UK spy chief calls for tech sector co-operation to combat “abuse of encryption”

The director of UK spy agency GCHQ has urged closer co-operation between governments and the tech sector to end what he dubbed the “abuse of encryption”, describing it as a “moral problem” which democratic societies must grapple with in order to strike a balance between security and privacy.

Giving a speech at MIT yesterday, Robert Hannigan called for the tech industry to help governments and security agencies find technical solutions to work around encryption — although he claimed he is not advocating for backdoors to be mandated, or for security systems to be deliberately weakened. But he was less clear on exactly what he is advocating.

“I am consciously avoiding offering solutions, because I don’t have them, and I think we will need to find them together,” he said. “I suspect those solutions will be diverse and fragile and dynamic in the future: they will not be 20th Century solutions.”

“The solution is not, of course, that encryption should be weakened, let alone banned. But neither is it true that nothing can be done without weakening encryption,” he added. “I am not in favour of banning encryption. Nor am I asking for mandatory backdoors.”

Hannigan expressed frustration about the current — as he sees it — ‘all or nothing’ nature of the encryption debate, arguing that “almost every attempt to tackle the misuse of encryption by criminals and terrorists is seen as a ‘backdoor’”, adding: “It is an over-used metaphor, or at least mis-applied in many cases, and I think it illustrates the confusion of the ethical debate in what is a highly-charged and technically complex area.”

His comments come at a time when Apple is fighting a high-profile legal battle with the FBI over the measures it should be legally required to take to assist in unlocking an iPhone that was used by one of the San Bernardino terrorists. That battle has since spilled over into Congress, with politicians grappling with just such questions of the balance between security obligations and constitutional freedoms.

On encryption Hannigan called for “some very practical cooperation with the industry”, although he did not detail what this practical cooperation would entail. He did drop some leading hints as to the intelligence agency’s thinking, suggesting the preferred route might be to co-opt companies to help security agencies exploit weaknesses in their own encryption systems, affording spooks access when a legal warrant requires it.

On this Hannigan invoked a historical example — referencing British mathematician Alan Turing’s work during World War II to crack the Nazis’ Enigma code, and noting that “the exploitation of a few key flaws in the otherwise brilliant design of the commercial Enigma machine” enabled that strongly encrypted code to be cracked.

So it doesn’t take the joining of too many dots to envisage the kind of co-operation GCHQ might be advocating for, vis-a-vis tech companies…

In recent times the British spy agency has found its activities under more public scrutiny than it might prefer, in the wake of NSA whistleblower Edward Snowden’s 2013 disclosures about government mass surveillance activity.

Hannigan did not reference Snowden but did refute accusations that UK spy agencies deploy mass surveillance techniques. “As UK court judgements over the past two years have confirmed, our bulk collection does not equal bulk surveillance. They are different things,” he claimed.

He also claimed that draft UK surveillance powers legislation which is currently being debated in parliament does not equate to an expansion of state powers — despite critics saying the very opposite and dubbing the bill a new ‘Snoopers’ Charter’.

In the post-Snowden era, GCHQ has been learning the do’s and don’ts of applying a little marketing gloss to its message. Last fall, for example, writing in the FT newspaper, Hannigan made a public appeal to US tech companies to co-operate in handing over user data, arguing that tech platforms had “become the command-and-control networks of choice for terrorists and criminals”.

Yesterday’s message was evidently intended to be a little less accusatory, a little more conciliatory. “The comments caused a bigger stir than I expected,” he said, referencing his phrasing from the November article. “And were widely seen as an attack on the tech industry. In fact I wanted to start a debate in the UK about how democratic Governments and the tech sector could work together within a clear and sufficiently transparent legal framework.”

“Our worlds overlap, but they are not the same; my point this afternoon is that they do not need to collide,” he added.

You can read Hannigan’s speech in full here.