Dear Amber Rudd,
Break encryption for one person and you break it for us all.
You argue that security services once steamed open envelopes to intercept messages – to achieve this, all they had to do was break the security of glue. To break encryption, companies would be required to make every single message sent on their platforms insecure and open to interception by anyone.
While you can legislate to give security services access to phone calls, text messages and internet histories, you cannot build encryption in this way. Once you break it to go after one target, it is broken for everyone. There is a fundamental difference between how encrypted and unencrypted communications work.
We’ve been here before. Two years ago, in the aftermath of the Charlie Hebdo attack in Paris, then prime minister David Cameron said security services should have access to encrypted communications under warrant. It felt like opportunism by the British government then, and you have been criticised for the same now. Major General Jonathan Shaw, the Ministry of Defence’s former chief of cyber-security, has accused you of trying to “use” the Westminster attack to expand the UK’s sweeping privacy legislation. It is unwise to use fear to try to push through ill-informed legislation.
Besides, the British security services already have world-class powers to surveil communications. The Snooper’s Charter, passed into law as the Investigatory Powers Act in November 2016, grants the UK some of the most intrusive and extreme surveillance powers in the democratic world. Measures to break encryption were opposed not only by the technology industry but also by politicians – including your cabinet colleague David Davis.
Encryption is what allows us to bank and shop safely; it is what keeps our medical records secure and our private lives safe from prying eyes. Security services were first made aware of Khalid Masood in 2010; during that time they could have, under warrant, monitored his phone calls and text messages. They were not monitoring Masood at the time of the attack and so, as a consequence, would not have taken out a warrant to monitor his WhatsApp messages. WhatsApp creating a back door would have made no difference.
The line you have taken against security companies is leading to inaccurate and alarmist reports in the press. Claims in the media that “internet giants” are hiding the “terrorist’s final note” are wrong. WhatsApp doesn’t have access to any messages sent by its users. It is likely the authorities have Masood’s phone. If they do, WhatsApp isn’t stopping them from getting access to Masood’s messages; the phone’s passcode is.
Go after WhatsApp and other similar services and you also risk falling into a dangerous game of whack-a-mole. If you persuade WhatsApp to introduce a backdoor, people using it to plan criminal activity will simply move to another service. Break that service and they’ll move to another.
This is not an argument you are going to win.
This article was originally published in March 2017 following the Westminster Bridge terror attack. It has been updated in light of new comments made by Amber Rudd in August, as she prepared to meet with the world's biggest technology firms.
This article was originally published by WIRED UK