What happened to the Investigatory Powers Bill?

Wednesday 08 June 2016

Strong encryption is critical for crypto, the web, and secure communication in general. Is anyone clear where we stand on this now?

Infinity is a big number. So big, in fact, it’s not really a number at all. It just sort of goes on forever.

For a four-year-old, such as my son, this is a problem. When you’re that age, you want simple, clear answers that make sense to your four-year-old mind. Can I have another biscuit? Can I watch TV? Can we make a rocket and go to the moon? What’s the biggest number?

What?! There’s isn’t a biggest number?!

Now, this obviously represents a serious oversight in Grown-up Maths. The elegantly brilliant solution he came up with was to designate a number as the Largest Number, and give it a name: Dymation. And when, in a complicating grown-up maths way, I asked him what Dymation plus one is, he replied, ‘You can’t do that.’ Dymation is the largest number. It just is.

It’s an excellent solution to a thorny mathematical problem, at least in four-year-old logic: decree, by fiat, that a number is the largest, and stop anyone from counting higher. You just can’t. Dymation is the largest number. End of story.

iPhone

The FBI has managed to circumvent Apple's end-to-end iPhone encryption

Now, anyone who has had their ear to the web over the last few months (not so many - 72% of Britons apparently have no clue about it) will know that the UK government is pushing through their Investigatory Powers Bill, which attempts to clarify the law on surveillance, data collection and so on, making our treatment of the web fit for the 21st century. And frankly, it hasn’t so far been inspiring. It's due for discussion back in Parliament this week.

Early comments by PM David Cameron included a suggestion that we might ban strong encryption. ‘In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications… The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not. The first duty of any government is to keep our country and our people safe.’

Since strong encryption is just a particular form of maths, this is akin to suggesting the government should ban long division or quadratic equations. It’s Dymation, by any other yardstick: a fiat declaration that something rooted in the laws of physics and maths is undesirable, and therefore ‘You can’t do that. End of story.’

Things have shifted a little since then, and one suspects a few better-informed advisors have lent their thoughts to the debate. But still, the most recent iteration is full of problems, as a cluster of big tech companies (including Google, Microsoft, Apple, Facebook, Twitter and Yahoo) have raised in evidence submitted. ‘Our companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide. The Bill provides for the power to issue technical capability notices requiring, among other things, the removal of electronic protection where reasonably practicable. The Bill should be amended so that there is an explicit threshold: where a service is encrypted end-to-end, the Bill should recognise it will not be reasonably practicable to provide decrypted content, rather than leave this to be established on a case-by-case basis.’

This is a fast-moving area, as the ‘FBiOS’ case shows: encryption is an arms race between tech companies, security services, researchers and cyber criminals. Today's secure system is tomorrow's research paper, the next day's theoretical and then practical exploit, and finally the hacker's tool of choice. There's going to be a LOT of interest in how the Fed circumvented Apple's security, not least by Apple themselves because they know where it could lead.

This is potentially an issue that could affect almost any cryptocurrency business, since messages can be communicated using the blockchain in various ways. And when you’re talking about protocols that circle the planet, well, you really need to be on top of your regulatory game. Dymation just doesn’t do it any more.


comments powered by Disqus