Security services don’t need a master pass-key for all encrypted communications, but IT companies should do their bit, argues GCHQ’s Robert Hannigan
The impression that there’s no common ground between IT companies and law-enforcement authorities on the issue of encryption is a “caricature”, GCHQ director Robert Hannigan told the Massachusetts Institute of Technology (MIT), emphasising that cooperation between the two sides is in reality “routine”.
In a talk before about 150 people at MIT’s Internet Policy Research Initiative, Hannigan, making only his second appearance at a public forum since he took the role in 2014, argued it’s inevitable that IT companies will continue to aid governments to find ways around security barriers such as encryption.
No encryption master key
But he acknowledged that the problem has no straightforward solution, and it will more likely be necessary for law enforcement and government intelligence bodies to resolve issues on a case-by-case basis.
“I am not in favor of banning encryption, nor am I asking for mandatory backdoors,” he said, according to MIT Technology Review.
Cases such as the current stand-off between Apple and the FBI, in which the US Department of Justice (DOJ) is asking Apple to weaken the password protection on an iPhone belonging to a suspect in the December San Bernardino, California shootings, show that investigators can be provided with tools that have an effective, but limited scope, Hannigan argued.
“Not everything is a back door, still less a door which can be exploited outside a legal framework.”
He asserted that it’s likely investigators will always be able to find ways into protected devices and communications, even without access to a “master key”, simply by exploiting weaknesses that already exist in such systems.
Such weaknesses will always exist, in part because they’re necessary to make those systems usable, Hannigan said.
“I’m not sure it is certain that [companies] will construct systems that make [access] impossible,” he is quoted as saying. “Not least because then their own users will find it difficult” to use the devices.
His comments echo the findings of a recent study by Harvard’s Berkman Center for Internet & Society, which concluded that, in practice, investigators will always be able to find ways of acquiring the data they need, in part because a certain amount of data must always be exposed in order for communications systems to function and to be usable.
Hannigan made it clear that in spite of appearances, IT companies frequently aided law enforcement officials to access data held on mobile devices before device security policies were tightened two years ago, and they continue to do so now.
“The perception that there is nothing but conflict between governments and the tech industry is a caricature,” he said. “In reality, companies are routinely providing help within the law and I want to acknowledge that today.”
Hannigan claimed investigators are by and large targeting only the “abuse of encryption” by criminals and extremists: “It should be possible for technical experts to sit down together and work out solutions. Sometimes there will be nothing we can do and we will have to accept that. But those surely should be the exceptions.”
Apple is currently resisting efforts by the FBI to force its cooperation in the San Bernardino case, and the tangle between the two has helped give the encryption issue a high profile.
The 2012 disclosure of mass surveillance and data-gathering practices by the US’ NSA drew public attention to the privacy issues around digital communications, leading many IT companies to introduce additional layers of security.
The controversial draft Investigatory Powers bill includes provisions on encryption that would oblige companies to assist investigators in the removal of encryption that they themselves have put into place.
Are you a security pro? Try our quiz!