Tuesday, October 13, 2020

End to End encryption in New Zealand

[Loud and obligatory disclaimer: These are my personal views and do not represent those of my employer, or anyone else]

Yesterday (12th October 2020), the New Zealand Government released this statement regarding end to end encryption:

https://www.beehive.govt.nz/release/international-statement-end-end-encryption-and-public-safety

This provoked a collective WTF amongst many IT professionals, but also some understanding that we can't just shrug and "hide behind" strong encryption. While I can see that that angle is valid, and I'd like there to be a nice answer that provides security and privacy to people while also not impeding police investigations, there simply isn't one. I come down on the side of the fence in favour of security and privacy, and support strong encryption.

After our country's amazing COVID response, my trust in our current Labour government was at an all-time high, and my interpretation of the Beehive release was that perhaps they do understand encryption, but are being forced to toe the line behind the US, UK and Australia as part of the Five Eyes alliance. Ever the optimist! Anyway, as one does, I got involved in some Twitter debate, and Andrew Little himself (the minister in charge of this sort of thing) replied with:

I don’t accept you get to dodge responsibility for permitting serious criminal offending on your platform(s). Technology isn’t an excuse to allow others to be abused & exploited. Not unreasonable to expect you to cooperate to investigate criminality at your on-line place.

https://twitter.com/AndrewLittleMP/status/1315566745671757825?s=20

So, clearly Mr Little buys into this. One would think that if the government were just capitulating to the Five Eyes, he would simply have said nothing here.

So, where does that leave us? People far smarter and more articulate than I have already explained why banning strong encryption isn't a good idea. Here's a good one for starters: http://cyberlaw.stanford.edu/blog/2019/11/banning-strong-encryption-does-not-mean-catching-criminals-it-only-makes-you-less-safe. As it says, banning strong encryption doesn't mean catching criminals; it just makes you less safe from them. As a professional software developer with experience working on secure systems, and having to worry about things like encryption, certificates and other kinds of secrets, I agree with that view. If you prevent everyone from using strong encryption, then the only people remaining who will actually be able to use it are the criminals! They're already breaking the law, so they're hardly going to throw away their end-to-end (E2E) encryption code because of any new anti-encryption laws that might arise.

One might argue that if we ban E2E, then it at least raises the bar, so only the incredibly rich and powerful crime syndicates would be able to obtain strong encryption on the black market. This sounds appealing, but doesn't hold in reality. Anyone can download a free, open source implementation of the Signal Protocol right now from GitHub. The Signal Protocol is the gold standard in E2E encryption, and with open libraries like that, most reasonable developers could likely hook it all up and have a functioning system in a week or two. If the Signal libraries were to disappear, this kind of thing can always be rebuilt: a junior developer on my team built an ECIES messaging system (which is the same E2E encryption that Apple's iMessage uses) in about three months, and honestly we could have gone faster if we'd wanted to.
The bar is low, and that's only if the existing E2E apps such as WhatsApp, Facebook Messenger, the Signal app, etc. were all wiped from existence. Until that happens, criminals will simply install and use those, and because the software development bar is so low, if one app is wiped out, another will simply pop up to replace it. The cat is out of the proverbial bag.

What about collateral damage? I'm a software developer, and I work on cloud products. E2E is a really powerful tool for me; I can use it to let customers send data from their corporate servers down to client apps (on phones), and vice versa. The data can transit through the cloud, and E2E means that nobody in between, my own servers included, can read it. As a software vendor, I want to be able to provide strong security guarantees to my customers, and E2E lets me do that. If I'm banned from using E2E, and I must build a system which is theoretically capable of spying on customers on behalf of law enforcement, then that system is inherently worse.

There's a binary switch here. With E2E, the customers don't have to trust me. They only have to trust that the software they run on their phones and servers is acting in good faith, and we have our software independently audited for exactly that.
Without E2E, as much as we might say "we don't spy on you" or "we won't harvest your personal information" or any other such statements, the fact will always remain that we could if we wanted to, which erodes the entire foundation of trust on which such things are built. Secondly, we might get hacked or suffer a data breach, and without E2E the consequences would be a lot more severe, because the attacker would get readable data rather than ciphertext.
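To make the "binary switch" concrete, and to show what the ECIES-style scheme mentioned earlier actually involves, here is an added example (my own illustration for this post, not the code of any product or library mentioned above). It uses only the Go standard library: the phone publishes a P-256 public key, the server encrypts each message under a fresh ephemeral key (ECDH, then AES-GCM), and the cloud relay is handed an envelope that it can store and forward but not read. The key derivation (SHA-256 over the shared secret and both public keys) is a simplification I chose for the demo; a real deployment would use HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything the relay (the cloud in the scenario above) gets to see:
// an ephemeral public key, a nonce and the AES-GCM ciphertext. None of it yields
// the plaintext without the recipient's private key.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// Recipient holds a long-term P-256 key pair. Only PublicKey() ever leaves the
// device; the private half is exactly what the cloud does not have.
type Recipient struct {
	priv *ecdh.PrivateKey
}

func NewRecipient() (*Recipient, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Recipient{priv: priv}, nil
}

func (r *Recipient) PublicKey() *ecdh.PublicKey { return r.priv.PublicKey() }

// deriveKey turns the raw ECDH shared secret into a 256-bit AES key. Hashing in
// both public keys binds the key to this sender/recipient pair. (Demo KDF only.)
func deriveKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("ecies-demo-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sender side: a fresh ephemeral key per message, ECDH against the
// recipient's public key, then AES-GCM with the ephemeral public key as AAD so
// the relay cannot swap it for one of its own without breaking authentication.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(deriveKey(shared, ephPub, recipient.Bytes()))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		EphemeralPub: ephPub,
		Nonce:        nonce,
		Ciphertext:   aead.Seal(nil, nonce, plaintext, ephPub),
	}, nil
}

// Decrypt is the recipient side. Without r.priv the derived key is unreachable,
// and any modification of the envelope in transit makes Open return an error.
func (r *Recipient) Decrypt(env Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := r.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(deriveKey(shared, env.EphemeralPub, r.priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

func main() {
	phone, _ := NewRecipient()                                          // key pair lives on the device
	env, _ := Encrypt(phone.PublicKey(), []byte("constructed sample: payroll export Q3"))
	fmt.Printf("relay holds %d ciphertext bytes and no key\n", len(env.Ciphertext))
	pt, err := phone.Decrypt(env)
	fmt.Printf("phone decrypts: %q (err=%v)\n", pt, err)
}
```

The point of the example is the asymmetry: the relay's position is the same as a breached vendor's, and in both cases what is held is an `Envelope` and nothing else. Flipping the "switch" the other way means the server, not the phone, holds the private key, at which point the "we could if we wanted to" problem appears, because the vendor can decrypt every envelope it stores.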

Where does that leave us?

In spite of the above Beehive statement, I don't believe that the NZ Government wants to blindly institute a ban on all E2E (or otherwise "strong") encryption. An outright ban would erode trust internationally in our country, and could hurt export sales of NZ-owned but globally distributed software like Xero. Technology is NZ's third largest export, and I don't think the government wants to ruin that. Australia's anti-encryption laws are already hurting their tech sector, and it would be tragic if we didn't learn from their mistakes.
I hope that the government would allow E2E, with the understanding that law enforcement still has an avenue to take in the event of a criminal investigation. In the example above, if I sell software to a business, and that software uses E2E to enable secure messaging between a business and its employees, then law enforcement has a clear path to follow: they could compel the business to turn over the audit records from its servers, and proceed from there.

What I'd like to see is some discussion between the tech community and the government around setting expectations for where E2E might be appropriate. Clearly the "person-to-person" messaging scenario of WhatsApp/Facebook Messenger is not acceptable in the eyes of Government, but would a "business-to-business" scenario be? How about "business-to-person"? What if the business were overseas? Some guidelines would really help our IT industry navigate these waters.

So, to Andrew Little: let's get a discussion going between NZ software developers and the government.
My inbox is always open. Flick me an email: orion.edwards@gmail.com :-)