The head of the British intelligence agency GCHQ says he hopes technology companies and academic researchers will find ways to let government investigators get into encrypted devices without creating broad “back doors” that undermine computer security.
In a speech to about 150 people at the Internet Policy Research Initiative at MIT, GCHQ director Robert Hannigan said Monday that law enforcement and intelligence officials want only targeted ways to stop what he called “abuse of encryption” by ISIS and other terrorists and criminals.
“It should be possible for technical experts to sit down together and work out solutions,” he said. “I am not in favor of banning encryption. Nor am I asking for mandatory back doors. … Not everything is a back door, still less a door which can be exploited outside a legal framework.”
Hannigan’s stand on encryption meshes with the Investigatory Powers Bill, an act pending in the British Parliament that would affirm the legality of a wide range of surveillance practices. It also aligns with statements that the U.S. Secretary of Defense and other top officials have made in recent weeks amid the Apple-FBI controversy.
This suggests that officials have learned the lessons of past fights over encryption. In the 1990s, the National Security Agency had to give up on asking companies to secure everything using a component called the Clipper Chip, to which it retained a master key, after a researcher showed the system was deeply flawed.
But computer security practitioners say they still don’t see how companies can ensure law enforcement access to encrypted data without opening up dangerous new security holes. Apple and Google routinely helped investigators get data off smartphones before the companies tightened encryption practices in 2014, but there is little appetite in the industry to roll back security to the state of the art of two years ago.
“I think the highlight of what Hannigan said is that back doors are not the answer,” said Daniel J. Weitzner, a former White House technology policy officer who heads the Internet Policy Research Initiative and worked on an influential encryption report published last year. “Dumbing down the whole infrastructure is not the way to go. The question, then, is what do you do?”
Weitzner and Hannigan both suggested that the answer will lie in vulnerabilities that are inherent even in encrypted phones—like the pathway the FBI is asking Apple to open in the phone used by San Bernardino shooter Syed Rizwan Farook. “I’m not sure it is certain that [companies] will construct systems that make it impossible,” Hannigan said in an interview. “Not least because their own users will then have huge problems, won’t they?”
Getting evidence off an encrypted phone is surely much more challenging for a local police department than for a powerful intelligence agency such as GCHQ or the NSA. (Asked whether his experts could crack the San Bernardino phone even without Apple’s help, Hannigan laughed and said: “I would be crazy to go there.”)
Nonetheless, Hannigan—making just his second appearance in a public forum since taking the helm of GCHQ in 2014—said tech companies should work more closely with governments to try to come up with ways to give law enforcement what it wants. “The perception that there is nothing but conflict between governments and the tech industry is a caricature,” he said in his speech. “In reality, companies are routinely providing help within the law, and I want to acknowledge that today.”
He acknowledged, however, that there is unlikely to be a way to allow for easy, broad access. “The security tail shouldn’t wag the dog,” he said. “And of course sometimes there will be nothing we can do and we will have to accept that. But those surely should be the exceptions.”