Decrypting Amber Rudd

1 Aug, 2017 Facebook, Microsoft, Twitter, and YouTube (Google/Alphabet, Inc) have formed the Global Internet Forum to Counter Terrorism and Amber Rudd is asking them to quietly drop end-to-end encryption from their products. You should not believe a single word any of those companies tells you about end-to-end encryption or privacy on their platforms ever again. PS. WhatsApp is owned by Facebook.

Rudd: “conversations between the tech companies and Government … must be confidential.” Photo courtesy: The Independent

A Ruddy Snoop

Amber Rudd’s column on encryption in yesterday’s Telegraph is so full of spin that it would make an electron jealous. It’s clear that Rudd (who once famously mixed up the cryptographic concept of hashes with hashtags) isn’t a fool when it comes to this subject. She’s malicious.

It’s not that she doesn’t understand mathematics or how cryptography works. Rather, she – and the UK government – are on a determined mission to strip British citizens of their fundamental human right to privacy and implement a surveillance state. Sadly, she is not alone in this, with recent calls by Theresa May, Chancellor Merkel and Emmanuel Macron for similar regulation on a European/global scale.

Given the gravity of what’s at stake – which is nothing less than the integrity of personhood in the digital age and the future of democracy in Europe – I want to take a moment to break down her article and address each of her points separately.

A bit of a spoiler, if you’re short on time: The most worrisome part of her article is the second part, in which she reveals that she has created the Global Internet Forum to Counter Terrorism with Facebook, Microsoft, Twitter and YouTube (Google/Alphabet, Inc.) and asked them to remove end-to-end encryption from their products (remember that Facebook makes WhatsApp) without telling anyone. This has dire ramifications for what you can expect in terms of freedom from government surveillance on these platforms. If you’re short on time, feel free to skip directly to Part II.

Part I: Conflating public and private; mass surveillance and traditional policing

Amber begins by conflating the battle against public online propaganda by terrorist organisations with a need to access the private communication of the general population. She also calls for mass surveillance, which we know doesn’t work, and stays strangely silent on community policing, which we know does.

Rudd: We don’t want to ban encryption, but our inability to see what terrorists are plotting undermines our security

Translation: We want to ban encryption and if we do we will be better equipped to catch terrorists.

Where should we start? Does it matter that you’re more at risk dying from falling out of bed than you are from terrorism? Or that mass surveillance – which is what Rudd is calling for – is wholly ineffective in thwarting terrorism? (After all, when you’re looking for a needle, the last thing you need is a bigger haystack.)

Here’s what renowned cryptography expert Bruce Schneier says on the subject:

Because terrorist attacks are so rare, false positives completely overwhelm the system, no matter how well you tune. And I mean completely: millions of people will be falsely accused for every real terrorist plot the system finds, if it ever finds any.

If you’re still not convinced and feel that the UK government should have the right to spy on everyone, you can stop worrying. Because they already do. They got the power to compel technology companies to implement backdoors on all communication technologies with the IP Act (previously known as the IP Bill or, more colloquially, the snooper’s charter). You may not have even heard of it as it passed relatively quietly and without opposition from Labour.

So your rights have already been lost. What Rudd is doing here is preparing for you for when they decide to put the rights they already have into practice.

Rudd: Awful terror attacks this year have confirmed again how terrorists use internet platforms to spread their vile ideology, and to inspire and to plan their acts of violence.

Translation: We want to scapegoat the Internet as the root of the problem with terrorism.

The Internet is not the underlying cause of terrorism. According to Emily Dreyfuss in Wired, “experts agree it does not cause terrorism, or even do much to radicalize.”

Emily goes on to say:

Terrorism researchers note that violence in Europe and the UK follows a familiar pattern, one that can teach governments how to counter the problem if they expend money and resources where they can do the most good. Most European jihadis are young Muslims, usually men, living in poor neighbourhoods with high unemployment. They often are second- or third-generation immigrants from countries they have never lived in, they are not well-integrated into society, and they are unemployed or poorly educated. Their lives lack meaning and purpose.

Rudd continues:

Rudd: Nearly every plot we uncover has a digital element to it. Go online and you will find your own “do-it-yourself” jihad at the click of a mouse. The tentacles of Daesh (Isil) recruiters in Syria reach back to the laptops in the bedrooms of boys – and increasingly girls – in our towns and cities up and down the country. The purveyors of far-Right extremism pump out their brand of hate across the globe, without ever leaving home.

All of the above are examples of public information that is freely accessible on the Internet. You don’t need backdoors or to weaken encryption for law enforcement to access them. In fact, the whole idea is that they are easy to find and access. Propaganda would be rather useless if it was impossible to find.

Rudd: The scale of what is happening cannot be downplayed.

Translation: The scale of what is happening cannot be any more over-exaggerated.

Remember the earlier statistic about how you’re more likely to die from falling out of bed than at the hands of a terrorist? ’nuff said.

Rudd: Before he mowed down the innocents on Westminster Bridge and stabbed Pc Keith Palmer, Khalid Masood is thought to have watched extremist videos.

First off, the Telegraph article in the link Amber provides doesn’t once mention Khalid Masood watching extremist videos (on the Internet, the Web, via an encrypted service of some sort, or anywhere else). Perhaps Rudd figured no one would actually read it to check. In fact, searching the Web, I couldn’t find a single article stating Khalid Masood watched extremist videos online. And even if he did, they are another example of public material that the government would not have needed backdoors or weakened encryption to access.

What I did find, however, was that Masood “was investigated by MI5 for ‘violent extremism’ but was ruled out as a threat by security services.” So, if anything, this is a perfect example of where eroding the rights of everyone in society with mass surveillance would have had absolutely no impact in catching him. He was already known to the intelligence service and judged not a threat.

And that’s not an isolated incident. An article in The Conversation from 2015 states:

A recurring problem is prioritising and analysing the information already collected. It’s no longer remarkable to discover that terrorists are already known to police and intelligence agencies. This was the case with 7/7 bombers Mohammed Siddique Khan and Shezhad Tanweer in London, and some of those thought responsible for the Paris attacks, Brahim Abdeslam, Omar Ismail Mostefai and Samy Amimour.

More recently, the five terrorists that carried out attacks in London and Manchester were all “known to police or security services”. One of them was featured unfurling an ISIS flag in a C4 documentary. The term we keep hearing over and over again is “slipped through the net”. Perhaps what we should be concentrating our efforts on is making the holes in the net smaller and finding better ways to examine what’s in the net instead of making a bigger net.

Rudd: Daesh claim to have created 11,000 new social media accounts in May alone. Our analysis shows that three-quarters of Daesh propaganda stories are shared within the first three hours of release – an hour quicker than a year ago.

Again, public accounts. Used to spread propaganda. Encryption isn’t involved and backdoors would not help.

Rudd: Often, by the time we react, the terrorists have already reached their audience.

So stop cutting budgets for local police departments. Invest in community policing – the thing we know actually works – and you might begin to change that fact. Encryption isn’t the enemy here, but your government’s toxic policy of austerity that has left local police forces in “a ‘perilous state’” is:

Forces are struggling to cope with the number of wanted suspects. HMIC found that 67,000 wanted suspects had not been placed on the police national computer (PNC). In addition, as of August, there were 45,960 wanted suspects on the PNC, including those being sought for offences including terrorism, murder and rape.

Instead of focusing on this, Amber’s goal is to distract us with The Big Bad Internet. Speaking of which…

Rudd: The enemy online is fast. They are ruthless. They prey on the vulnerable and disenfranchised. They use the very best of innovation for the most evil of ends.

Bluster! Hyperbole! Sensationalism!

Be afraid… be very afraid…

(No, thank you.)

Rudd: That’s why I called the internet companies together in March to start to work out how we can start to turn the tide. And they get it.

Which Internet companies, Amber? Could it possibly be the ones that already track, analyse, and monetise our every move? The same ones that erode our privacy on a daily basis? Of course they get it! They’re in the same business. As Bruce Schneier famously said, “The NSA didn't wake up and say, ‘Let's just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let's get ourselves a copy.”

Your problem, Amber, is that these companies don’t want to share all their data and insight with you. In places, they’ve even designed parts of their systems so that they could not even if they wanted to because they don’t have the data to begin with. (Apple, whose business model sets it apart from Google and Facebook, is known to design its systems this way whenever possible but has also recently demonstrated that it will throw its users’ privacy under the bus if an oppressive government asks it to.)

Now don’t get me wrong, Google and Facebook (to take two of the biggest people farmers) don’t give a rat’s ass about our privacy any more than Rudd does. But what Amber’s asking for is free use of their assets (which is what our data is to them). They don’t necessarily like that but they have been known to go along with it if they have to.

More importantly, however, what Rudd’s asking for makes it impossible for services that do genuinely care about people’s privacy to exist. End-to-end encrypted communication tools like Signal, for example. Or decentralised communication tools like Tox.chat.

And perhaps most importantly, if the UK government gets its way and starts executing on the powers it already has with the IP Act, it will shut the door for those of us who want to build decentralised, zero-knowledge, interoperable, free and open systems by rendering them illegal. And the future of democracy in the digital age depends on their existence.

Rudd: Working with the Government’s Counter-Terrorism Referral Unit, 280,000 pieces of terrorist content have been taken down since 2010, and millions of accounts closed.

Good! So, Amber, you’re saying that the steps you’re taking in tandem with technology companies to combat public propaganda by terrorist organisations is working. And all without the need for weakening encryption or introducing backdoors into communication systems. Carry on, then!

Rudd: But there is much more that must be done. So back at that meeting in March, the world’s most powerful technology companies stepped forward to say they would form the Global Internet Forum to Counter Terrorism.

It is not the role of multinational corporations to police the world’s citizenry. Of course, they’d love to amass even greater data and insight about the world’s population, legitimise their existing corporate surveillance infrastructure, and exert even greater control. This is a future we must avoid at all costs.

In the name of fighting a risk that is statistically negligible, we are talking about creating a global panopticon the likes of which the world has never seen. In such a system, we can kiss our individual freedoms – like freedom of speech and privacy – and our democracy goodbye.

Rudd: Today the Forum meets for the first time, and I am in Silicon Valley to attend.

Not only are you arguing for companies to collude with governments to play an active role in the surveillance of ordinary citizens but you are doing so with American companies, thereby officially sanctioning the involvement of foreign corporations in the policing of British citizens. (Merkel and Macron want to erode the rights of EU citizens in the same manner if they can get away with it.)

Rudd: The internet companies want to go further and faster in finding technology solutions to identifying, removing, and halting the spread of extremist content.

Fine! That still doesn’t require backdoors or the weakening of encryption. You’re again talking about public content.

We could have a much longer argument sometime about who gets to label what extremist content is and what happens when the algorithms get it wrong and flag someone as having posted extremist content when they haven’t (and thereby imply that they are an extremist when they’re not).

Today, it’s American corporations that define what is and what isn’t acceptable content on the Internet and that’s part of a much larger problem. We lack a digital public sphere as the Facebooks and Googles of the world are private (not public) spaces – they are shopping malls, not parks.

What we should be doing is funding the creation of public spaces online and encouraging individual sovereignty and a healthy commons. Of course, you, Ms. Rudd, are a million miles away from championing that sort of initiative but some of us are working to create the opposite of the world you want as we speak.

Rudd: They should be commended for that and they should know we will be holding them to account. But that is not where our challenge ends. For beyond the harmful content that is openly available, there is that which we cannot see, in the form of encrypted data.

Ah, and there it is! Halfway into the article, Rudd pivots from the government’s successful battle against the online spread of public propaganda by terrorist organisations to their belief that they need to eavesdrop on the private communications of every citizen on the Internet in order to keep us safe.

Part II: The war on end-to-end encryption and the complicity of Facebook, Microsoft, Twitter, and YouTube (Google/Alphabet, Inc.)

This is where you should sit down if you’re prone to getting dizzy because Ms. Rudd is about to outdo a whirling Dervish. She is also about to drop a bombshell that has dire ramifications for your privacy if you use services by Facebook, Microsoft, Twitter, or YouTube (Google/Alphabet, Inc.)

Rudd: Encryption plays a fundamental role in protecting us all online. It is key to growing the digital economy, and delivering public services online.

Exactly, Amber. And that should be the end of the story right there. There really is no “but” about it.

But…

Rudd: But, like many powerful technologies, encrypted services are used and abused by a small minority of people.

Yes, so…

Rudd: The particular challenge is around so called “end-to-end” encryption, where even the service provider cannot see the content of a communication.

Also known as the only type of encryption that guarantees you privacy today. (At least in the short term, that is, until orders of magnitude advances occur in computing power or new vulnerabilities are discovered in cryptographic algorithms).

As an important aside, the other important element of privacy that we rarely discuss is decentralisation. The more we keep our information away from centralised silos, the more expensive mass surveillance becomes – just like with encryption. Combine the two and you’re well on your way to protecting human rights in the digital age.

Rudd: To be very clear – Government supports strong encryption and has no intention of banning end-to-end encryption.

Ah, good, so we can just leave it there and all go home now…?

Rudd: But the inability to gain access to encrypted data in specific and targeted instances – even with a warrant signed by a Secretary of State and a senior judge – is right now severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.

Yes, but, that’s a fact of life. You can’t have both…

Rudd: I know some will argue that it’s impossible to have both – that if a system is end-to-end encrypted then it’s impossible ever to access the communication. That might be true in theory. But the reality is different.

True in theory? Ms. Rudd, it’s true in theory, in practice, here on Earth, on the Moon, and in outer space. It’s true, period.

“But the reality is different” has to be Amber Rudd’s spirited attempt to outdo Australian Prime Minister Malcolm Turnbull in the competition for the dumbest thing ever said about encryption. Mr. Turnbull’s own contribution was his recent comment that “the laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

Turnbull and Rudd are, of course, speaking from the same playbook. It’s also the same handbook that May, Merkel, and Macron are using too. And Turnbull hinted as to what it contains when he followed up his illogical argument, quoted above, with “what we are seeking to do is to secure their assistance” (where “their” refers to technology companies).

Rudd goes into greater detail in her next passage:

Rudd: Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called “back doors”. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and “usability”, and it is here where our experts believe opportunities may lie.

Translation: What we are asking is for technology companies not to use end-to-end encryption.

And so we have the crux of Rudd’s argument: that technology companies should, of their own accord, erode the security and privacy of the people who use their platforms by not implementing end-to-end encryption. And, beyond that, to distract them from the fact by creating convenient and delightful experiences.

Needless to say, this is not a million miles off from what Silicon Valley companies that farm people for data do today. In that, what Rudd is saying to companies like Google and Facebook is this: “Hey, you already lure people in with free services only to farm them for data. We want you to keep doing that but do so in a way where we too can access both their metadata and the content of their communications. And, don’t worry, people won’t notice just as they don’t notice today that you’re essentially baiting them with candy so that you can spy on them.”

Also, the concept that we must make “trade-offs between security and ‘usability’” is a false dichotomy. A new generation of secure and privacy-respecting apps like Signal prove that no such trade-off is necessary. In fact, it is Rudd, here, who is willfully perpetuating that myth and telling technology companies to use it as an excuse for willfully leaving the people who use their products vulnerable to government surveillance.

You need only think for a moment to understand that Amber’s argument falls flat of its own merit. She asks “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly

user-friendly and cheap way of staying in touch with friends and family?” Let’s ask the question back at her: “Who doesn’t use WhatsApp today because it being end-to-end encrypted makes it any less user-friendly?” (And, while we’re doing so, let’s not forget that Facebook – who owns WhatsApp – makes its money by knowing everything it can about you and exploiting that personal insight into your life to satisfy its profit and political motives. Let’s also not forget that metadata – who you’re talking to, how often, at what times – is not encrypted in WhatsApp and that WhatsApp shares data with Facebook and your conversation behaviour and phone number are linked to your Facebook profile.)

Rudd: So, there are options. But they rely on mature conversations between the tech companies and Government – and they must be confidential.

Translation: When companies remove end-to-end encryption from their products, we don’t want them to tell their users.

This should send a chill down your spine.

The services that Rudd is talking about – like WhatsApp – are proprietary, closed-source applications. That means that even other programmers have no idea what exactly they are doing (although there are ways to try and find out by reverse engineering them). The reason most people trust WhatsApp’s end-to-end encryption is because a highly-respected cryptographer by the name of Moxie Marlinspike implemented it and told us it’s cool. The thing with applications, however, is that they can (and do) change at a moment’s notice. WhatsApp can remove end-to-end encryption from its tools tomorrow and not tell us and we’d be none the wiser. In fact, this is exactly what Amber Rudd is asking Facebook and other companies to do.

So, in light of this, two things need to happen:

You should take note of the companies that are part of the Global Internet Forum to Counter Terrorism and never trust another word they say to you about the encryption and privacy features of their products. These companies are Facebook, Microsoft, Twitter and YouTube (Google/Alphabet, Inc.) Information security experts must not vouch for the end-to-end encryption in these products unless they can commit to personally verifying every build that is released. To prevent further harm, individuals such as Moxie Marlinspike, who have previously vouched for companies such as Facebook and Whatsapp, must publicly distance themselves from these companies to prevent them from becoming complicit in government surveillance. It only takes one build to silently disable end-to-end encryption, and this is exactly what Amber wants.

Rudd: The key point is that this is not about compromising wider security.

These actions would entirely compromise the privacy and security of activists and the most vulnerable groups in society.

Rudd: It is about working together so we can find a way for our intelligence services, in very specific circumstances, to get more information on what serious criminals and terrorists are doing online.

Again, neither removing end-to-end encryption nor installing backdoors is necessary to combat terrorism. If Rudd does want to catch terrorists, she should try not defunding local police departments that have been the only effective means of doing so. I wonder if Rudd even realises that by calling for the removal of end-to-end encryption from online communication tools she is effectively opening the content of people’s communication to constant surveillance by – at the very least – the companies providing and hosting the services. Not to mention leaving them open to being compromised by other nefarious parties, including hostile foreign governments.

Rudd: The responsibility for tackling this threat at every level lies with both governments and with industry. And we have a shared interest: we want to protect our citizens and we don’t want platforms being used to plan ways to do them harm. Today’s meeting of the Forum is the next step towards achieving that mission.

I have nothing new left to say, and neither does Rudd.

Instead, I’ll end by repeating this:

What Amber Rudd wants will not make you safer. It will not protect you from terrorists. What it will do is make it easier for governments to spy on activists and on minority groups. What it will do is make all of less safe and lead to chilling effects that will destroy what little democracy we have left. It will result in a surveillance state and a global panopticon the likes of which humanity has never seen.

As for the companies that are part of the Global Internet Forum to Counter Terrorism – Facebook, Microsoft, Twitter and YouTube (Google/Alphabet, Inc.) – only a fool would trust a single word that comes out of their mouths about end-to-end encryption on their platforms or about the privacy features of their apps. Given what Rudd has said, consider that any end-to-end encryption they say they have today may be disabled and compromised, without your knowledge, during any app update at any time in the future.

This is especially worrisome for Facebook’s WhatsApp, which some people regularly recommend activists to use.

Given what Amber Rudd has said and what we now know about the Global Internet Forum to Counter Terrorism, anyone who continues to recommend WhatsApp as a secure means of communication to activists and other vulnerable groups is being profoundly irresponsible and actively endangering the well-beings, and quite possibly the lives, of these people.

PS. Thanks for all your hard work, Amber. You muppet!

(An actual, non-sarcastic thank-you to Laura Kalbag for laboriously reading through and editing this piece.)