Encrypted Messaging - A Curse or Blessing?

The first thing we need to recognise is that over the last two decades our means and ability to communicate has drastically changed. Where once, to have a confidential conversation meant we used to have to physically meet with the person. Nowadays, we can simply pick-up our phone and tap out a quick message. Apps that advertise this level of security, like WhatsApp, Telegram, KiK, Signal, Facebook Messenger or even Snapchat, have been so well designed and created to be user friendly, that we are also more likely to revert to them than perhaps our standard (native) SMS.  How many of you actually use these as your default means of quick messaging for business, with friends and even your families? I’d guess probably quite a few of you.

But as our means of communication has evolved, so has our consciousness to the cyber risks that also increasingly prevail. Hardly a day goes by without receiving some spurious phishing email or even hearing of some poor soul having their bank account emptied or identity cloned. Everyone’s becoming far more savvy to the risks online which is why we simply must ensure that we password protect and encrypt all of our messages as a standard and, as I would always strongly recommend, install 2 factor authentication on every email and social media account we own.

Encryption is a good thing - it’s there to fundamentally protect us. Naturally, there are always going to be those who will seek to exploit it to conceal their criminal or even terrorist intentions. 

However, let’s address Amber Rudd, the Home Secretary’s, comments today. She wants the Security Services to be able to access and decrypt these secure communications. On the face of it, we might think this is a good idea. Who really wants an individual with terrorist intentions to be able to plot, plan and coordinate an attack through the benefits of a secure messaging environment that, if the Security Services were able to access and monitor, could be foiled and potentially stopped. Great in theory but actually more complicated in reality as to afford access or even create a ‘back-door’ to these encrypted apps, may not only benefit the Intelligence Agencies but also potentially others who may have more insidious intent. 

I’ve heard people today making comparisons to the San Benardino terrorist incident where the FBI requested Apple to provide a means to access the terrorist’s iPhones. Apple point-blankly refused. Not to be difficult, but because they knew if they did (or could, which I’ll come to in a bit), this would then create a ‘back-door’ that cyber criminals and other threats might also discover. On a very basic level, perhaps think about it like a secret door to a house and a huge volume of burglars looking for a way in. If there’s a door, albeit well-hidden, this can and likely will be discovered by one them. They then might (read as probably will) sell the knowledge of this door to other burglars. That house will then be robbed again and again until the owners brick it up. The more technical explanation would be to compare any unpublicised ‘decryption’ as a ‘Zero Day exploit’. A Zero Day is a hole in a well-designed and large scale software, unknown to the developers, that has been discovered by professional hackers which can then be used, traded and sold to other criminals, hackers, oppressive regimes to name a few, until it can be ‘patched’ (fixed/repaired) by the software owners.

There is also the question of whether the Secure App or Software can actually be ‘decrypted’ by the App owners. Many of these apps have been designed in such a way that even their owners can’t decrypt message conversations. FireChat being one such app, a secure messaging system often used by demonstrators and protestors in countries where oppressive regimes reside and state level intrusion is prolific.

Put simply, most Secure Messaging requires two secure encryption keys; one by the sender and one of the receiver. When the sender transmits their message, their key ‘handshakes’ with the receiver so ensuring that only they can read each other’s messages. The platform or app, by which they’re sending their message through, can’t even see content of the message. It simply provides a ‘platform’ through which it travels. So enabling a ‘back-door’ isn’t simply opening a hole for the Security Services to access, albeit with all the right permissions, etc. but would need to be built in to the app itself to allow the App Platform to access/intercept it.  Once built, that hole is then open for potentially anyone else to discover.

In summary, Amber Rudd’s intentions may be great in theory but is actually massively flawed and problematic in practice. It does baffle me that the government supposedly has Cyber Crime as a key initiative and they have the best advisors at hand, yet no one talked her through what I've mentioned above before she made that statement.

So maybe rather than place the majority of us at greater risk to the ever-increasing cyber risks out there by creating weakness in a means that keeps us protected, perhaps these hard efforts might be better first placed and channeled towards lobbying the Search Engines and Social Media platforms to remove and intercept the material that radicalises the minority who mean us harm in the first place?