End to End Encryption

End-to-end encryption of a communication system ensures that only the sender and the receiver(s) can read or meaningfully modify the message. Any intermediaries — even the service provider itself — see only “encrypted” garbage. They can, at most, know “metadata” about the message, such as the length, or who was communicating with whom. Some people compare this to being able to see the outside of an envelope but not the letter within.

But it’s more than just an envelope protecting the information. It’s mathematics! Imagine, if you will, a murder. Some letters are found, all written in a strange language. In Conan Doyle’s “The Adventure of the Dancing Men,” it took Sherlock Holmes to decipher such a script and find the murderer.

Inventing a secret language is rather difficult, except that we now have standardized ways to do it: encryption algorithms. Essentially, we have language-inventing software, which can create different languages based on a secret password. If you know the password, you can translate the language back into plain English. Today’s techniques produce incredibly secure ciphers that would leave even Holmes clueless.

Inevitably, every time an atrocity occurs, cryptographers hear the same argument. As David Cameron (then the Prime Minister of the United Kingdom) said after the Charlie Hebdo attack, “In our country, do we want to allow a means of communication between people, which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? … are we going to allow a means of communication where it simply isn’t possible to do that? My answer is no, we are not.” The justification, of course, was that these powers were needed by “intelligence agencies and security agencies and policing in order to keep our people safe.”

The “deal”, then, is this: You can communicate securely, as long as you make the encryption easy enough for The Government to decipher. Unfortunately, if something is easy enough for one person to decipher, then it is easy enough for many others. You cannot have one and not the other, since our government employees are not magically cleverer than their US, Chinese, or Russian counterparts, or the many cyber-criminals that prowl the internet. Broken security renders us vulnerable to anyone with expertise, not just some government agencies. Mathematical laws care little for the laws of any country.

A commonly proposed solution is for the government to have some kind of “exceptional access” or “backdoor”, such as a master key. This is difficult to do, both technically and operationally. What if the master key gets stolen? We are artificially introducing a critical weakness – a juicy target! Over the past few years, hackers have been able to steal everything from Angela Merkel’s emails to details of the F-35 fighter jet, to lists of people with US security clearances (SF-86 forms). Trusting governments with master keys when they haven’t been able to safeguard their own leaders, military technology, and security data, seems like a bad idea.

The global nature of computing further complicates this problem. Other governments are not going to sit around and use compromised systems – they’ll build their own and stop trusting software made by residents of other countries, essentially creating import control on software. How would multinational companies secure their data? Would they be required to provide keys (for traceability or decryption) to every local government, or, perhaps, a branch of the UN? The creation of a global body to govern these master keys presents a Herculean challenge. Further, nothing prevents the subversion of that new body.

Most importantly, if a criminal knows that some government has a master key to software #420, she’s not going to use it. She’ll find a system with no master key (these, of course, already exist). So, the only people who will end up suffering from a lack of privacy will be law-abiding citizens.

Practically every expert in the field believes that subverting cryptosystems is a terrible idea, morally, economically, and technically. Many people who don’t really understand how encryption works have come up with many good reasons for simple backdoors and opined that regulators and legislators must find a way to provide some privacy while allowing law enforcement access. This won’t work. Imagine a government insisting on structural changes to all aeroplanes while ignoring any advice from engineers. Yes, there are many good reasons for having backdoors (roll-down windows on aeroplanes might have many advantages), but the numerous fatal problems they create should have obviated this discussion long ago.

The fact is that legalising this — at least in its current form — is not only unethical but operationally impossible. However, the problems that law-enforcement agencies face are real and cannot be ignored. We need many more discussions between law-enforcement, cryptographers, civil society, and policy experts before we can come up with something that has a chance of working. We hope that CIPHER can facilitate some of these discussions, and look forward to building efficient, reliable, and deployable solutions.