[UPDATED.] Reports that the FBI no longer needs Apple’s help to crack the security of the iPhone reveal the increasing tension between governments, technology suppliers, and citizens. That tension represents nothing less than a battle over the future of the internet.
That the FBI is working with “a third party” to gain access to an iPhone’s encrypted data demonstrates the ‘damned if you do, damned if you don’t’ problem facing the IT industry today. If tech companies agree to build back doors into their products, they weaken data security – and the internet – for everyone; whereas if they refuse to take a hatchet to their own standards, then law enforcement agencies may resort to other means, such as employing hackers (for whom the cracks could be worth a fortune on the black market).
Of course, the interests of private companies – some of which are headquartered offshore to avoid tax – should never take precedence over governments and national security. But in this case, it’s not as simple as billion-dollar corporations protecting their own shareholders.
Communications technologies are actively being destabilised and weakened by national governments, while IT suppliers risk being thrown to the wolves if they fail to cooperate. But national security services seem to have little concept of how insecure their actions may make the internet for the rest of us, and how much more widespread criminal behaviour may become as a result.
The great British botch
In the UK, the government’s newly passed surveillance plans force comms providers and ISPs to retain all phone and internet data for up to a year, while setting technology providers against their own customers’ interests.
Mass surveillance will make citizens’ and businesses’ internet records into prime targets for hackers, while ISPs, cloud companies, telcos, and mobile providers will be expected to secure all that data from day one, even though there is no legal obligation on them to encrypt it. The 2015 hack of TalkTalk suggests that some companies just aren’t ready to be in the front line of plans that, in most cases, they strongly oppose.
An internet that facilitates mass surveillance is an internet that is less secure. So, by leaving it up to the market to decide how best to react to a centralised programme of national intelligence gathering, the UK government’s plan has the makings of being a dangerous ideological gamble with national data security.
And because suppliers are dozens of separate private-sector entities, their response will be piecemeal, rather than a co-ordinated national strategy.
The revised Investigatory Powers Bill may also force some technology companies to break the laws of the countries in which they are incorporated, as Apple CEO Tim Cook explained to the Home Secretary in 2015. O2, Vodafone, EE, and 3 were among others to express their disquiet.
Everyone supports the need to tackle terrorists, organised criminals, and abusers. However, governments on both sides of the Atlantic ignore an important fact by pushing through blunt-instrument surveillance plans against the advice of technology experts: they’re not just declaring war on terror, they’re declaring war on IT suppliers’ business models, and on their customers, too. That may have long-term impacts on the world’s digital economy and the security of many sectors – including digitised public services.
Local surveillance plans also threaten to begin breaking the internet apart into heavily policed national fiefdoms, threatening transparency, legitimate reporting, free association and freedom of speech: the Chinese model, applied locally from country to country.
Post-Snowden, the lesson must be that surveillance programmes never achieve what they set out to do, which is to reinforce trust; their effect is always the opposite.
Make no mistake, surveillance will drive criminals deeper underground and push millions of ordinary citizens towards encrypted communications and privacy-shielding platforms in an effort to protect themselves from the snoopers.
Many vendors are already telling customers to adopt greater privacy controls via encrypted email platforms such as SafeGmail and Tutanota, and devices such as the BlackBerry Priv. Meanwhile, Google is threatening to name and shame suppliers that fail to support encrypted communications.
The conclusion is obvious: IT suppliers may be paying lip service to government aims, but most fundamentally disagree with them.
The risk of litigation – and TTIP
In the UK, the national surveillance plan has the potential to be a Whitehall IT disaster to rival the NHS National Programme for IT, Universal Credit, and other botched, late, and vastly over-budget schemes. The likely cost of the programme has already soared from initial estimates of £150 million to over £1 billion. Add another zero to that, and you’re probably closer to the truth in the long term.
For one thing, there are the long-term legal ramifications of the plan. Litigation is a very real prospect if companies are forced to weaken their products and it can be proved that this compromised reputations, or led to security breaches, loss of trade, or financial damage to suppliers or their customers.
The government may be making a rod for its own back in this regard: the secretive EU/US TTIP trade agreement, designed to “liberalise one-third of global trade”, is widely believed to hand greater powers to transnational enterprises to sue governments that cause them financial loss or restrain trade, while sweeping aside many market protections and regulations.
And it is supported by a British government that claims to oppose any loss of national sovereignty that comes from being an EU member!
In this context, a clumsy, ill-advised national surveillance programme would seem to be like sleepwalking into a multibillion-dollar legal minefield. A truly bizarre state of affairs, and one that suggests a lack of joined-up thinking at Cabinet level.
There are a great many IT experts in the public sector and many stories of exemplary innovation. However, all central government IT disasters have shared the same elements over the years: ideology overcoming common sense; short-term political expediency; poor specification; little understanding of technology or the supplier community; unrealistic budgets and timescales; busloads of expensive consultants; and slow-moving bureaucracy – not to mention constant political change and interference.
Censure by the Public Accounts Committee usually comes just before the lawsuits start, and by the time a scheme limps into the public arena in much-reduced form, the technology is usually a decade out of date.
But this time, we may all have to pay the price of a catastrophic misjudgement.
• Interested in comms security? Join UCInsight’s and UCEXPO’s live Twitter debate at 3pm this Thursday. #COMSECFUTURE #UCEXPO #UCinsight