The encryption stand-off is getting weirder
Opinion: Governments have the powers they said they wanted, so why won’t they use them?
If you’ve ever wanted to see a real-world example of what happens when an unstoppable force meets an immovable object, you need only look at the stand-off between the tech industry and government over encryption.
In April 2024, European police again warned that the rollout of end-to-end encryption (E2EE) is making it harder to investigate crime and keep people safe. Tech companies, for their part, have insisted that the rollout of the technology is essential to keeping consumers safe and are in no mood to back down.
How did we get here? It’s a long story.
It used to be relatively easy for police to access emails or other communications they deemed necessary to their investigations. That’s because, while emails might be encrypted as they travel across the internet, they were also usually stored by the tech company providing the service in a way that the authorities could access.
The trouble is that – as was revealed a few years ago – many spy agencies around the world saw this rather trusting setup as an excellent opportunity to quietly scoop up as much data as they could, about everyone. And so, of course, they did just that.
Not everyone was happy about that, for understandable reasons.
This led to the introduction of E2EE by many tech companies. Once a message is protected in this way, it cannot be read by anyone until it arrives at the other end. There’s no database in the middle that tech companies can be made to hand over to the police, or that spy agencies and their hackers can target.
While this is good news for privacy, it’s bad news for law enforcement, which continues to argue that poring over these messages is a necessary step to preventing crimes from being plotted or carried out.
We find ourselves in a tricky situation. User messages are largely safe from snooping thanks to E2EE, and all the while police worry more about the fact that they can no longer see everything they’d like to. They argue for E2EE to be rolled back or somehow modified, so they can gain access through encryption 'backdoors' by design.
That’s led to a row between governments and police on one side, and tech companies and privacy campaigners on the other. As one has pushed, the other has responded – for example, the E2EE messaging app Signal saw a surge in users during a parallel rise in protests across the US and Europe in 2020.
No right answer on encrypted safety
What’s difficult about the encryption debate is that both sides see their actions as the ‘right thing’ to do. The government and the police are right: we cannot allow criminals to communicate in secret, with apps such as Telegram known to be popular among cyber criminals.
And yet, the privacy campaigners are right too. We cannot undermine the security of online communications simply so that police can comb through every message we send, and many criminal communities rely on the dark web rather than encrypted messaging apps.
That’s your immovable object and your irresistible force. None of this is to say the police and governments haven’t suggested a way forward (or rather, back). The trouble is, everything they suggest inevitably weakens security for everyone all over again.
For example, so-called client-side scanning would see tech companies adding features to effectively scan every image or every message for suspicious behavior before it was encrypted and sent. This neatly sidesteps the issue of breaking encryption, but creates another problem: a government-mandated scan of every message you send.
It’s not exactly hard to see how various global regimes could tweak the scan requirements to create an excellent way to crack down on protest.
Some governments have already enacted laws to force tech companies to provide their customers’ messages, regardless of whether they are E2EE or not. The strange part is governments don’t seem willing or able to use it.
In the UK, for example, the Online Safety Act effectively empowers the government to compel tech companies to hand over specific messages. But this can only be done without degrading the security of others, a feat the government itself has acknowledged is – at least for now – technically impossible.
Beyond the philosophical considerations, there is the harder reality. There are a small number of tech companies who are, in this situation at least, more powerful than governments.
If any government ordered them to remove E2EE there would likely be three main consequences.
First, most companies would stop providing services in that country. The encrypted messaging firm Signal threatened to leave the US in 2020, as it added its voice to opposition to the US EARN IT Act, which is similar in scope to the Online Safety Bill. But who wants to be the politician explaining why voters suddenly can’t contact their friends or colleagues anymore?
Second, that country would become one of the least secure places to do business online, with customers offered no legal avenue for completely secure messaging – hardly a claim that any government wants to make. Third, it would make it a lot easier for various regimes to make similar demands to crack down on dissent.
As a result, we are left in a weird situation, with police and governments warning about encryption but not wanting to do anything about it.
The government has a power it likely doesn't want to enforce. Police are losing access to the intelligence that helps them do the job of keeping us all safe. Tech companies will continue to add strong encryption because it’s now a standard feature for many.
The future for encrypted messages is uncertain
Perhaps chats with your distant relatives don’t really need state-of-the-art privacy tech. Others would argue we’ve already lost so much privacy in the information age that this small island of privacy is worth defending.
Either way, we’re unlikely to see the tech industry backing down on encryption, and in reality, there is little political will to force the matter. For now, it’s hard to know what would persuade tech users to give up on additional security, and even harder to know what would make tech companies change direction. Expect more broadsides against the tech industry, but little real action.
But now we know, at least, what happens when an unstoppable force meets an immovable object: a messy stalemate that serves nobody well.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.