Why the EU’s plan to access our phones and data is daft

The ideas behind ProtectEU may be noble but the potential for unintended consequences is huge

In Philip K Dick’s The Minority Report, better known for its Tom Cruise big-screen adaptation in 2002, crimes could be stopped before they happened.

Precognition, an idea examined by Philip K Dick all the way back in 1956, is the latest misguided plan to make us all feel safer.

In Dick’s The Minority Report, better known for its Tom Cruise big-screen adaptation in 2002, crimes could be stopped before they happened.

Dick’s method was precogs, a psychic trio of people who could recognise when a crime was going to happen. The European Commission has a different approach: decryption through its ProtectEU plan, which has noble motives.

It aims to combat child sexual abuse material by giving law enforcement authorities access to encrypted data. The method would involve scanning private communications, including on platforms well-known for end-to-end encryption like WhatsApp or Signal.

The way of doing this would be to scan messages on the client side before they are encrypted, essentially checking what the user plans to send before it gets to the encryption stage that happens during the process of sending. For context, these actions would occur within infinitesimally small amounts of time.

This would make it easier for law enforcement authorities to access the communications of those who distribute illegal content.

It rather feels like the European Commission missed the point of Dick’s work. Well, maybe not everyone involved. The proposal was announced on April 1st after all.

There are layers of terrible to this awful idea, which is basically shielding itself in the argument that it’s for the greater good. Before the matter of user privacy rights, there are obvious cybersecurity challenges.

The backers of ProtectEU are missing the most obvious issue with their plan: any attempt to weaken encryption weakens everyone’s security.

While criminal actors benefit from encryption, weakening it also impacts pretty much everyone else, from journalists to doctors, law enforcement itself, businesses, whistleblowers and, rather importantly in this context, the victims of crime.

Any tool that would create a means to weaken encryption, even if the tool was created for the purposes of doing good, can be exploited by criminals and other bad actors. Even Lindsey Graham, the US senator and a noted hawk when it comes to anti-terror measures, agrees on this.

Graham was one of the loudest calling for Apple to find a way to access the iPhones of the culprits in the San Bernardino terrorist attack in 2015. He changed his tune to the opposite when the risk this would create was made clear to him. As it happened, the phones in question were later accessed by targeting a zero-day vulnerability, or security flaw.

The methods outlined in ProtectEU undermine the strong cybersecurity stance the EU itself wishes to push. Governments across the bloc, along with agencies within it, constantly push for greater digital resilience, yet this measure would erode the strongest protection it has at the front line of security.

Then there’s the matter of the would-be good actors that would have access to such a system. Between the tech companies that would need to comply and the law enforcement agencies involved, the number of people with potential legitimate access to such a backdoor would easily run to the tens of thousands.

Simply assuming these would all be good actors, even with the most rigorous of vetting processes, is laughable. That puts to bed the classic argument of ‘if you have nothing to hide, you’ve nothing to fear.’

We all have lots to hide, every one of us. Sadly, most of it isn’t even that interesting. Personal information regarding our finances and the like would be the most obvious example.

That’s why the privacy issue is so entangled with the cybersecurity one here. Even if encryption isn’t removed, scanning before it acts nullifies its very purpose. This in turn would enable less democratic regimes to point to the EU – meant to be a bastion of democracy – as justification for their own efforts to outlaw or inhibit encryption.

A successful implementation of ProtectEU would effectively have the Commission doing the hard work for totalitarian states in designing a mass surveillance system. Europe wouldn’t use it, I think, but plenty of others would. Yes, it really is that bad an idea but it somehow gets worse.

Let’s assume the method for scanning pre-encryption, as ProtectEU plans, occurs and, implausibly, no cybercriminals or anyone else ever misuse the new means of attack.

In that instance, when should law enforcement authorities act on the information?

If they act the moment they know the person has illegal digital material in their possession then that actor has clearly got possession of illegal material and could probably be proven to have intent to distribute. Likewise the intended recipient could potentially be charged with intent to receive, where such laws exist.

Yet they couldn’t be charged with actually distributing it, while the would-be recipient would not yet have committed the crimes related to receipt and possession.

If authorities act immediately, then they are limiting what they can charge and likely who they can charge as well. If they wait, then they get to add on more charges but have knowingly failed at preventing a criminal act. It’s quite a dizzying moral puzzle.

ProtectEU would essentially be prosecuting the intent not the attempt. The Minority Report was meant to be a warning not an instruction manual.