President Donald J. Trump is being advised to regulate encryption. This advice is misguided, and betrays a fundamentally computer illiterate approach. His adviser’s knee jerk reaction to recent events is irrational, and a convenient pretext to legislate for long sought after powers to break encryption. They are ignorant of the history of computing and encryption, and their plans will damage America. N.B. This is not a criticism of the Trump administration it applies equally to any government anywhere that wants to regulate encryption in their jurisdiction.
The Background and Facts
President Donald Trump, perhaps the greatest president since the Founding Fathers of America, like all politicians, knows next to nothing about computers and software. In his busy world, computers are the tools of secretaries and assistants, and not something he has a particular interest in.
Professionals in the Security Services on the other hand do understand computers, and are asking for software to be crippled so that no communication can be transmitted in private. They know the complete history of encryption, and how previous attempts to have it outlawed or weakened have failed. They are hijacking the mass hysteria over terrorism to make a fresh attempt to take encryption away from the public.
The Electronic Communications Act 2000 in the UK was an early example of an attempt to make it illegal to sell a software product that did not have a back door for government access. It was defeated and removed from the statutes.
In the USA, several attempts have been made to mandate government access to all private communications; some via new hardware devices like the Clipper Chip, and others through setting legal precedent. They also tried to chill the release of encryption tools by the three year harassment of Phillip Zimmerman, the author of “Pretty Good Privacy”, the tool that Edward Snowden has admitted that the NSA and GCHQ cannot break.
Even today, any encryption system with key lengths longer than 64bits must be approved by the US Department of Commerce’s Bureau of Industry and Security before they can be exported. This is patently absurd, since key lengths of 4095bits are available to everyone globally without restriction, and all SSL is 128bits by default at a minimum world-wide.
The Current Situation
Today, Apple and Google with their iOS and Android operating systems have rolled out full device encryption so that no one can read the contents of a user’s phone. This was done in direct response to the NSA’s mass intrusion into the communications and devices of millions of innocent people.
Now President Donald Trump, is under pressure from IT professionals who are exploiting his computer illiteracy, trying once again to revive their decades old attempts to cripple the public’s access to encryption and privacy. They failed in the late 1990s and they will fail again, because the iPhone saturated, “selfie” taking world is a very different place today.
Everyone uses encryption, whether they know it or not, on a daily basis. All eCommerce depends on it. If the US government makes it law that all encryption must have a back door, then criminals will have default access to all websites that sell anything, together with easy access to the personal information of billions of net users on all devices.
The demands being made to Trump are unworkable and ineffective because different jurisdictions will not follow the USA, and any software developer in the world can use both the old and new absolutely reliable tools to have secure chat and email and file storage, or simply move their services to a free jurisdiction, avoiding the anti-tech anti-American laws.
The men advising Trump can demand that encryption has back doors in America, but they cannot demand that anyone anywhere else follows her. This would mean that only US web sites and services are vulnerable; the entire US internet would be globally recognized as an unsafe zone for e-commerce. It would be a disaster for the tech sector of the US.
The UK Tried This, and Failed
The messages that came out of the British government on this subject were not coherent, and its clear that Theresa May was nothing more than the unhappy messenger. On the one hand, her government wanted “Silicon Roundabout” to be the centre of the tech explosion in Europe, but on the other hand, they were being told to cripple the key tool used in making that tech work. Clearly, this is the sound of two voices at odds with each other.
And its not only eCommerce that was threatened by the UK’s anti progress stance. There is a vast movement online to put all internet services no matter what they are behind HTTPS by default. Mandating that the government has backdoor access to every website is literally impossible. It means fundamentally re-engineering the entire web, and no one is going to agree to this. If you access a foreign email service from the UK, like Gmail, the SSL will not be back doored, and the communications will be private. In the reverse direction, they will not be private. This means that no company will host their email services in any country passing an anti-encryption law, and the money, brains and tech will flow away from those countries. The “Tech Drain”.
Now that the world depends on encryption for the movement of all of the money in circulation globally, it is not possible to weaken the tools that protect the movement of that money without destroying commerce itself. You cannot weaken the tools that protect everyone without giving blanket access to criminals. Theresa May was badly briefed, and was forced to back down, or give up any hope of Britain becoming a centre for global tech.
The Flawed Rationale
The public pretext for this new push to break global ecommerce is the recent spate of anomalous killings by “Jihadists”. Criminal events, especially the more horrifying ones, are always outliers and statistical anomalies. The vast majority of the world’s people never encounter this category of event, and their safety must always come first; that means strong encryption by default.
Politicians are very accustomed to making tradeoffs. In this case, we are trading off the absolute fact of trillions of dollars and billions of people who use eCommerce being kept safe against the remote possibility of detecting and perhaps preventing extremely rare crimes against a vanishingly small number of people, the number of which when combined globally is lower than the number of people who die from mundane causes.
And when we talk about protecting people, we do not only mean protecting their money. Every aspect of your life is shielded by encryption, including all the private matters that you send or receive through your internet connected devices. Encryption keeps your private information away from everyone but the intended recipients. The government is only one hostile adversary out of many trying to gain access to your communications, money, medical records and location.
Encryption is democratic; it keeps everyone safe equally.
The True Reality
The age of the Security Services being able to read everyone’s communications at will is essentially over. The coming of this day was inevitable from the moment that PGP and SSL were developed and released. The net benefit to society is the emergence of global eCommerce and the massive reduction in online crime as the bad guys are permanently locked out.
If government advisers were serious about reducing terrorism, they would advise a different foreign policy, which is the root cause of the terrorist problems facing Britain.
For example, Libya, had it been left untouched, would have prevented the immigration crisis facing the EU. The consequences of bad policy are the root cause of the west’s problems, not encryption, and breaking encryption for everyone will not solve them. In fact, it will cause a cascade of knock on effects and another class of unintended consequences that will effectively end Britain’s place as a centre of tech for the foreseeable future.
President Trump must absolutely reject the voices that are using fallacious arguments to get new damaging laws passed. If he does not, America faces damage of its tech sector, as building products that are safe for consumers will be impossible in the US. The world has changed; not even the Communist Chinese are suggesting that global standard encryption tools be back doored, and they are using all the same software that is used in the west to protect their websites and communications.
We should not have to go through this process again and again every time there is a media frenzy over a killing spree. Someone in Trump’s government must be hired for the sole purpose of bringing sanity to their pronouncements on everything related to software. Perhaps it’s time for a cabinet position for this, which should be held by a member of industry elected by the software industry, and not a layman. This should be done before another suicidal piece of legislation is enacted, that at the very least, will waste everyone’s time defending their business models against it, and at worse, trigger a “Tech Exodus”.
