It's being reported (following some lobbying, no doubt) that the new government is considering providing a power to An Garda Síochána to use an "electronic key" to access encrypted communications, the logic being that this will be the best way to combat organised crime.
Let's, for the purposes of what follows, ignore that the demand is belied by the story that is being used to push it: a major police operation came to a very successful conclusion recently due to the infiltration of the "Encrochat" encrypted messaging service, yet without the use of anything like the universal decryption key that the gardaí feel they require.
Let's also assume that although the newspaper story reporting is vague on the matter except in the headline1, this key is indeed what's being demanded.
Let's, instead, look at the nature of the challenge involved.
A quick glance at wikipedia suggests that there are about 20 or so active encryption algorithms, all of which can be described as implementing "strong" encryption; encryption that doesn't have a documented successful mathematical mechanism of defeating it. About half of them would be suitable for encrypted messaging between two or more correspondents.
Each one of these is designed with a view to ensuring that only the sender and receiver(s) can read the messages; no one else. The simple analysis is that if the message can be read by others, then it can be leaked and read by anyone else. That's fine by us if criminals are communicating and cops are intercepting. Not so fine if innocent people are communicating and the criminals are intercepting; or if NGOs are communicating and oppressive governments are interepting.
The idea of a universal decryption key has a major pragmatic problem, though. None of the current, active, strong encryption algorithms allow for such a thing.
This means a number of things would have to happen if we wanted such a key to exist and to work.
- Those responsible for the design of the exiting algorithms would have to redesign their algorithms to support such a key. Even if all these algorithms could be redesigned this way [Editor: they can't], we would have to get all of these algorithm designers to agree. None of them would, but even if some of them did, not all would – those algorithms left un-redesigned would remain available for use.
- Even if any of these existing algorithms was redesigned, it would be necessary to do something about those that would be left behind. First, you can't undesign an algorithm, so none of the existing algorithms would be replaced. They would all remain available. Some of them would be "declared" replaced2 by their "owners", but as algorithms are just expressions of sequences of mathematical operations, there's no way to remove the memories of those expressions. Any user of encryption would be wise to favour the version of an algorithm that doesn't allow interception over the version that does, even if that latter version is officially no longer current.
- So, now we have some encryption algorithms that meet the police's interception requirements, and some that don't. How are governments to deal with these latter algorithms? Can they outlaw all those others? Analogously, if some cars had a device in it that reports to the police when you exceed the speed limit and other cars didn't, which cars would be more popular? The thing is, you can't pass laws against knowing things. Once something is known, like an encryption algorothm, it's very very very hard to make it universally unknown again. So, if you outlaw the use of encryption algorithms, criminals being criminals, they're hardly going to obey that law.
Ultimately, it's a wild goose chase. The real concern is how much damage will be done by that chase? Will it just be a talking point, not progressed by a government fully aware of the challenges? Or will it become a government bill to be ridiculed and ripped to shreds by an attentative and responsible and informed Oireachtas? Will it become a law, successfully challenged in the High and Supreme Courts on constitutional grounds? Or will it become like France's Hadopi – a law that goes into effect, quickly showing how ineffective it is and is quietly shelved in embarrassment?
Finally, going back to the start of this post: why doesn't An Garda Síochána look at the operation that took down Encrochat? It worked. It wasn't a wild goose chase. No matter how expensive are the skills and technologies involved, they're not going to be more expensive than attempting to achieve the practically and theoretically impossible. This is where investigations into criminal activity should point, and this country should be mature about this and get on with using the alternatives, because they exist.