If you outlaw encryption, only outlaws will have encryption

There’s a dangerous little idea floating around about the encryption debate, that it is a battle between realists who want to protect us and privacy-obsessed geeks who don’t want government messing with their toys. 

This is utterly, hopelessly wrong. The encryption debate is not really about civil liberties at all. If the issue really was just whether GCHQ should be allowed to look at your messages while looking for jihadis planning murder, you’d get much less resistance from people like us. Privacy is an important freedom, but so is the freedom not to be murdered on a night out. We need to compromise.

No, the real issue here is that there is absolutely nothing the government can do to stop jihadis from keeping their communications secret, no matter what laws they pass. Encryption is simply not something you can stop people who are willing to break the law from using.

You can, of course, ban Facebook and WhatsApp from using end-to-end encryption, which encrypts messages in such a way that only the two users can decrypt and read them. (This, by the way, is why news reports about WhatsApp “refusing” to disclose dead terrorists’ communications are nonsense – they have no more way of decrypting them than you or I do.)

You can force Apple and Microsoft to put backdoors into their software, which only government agents can use to pry into your activity. Only government agents, that is, until the backdoors are discovered by the guys behind the WannaCry ransomware hack that brought the NHS down for a few days. When you add a backdoor, you effectively turn a system with two points of vulnerability into one with three, the extra one being a shared vulnerability that puts all users of a service at risk. (Let’s assume for argument’s sake that these firms actually comply with HM Government instead of quitting the UK altogether, which is far from certain.)

That is to say, you can make it so that no law-abiding person can use encryption without breaking the law.

But you cannot stop people who are determined to use encryption from doing so. This is because it is not very difficult to set up extremely strong encryption all by yourself, without the assistance of an app. As Ken Tindell shows here, a few lines of code can build an end-to-end encryption system that will be nearly impossible for others to crack.

And since the British government does not actually control the internet, it will not be able to stop people from downloading apps like Signal. These are designed with the specific intent of letting users avoid government surveillance, something that comes in handy for people in Russia, Venezuela and Iran, and I’m quite happy that they can communicate without their governments listening in. You can stop these apps from being hosted on the Google app store, but you cannot stop people from downloading and installing them themselves. ISIS has already made its own encrypted messaging app called “Alrawi”. 

The best argument I can think of is that, even if banning stuff like end-to-end encryption doesn't stop terrorists from using it, it does make it much easier for the security services to see who is using it – the amount of encrypted traffic is much smaller and now you know the people using it are law-breakers. This is still not that persuasive: if you use a VPN located outside the UK, it's very difficult to track down who is behind the encrypted communications.

Here in Britain the costs of ordinary users not having this sort of protection are more mundane: your financial details and private conversations will be less safe. Major companies like LinkedIn and Adobe have been hacked on a massive scale. Most people, even the ones who never break the law, would not like their private photos or WhatsApp and Facebook chat histories to be leaked online. Would you?

Let me repeat: there is nothing we can do to stop people from encrypting their communications this way. This is a practical point, not a principled one. We can block websites, we can ban apps, and we can insert backdoors. It will rob normal people of a valuable defence against malicious attacks, but none of it will stop bad people from using a few lines of code to keep their plans secret.

It needs to be said again and again: if you outlaw encryption, only outlaws will have encryption.