n\n\n\n “Tech”, to them, is the new “Europe”<\/em> and the “Platform Duty of Care” is the new “Brexit,”<\/em> i.e. they want to “hurt tech” by harming themselves and everyone else in the process of achieving their halcyon goals of “saving children”<\/em>.<\/p>\n\n\n\n
I believe that the UK Government is still closer to the first position as it is nervous about losing public support if it went fully down the second path and services started to withdraw from the UK market<\/strong>, but with two provisos.
First, if another mainstream country did manage to force service providers to compromise their encryption and they did not withdraw from those markets, then the UK would be encouraged to follow suit.
Second, the UK Government may feel more comfortable issuing orders that would effectively prevent a currently unencrypted service from making the transition to become end-to-end encrypted if it feels this would not lead to withdrawal from the market.
We should also note that there is a strong \u2018game of chicken\u2019 dynamic in all of this that could lead to someone being run over<\/strong> if there are miscalculations on either the government or the industry side.<\/p>\n\n\n\nThis Game is Different: It’s Played in Public<\/h2>\n\n\n\n
What Happens Next\u2026<\/h2>\n\n\n\n