I remember, 13 years ago, when the US Government dropped the controls on export of "strong" cryptography. I was working on a secure communication product at the time, and it had been getting to seem a really silly restriction, for a variety of reasons, which I won't go into here. The security community breathed a sigh of relief: everybody who cared - or knew enough to care - was already using strong crypto wherever we could, and we felt that this would allow online commerce, banking and personal data storage to flourish on the Internet, and we were right. There was some concern that the US Government's decision meant that they could already break the crypto based on the longer key lengths which were now allowed, but the general view, if I recall correctly, was that they probably couldn't. They would probably rely on other methods of intelligence, legal measures and the rest to ensure that when they needed access to material that might be encrypted, they'd still be able to get it. The UK Government introduced legislation with harsh penalties for people who refused to give up key material for exactly this sort of reason.
We discovered last week that the NSA and GCHQ have are in a position where they can break most of the cryptography used on the Internet. It seems that the main way they have of doing this is by "backdoors" in most software used for cryptography, including almost certainly that provided by Windows, and probably (sadly) that used by most Open Source software. There are a number of ways that they could be doing this, and speculation here is probably neither helpful nor healthy.
At one level, that they are using this technique is a relief: it suggests that they had to do it this way because the basic cryptography - based on some pretty clever mathematics - is sound, and we (the software community) can build something pretty good out of it. On another level, this is both worrying and disappointing.
It is disappointing because it means that the companies that we trust to provide us with secure solutions have colluded with the US Government - and plausibly the UK Government - to undermine the security that we expect.
It is worrying for many, many reasons. I understand the reasoning that our Security Services require the ability to investigate the Bad Guys, and I applaud the great work that they often perform. But my life - your life, I would warrant - resides in the security that they have undermined. My banking details. My communications with my loved ones. The messages and emails that I exchange with my colleagues. My National Health records - the list goes on and on. Even if the UK Government security services might have some defensible right to these, what right does the US Government have to such data? And I don't believe them when they say that they can be trusted with it. The history and the behaviour of such organisations doesn't give me the luxury of such belief. William Hague's "law-abiding Britons have nothing to fear" speech is laughable. Not only because history shows it not to be true, but also because I work with, interact with and have friendships with non-Britons. Do they have something to fear, even if they are law-abiding, like me? Governments have little history of - and even less reason to practice - moderation.
And this leads us to my final point: please take a moment to scroll to the top of this page, if you can't see it already. You will see, under "The ETHOS Network" banner, three words. Without privacy and security that I am sure of, how can I manage collaboration and trust with you, the other members of this network? I cannot be sure that the security services are not looking into all of our "private" communications, discussions and secrets, and neither can you.
I welcome your thoughts on the impact on our core values - collaboration, trust and moderation - that this news occasions. I'm not sure what we need to do - other than fix the security we use to try to make it more difficult for our governments to intercept and read our data so nonchalantly - but we do need a conversation and discussion on it, and it is people like us who need to make these happen.
Add a Comment