What Andrew Marr doesn’t understand about end-to-end encryption

I like Andrew Marr. He usually comes across as intelligent, and well informed. Not so much today.

In this mornings show, Marr repeatedly raised the prospect of banning end-to-end encryption, and putting back-doors in apps like whatsapp.

A couple of thoughts.


Putting a backdoor in apps like whatsapp is dangerous

The wannacrypt (or wannacry) ransomware that affected the NHS earlier this month was born out of a Windows exploit which the NSA had discovered and not told Microsoft about because they were using it for surveillance and wanted it to remain unpatched.

Unfortunately for them (and everybody else) they were hacked, and that exploit was released into the wild. Criminals were then able to use the exploit to build ransomware, which affected the computers of the NHS, as well as many other companies around the world.

Let’s say you put a backdoor in whatsapp and give it to the security services. If they get hacked again, or a disgruntled insider decides to leak it, criminals and terrorists may suddenly have access to the message history of everybody.

You put a backdoor in whatsapp to track terrorists and criminals, that backdoor gets leaked, and the terrorists and criminals you were trying to track use it to get sensitive, private information on ordinary people which they could use in any number of ways.

The terrorists aren’t using whatsapp

Any serious terrorist or criminal isn’t using whatsapp. It is much more likely that they are communicating with each other using a darkweb messaging service, and manually encrypting their messages with something like PGP to boot, using private/public keypairs exchanged in person.

There are many open source encryption standards (OpenSSL, PGP, etc), which do not have backdoors and which we do not currently have the computing power to crack. There are also open source tools built around these encryption standards, which aren’t overly difficult to use.

As crime and terrorism becomes more high-tech, it isn’t outside the realms of possibility that sophisticated criminals and terrorists will even build their own end-to-end encryption messaging apps, based around one of these standards.

Many politicians don’t understand technology, and Marr isn’t helping

It is clear that many politicians don’t have a good understanding of technology or encryption. As far as I am aware, none of the MPs from any of the mainstream political parties come from a computer science background (feel free to correct me in the comments if I am wrong!)

This is problematic because despite having a poor understanding, they are expected to legislate on encryption and technology in Parliament.

If people like Andrew Marr keep parroting this idea that banning encryption and adding backdoors to messaging apps is a good idea, less tech-savvy politicians (most of them) will believe it and vote that way when it comes up in parliament.

Terrorists and criminals aren’t using these apps, but ordinary people do so every day for every aspect of their life (from planning their day, to sending pictures of their genitals).

If a backdoor is added to a messaging app and details of the backdoor get hacked or leaked, and into the hands of terrorists or criminals, that makes everybody less safe.

As usual, people like Andrew Marr are ten steps behind the bad guys. They are using encryption tools and darknet messaging services, Andrew Marr is talking about whatsapp.

The lack of technical expertise and understanding among politicians is getting dangerous. We need to start taking technical competency into account when deciding who to vote for.

It doesn’t have to be this way

Here is a video of Canadian Prime Minister, Justin Trudeau, answering a question on quantum computing:

That’s pretty good.

The Prime Minister of Singapore hacks in C++. The former Prime Minister of Thailand is into bitcoin.

In a world where technology dominates every aspect of our lives, other Countries are beginning to see the value of having politicians who understand it, and we need to do so as well.