The new avatar of the encryption wars
The government has proposed a new bill to regulate mathematics. The bill envisages that certain mathematical operations such as multiplication, division, LCM and GCD would be banned, if they are prime numbers and have more than 309 digits and a licensing regime, which would only allow licensed entities to perform these operations.
If the above reads like a parody, it may soon cease to be and become reality.
An Australian Prime Minister, Malcolm Turnbull declared in 2017 that, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia”.
In a joint communique issued on October 11, 2020, the Five Eye nations (United States, United Kingdom, Australia, New Zealand, Canada), along with Japan and India, stated, “Particular implementations of encryption technology... pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children” and called upon technology companies to enable “law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight”.
The specific implementation of encryption technology that has worried governments the world over is the Signal protocol (E2EE), which guarantees that even intermediaries who provide these services will not be able to decrypt these messages in transit. It also guarantees plausible deniability, where if someone receives an encrypted message from you, they can be absolutely sure you sent it (rather than having been forged by some third party), but can’t prove to anyone else that it was a message you wrote.
A variation of their anxieties played out in India, in the “WhatsApp traceability debate”, where the government pushed for traceability (Tell me who the sender is), but also said that it does not want to break end-to-end encryption, an impossible request, as sender deniability is at the heart of the end-to-end encryption. When repeatedly rebuffed by WhatsApp, an attempt was made to resolve the matter through the judicial system to compel the intermediaries (WhatsApp) to stop deploying messaging systems that use E2EE.
Given this background, the use of children in the statement to build a case for banning E2EE is interesting because it uses a propaganda technique called Pedophrasty, where children are invoked to prop up an argument, and make the opponents against the argument look like unprincipled savages and make everyone else suspend all rational and critical thinking, and agree to the argument.
But we must not agree to this dangerous set of proposals, as they are a continuum to the encryption wars, which started in the 1970s, where Western governments tried to limit use of encryption technologies by using export controls and ultimately failed.
In the 1990s, the National Security Agency in the US proposed the use of “Clipper Chip” in every phone, which implemented encryption but gave backdoor access to the US government. After Matt Blaze showed how rogue applications can use the chip to access data without the government backdoor, this attempt was abandoned.
In 2010, Google published a blog post, detailing how Chinese state backed hackers, attacked Gmail to spy on Chinese human rights advocates via a backdoor, installed by Google at the behest of the US government in Gmail to comply with search warrants on users. When Ericsson put backdoors into Vodafone products and deployed these in Greece for aiding law enforcement, these backdoors were used to spy on the Greek prime minister, by unknown perpetrators, who were never found.
All these incidents point out two fundamental realities. The first one is that backdoors are always dual-use and can be used by anyone and, hence, they don’t keep anyone safe. The second is that E2EE is safe and easy enough for anyone to use and hence has achieved mainstream adoption. This has made the usual approach preferred by law enforcement agencies of coercing intermediaries to put backdoors irrelevant and obsolete.
Outlawing E2EE deployment and forcing intermediaries to comply with these proposed rules or leave the country by threatening to shut down their business operations, hence, may become the preferred policy response. But these rules, even if they become the law everywhere, are doomed to fail, in the same way, the discovery of irrational numbers (square root of 2) could not be suppressed by drowning its inventor Hippasus, in the sea, as it takes only a rented computer at ₹700 a month to run a back-end service implementing E2EE.
If existing intermediaries are forced to abandon it, others like EncroChat (popular among drug cartels) will step in and fill the void. The busting of EncroChat, when law enforcement agencies successfully penetrated the drug cartels by putting a “tool” in its servers, also indicates that it is possible to work around E2EE in some cases, using offensive technical measures by compromising endpoints. It would also be a far more proportionate measure than attempting to ban mathematical equations.
Anand Venkatanarayanan researches disinformation, cyber weapons and data security and is a privacy advocate
The views expressed are personal