Defending encryption doesn’t mean opposing targeted surveillance

David Omand, the former head of British spy agency GCHQ, has made an extraordinary threat. Speaking earlier this week, he said that if companies such as Apple and Google don’t abandon their end-to-end encryption efforts, intelligence services will have to employ more “close access” surveillance on people they suspect of evil deeds.

This means physical observation, or bugging rooms, or hacking into phones and computers. According to Omand, such actions are “more targeted but in terms of intrusion into personal privacy – collateral intrusion into privacy – we are likely to end up in an ethically worse position than we were before.”

No, you’re not. Surreptitiously getting a key to a suspect’s communications is no more ethical than conducting close personal surveillance — but in the big picture, the latter is vastly preferable.

The ethics of spying

Targeted surveillance will always mean “collateral intrusion” into the privacy of people associated with a suspect, regardless of whether communications are read by having a master key or by hacking into client devices. Either way, communications with innocent people will probably be scooped up. When the master key mechanism means a weakening of security for the public at large, though, that option has the added downside of being dangerous and counterproductive.

Omand was spouting what is either a misinterpretation of the pro-end-to-end-encryption argument, or (more likely) a willful misdirection. His implication is that those who favor end-to-end encryption – which leaves your Apples and Googles without any keys to offer the spooks – are against the surveillance of people who want to blow things up.

That’s nonsense. I can’t speak for everyone, but I don’t personally fancy being murdered by terrorists, nor would I like anyone else to be. We do need to have intelligence services, and they do need to keep us safe.

However, strong encryption also keeps us safe from criminals and potentially foreign agents too (GCHQ and the NSA aren’t the only ones with mean hacking skills). Our ecommerce infrastructure wouldn’t work without it. A trustworthy internet will not work without it. The next-best alternative to end-to-end encryption is arguably the use of key escrow databases, which are inherently less secure. There’s a reason the U.S. government’s own cybersecurity department recommends people use end-to-end encryption.

That’s why we should ignore calls by Omand and David Cameron and Barack Obama and the EU’s counter-terrorism coordinator to abolish end-to-end encryption in communications tools, and why we should be deeply annoyed at the intelligence community’s surreptitious attempts to weaken encryption standards. Sure, security will always be an arms race — attackers make better attacks, so defenders make better defenses; rinse and repeat — but hyperconnected societies require state-of-the-art defenses for regular citizens.

The case for friction

There’s an added benefit to proper encryption technology, which may be the real reason spies and securocrats want it stamped out. Intelligence services can, to put it generously, get somewhat carried away, particularly when a framework such as the internet makes it so much easier and cheaper to spy on people’s communications than ever before, by encouraging everyone to live their lives on spy-friendly infrastructure.

This lack of friction makes mass surveillance relatively efficient and secretive, as there’s no need for a lumbering, conspicuous Stasi-like system (something that really had extra ethical downsides, creating a society based on mutual suspicion). When the secrecy associated with the agencies’ programs also leads to fewer judicial and political safeguards, an excess of efficiency may also encourage the overuse of targeted surveillance, because who would know?

In short, the internet’s opportunities for surveillance efficiency create the potential for intelligence agencies to become too powerful. End-to-end encryption adds friction and acts as a counterbalance. It doesn’t make targeted surveillance impossible – Omand himself noted that client device hacking and physical surveillance render encryption moot – but it does make it more resource-expensive, and therefore discourages its overuse.

We don’t want intelligence agencies to be unable to do their job. We do want them to focus more and even keep a more watchful eye on those who need watching — perhaps by diverting resources from mass surveillance efforts to targeted surveillance. We also want the necessary security underpinnings of our digital economy to be genuinely secure.

These things can and should coexist, and there’s no reason to inaccurately paint them as being in opposition. So, spies and law enforcement, please go right ahead and employ close access surveillance where it’s necessary. You have more support in that regard than you’re making out.

UK wants hot tech grads to do spy work before building startups

The British government is considering a program that would see the most promising tech graduates spend some time working for the GCHQ signals intelligence agency, the U.K.’s equivalent to the NSA, before they move into the private sector.

As per a Thursday article in The Independent, confirmed to me by the Cabinet Office on Friday, the scheme would give the U.K. a rough equivalent to the system in Israel, where many tech entrepreneurs have come out of Unit 8200 of the Israel Defence Force. Unit 8200 is also a signals intelligence operation, and the cybersecurity firm Palo Alto Networks is a notable spinout.

According to the Cabinet Office sources quoted in the Independent piece, the idea would be to “capitalize on the expertise in GCHQ in terms of IT commercialization” by creating “a secure space where business can work with GCHQ and build an eco-system between the two.” (Side note: For more security-related U.K. civil-service-speak, check out the brilliant Sir Bonar Neville-Kingdom spoof account on Twitter.)

In short, part of the attraction lies in the idea of making money out of GCHQ’s in-house spy tech. In Israel, some Unit 8200 technologies have ended up being commercialized through startups created by former members. The Cabinet Office reckons the same could be done in the U.K., particularly around cybersecurity technologies — Cabinet Office boss Francis Maude visited Israel in November and, I am told, came away with lots of ideas around “digital and cyber”.

No doubt GCHQ would also benefit from the fresh ideas bubbling away in the brains of U.K. tech’s future stars, not to mention the potential for continued links in the future.

Of course, all Israelis have to go through the army anyway, so funnelling bright young tech minds through the local spook house is a relatively easy task there. GCHQ and the Cabinet Office may have a harder time of convincing promising British techies to spend time hanging around spooks, particularly with GCHQ’s mass surveillance programs – illegal under international law — having been exposed by the leaks of NSA contractor Edward Snowden.

While GCHQ has remained tight-lipped about its specific activities, since the Snowden leaks it has made a couple attempts at publicity. In November its new chief, Robert Hannigan, attacked U.S. tech firms for “benefiting” terrorists by extending encryption across their products and networks, and in December it released a tablet app for kids to, er, teach them the basics of encryption.

NSA and GCHQ hacked into systems of oil body OPEC, Snowden leak says

The latest Snowden scoop, according to Germany’s Der Spiegel: the NSA and its British counterpart, GCHQ, have thoroughly infiltrated the computer systems of the Organization of the Petroleum Exporting Countries (OPEC). The NSA has already been shown to be spying on Brazil’s Petrobras.

Meanwhile, reports in Australia indicate the country’s intelligence agency – a regular partner of the NSA and GCHQ – spied on Japanese firms for the benefit of Australian companies during trade negotiations. Particularly favored were “firms that provide employment and cover for spy operatives.”