Quick summary: Forcing internet messaging services to permit only weakly-encrypted communications, so that governments can access them easily, will not impact bad actors, but will seriously impact innocent people who want to obey the law. Read further for my explanation.

In my previous post, I outlined the abject pointlessness of governments' attempts to force service providers to weaken the encryption used on their messaging services.

The government of Australia has embarked on just such a foolhardy course of action. Whether you agree or not that "something has to be done", this is guaranteed to be a total failure no matter how far the initiative is taken.

The point of my post yesterday is essentially a combination of the following three facts:

  1. It is possible for me to write an encrypted message, to print it out, to put it into an envelope and then the postal system, and for the recipient to do what needs to be done to decrypt that message. No matter how easy it is to open that envelope while the letter is in transit[1], the message will still be unavailable to anyone who wants to examine it, because it's encrypted. In exactly the same way, anyone who cares to do so can send an encrypted message to anyone else over an electronic communications channel that isn't encrypted (e.g. e-mail), or one that uses a deliberately-weakened encryption (e.g. WhatsApp, etc. if some so-called democratic governments get their way).
  2. The financial cost of being able to do this is tiny: it can be done using the standard "smart 'phone" people carry around in their pockets, and using freely-available software tools.
  3. There are 7.5 billion people in the world. If even 1% of 1% of them have the really, really bad intentions that governments believe these measures will stop, that gives us 750,000 people who have an interest in investing the tiny amount of money and effort to get around these weakened encryption schemes. This assumes, of course, that at least one of the existing strong encryption methods – of which there are very many! – remains inaccessible to government organisations. If all of them magically become accessible to these government organisations, of the 750,000 really, really bad people interested in circumventing the weakened encryption methods, there are likely enough people in there to develop yet another algorithm that they will be able to exploit.

Let's assume that Australia, or the U.S., or some other government ultimately succeeds in getting all the internet service providers to stop providing encrypted messaging[2] services. Who will be affected?

Innocent people going about their private business. That's who.

And, perhaps, some low-grade, stupid baddies.

Any baddie worthy of the description will avail of the obvious workarounds I outline above. However, people communicating with their banks, lawyers conversing with their clients, charity organisations working to support people in oppressive countries will all have their communications capabilities compromised by these laws, because they will all want to be compliant.

Those who don't care about obeying the law will continue to communicate with each other in illegal ways, and it won't matter to them that they have to break yet one more law to do so.

A message to politicians:

Congratulations for getting this far.

Please use the logic of the technology: Technology doesn't know or care about the motives of the people using it.

Saying that innocent people won't be affected by a legal ban on effective encryption is patently untrue. But it's worse than that: non-innocent people definitely won't be affected; they will easily route around such a ban.

If you are truly interested in the democratic principle of freedom, you will permit innocent people going about innocent activities to speak privately with whomever they wish, and you will push for more sensible measures, which will have to include investing in police and security forces for them to improve their capacities to use the available, effective investigative methods, and to allow them to develop new methods that don't infringe on the rights of innocent people!


[1] Or, if I just leave the envelope unsealed.

[2] I'm now sick of writing variations on "weakened encryption"; simply put: if it has been weakened, it's not encryption.