Why a seemingly sensible proposal to compel back doors in Internet communications apps is a bad idea.

Dear Prime Minister Cameron:

You recently proposed that Internet apps be required to make users’ communications accessible by state authorities. I want to explain why this is a very bad idea even though it might seem like a no-brainer.

You said:

I have a very simple principle which will be the heart of the new legislation that will be necessary. In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said: ‘No, we must not’. That is why in extremis it has been possible to read someone’s letter, to listen to someone’s telephone, to mobile communications. … But the question is: are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: ‘No we must not’.

President Obama appears to agree with you.

Heads of government bear the burden of keeping their populaces safe. That’s a crushing responsibility. Police solve violent crimes — and intelligence agencies predict and avert them — largely by intercepting the conversations of people conspiring to get away with them.

For at least thirty years democracies have kept eavesdropping within bounds by requiring a warrant or some other form of meaningful review before setting up something like a wiretap. As telephone companies upgraded to digital (but still not Internet-based) networks in the 1990s, governments around the world began to require that the new networks still allow for authorities to listen in to calls. The rationale was simple and generally uncontroversial: so long as the government respected the rule of law, its demands for information shouldn’t be trumped by new technological facts on the ground.

Why, then, you reasonably ask, should that long-established balance between security and privacy be disturbed simply because the Internet has replaced telephony? The answer, it turns out, is that baking government access into all Internet apps will in fact not extend the long-established balance between security and privacy to all mediums of communication. It will upend it.

Here are four reasons why:

1. The Internet’s open ecosystem is fundamentally different from the closed world of telephony — so you can’t copy and paste the old order.

First, the landscape of Internet communications apps is profoundly different from telephony, where lawful intercept’s habits were honed. Traditional telephone systems were run by a single large company or by governments themselves. They overwhelmingly served the single purpose of letting people talk to each other at a distance, and the experience of using a phone in 1990 was hardly different from that of using one in 1950. A stable service run by a big company is susceptible to government regulation with little friction. Supporting lawful eavesdropping was done with no impact on telephony’s basic model — and often governments would pay to offset any costs incurred in keeping phone lines open to tapping.

Credit: reynermedia (flickr) — CC-BY

The Internet evolved in a wildly different way. It supports applications written by anyone, and a new application can become popular in a heartbeat. Some people write and share apps for fun rather than money. To restrict how one might build an Internet application that enables person-to-person communication — that is, nearly all of the hundreds of thousands of apps out there — would require that software developers be professionals who can hire compliance attorneys, or else risk breaking the law.

In the worst case, software development would be relegated to a handful of incumbents ready to form the kind of partnerships with governments that sophisticated phone companies do. Facebook, Google, and Microsoft could cope (if unhappily) with that, but software authors and service providers the next tier down would be hugely disadvantaged. The best case from the pro-government-access point of view would be one where app authors across the spectrum give up on encryption entirely. Instead of orchestrating a complex scheme of scrambling communications to all but the parties and a government, there’d be no scrambling at all. That best case is a nightmare for the public’s — and therefore national — security: it exposes their communications to anyone ready to hack. Lawful telephone eavesdropping wouldn’t have come about if it meant that it would be easy for others — even those at a distance — to also listen in on a conversation.

2. Comprehensive app regulation is either self-defeatingly leaky or unacceptably intrusive.

Second, again unlike telephony, Internet users who don’t like the way an app works can choose to use another.