Dear Mr Cameron,

You recently proposed that all Internet apps — and their users’ communications — be compelled to make themselves accessible to state authorities. I want to explain why this is a very bad idea even though it might seem like a no-brainer.

You said:

“I have a very simple principle which will be the heart of the new legislation that will be necessary. In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said: ‘No, we must not’.
That is why in extremis it has been possible to read someone’s letter, to listen to someone’s telephone, to mobile communications. …
But the question is: are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: ‘No we must not’.”

US President Barack Obama appears to agree with you.

Heads of government bear the burden of keeping their citizens safe. That’s a crushing responsibility. Police solve violent crimes — and intelligence agencies predict and avert them — in significant part by intercepting the conversations of people conspiring to get away with them.

For at least 50 years, democracies have kept eavesdropping within bounds by requiring a warrant or some other form of meaningful review before doing it. As telephone companies upgraded to digital (but still not Internet-based) networks in the 1990s, governments around the world began to require that the new networks still allow for authorities to listen in to calls.

The rationale was simple and generally uncontroversial: as long as the government respected the rule of law, its demands for information shouldn’t be trumped by new technological facts on the ground.

Why, then, you reasonably ask, should that long-established balance between security and privacy be disturbed simply because the Internet has replaced telephony?

The answer, it turns out, is that baking government access into all Internet apps will, in fact, not extend the long-established balance between security and privacy to all mediums of communication. It will upend it.

First, the landscape of Internet communications services is profoundly different from telephony, where lawful intercept’s habits were honed.

Traditional telephone systems were run by a single large company or by governments themselves. They overwhelmingly served the single purpose of letting people talk to each other at a distance and the experience of using a phone in 1990 was little different from that of using one in 1950.

Supporting lawful eavesdropping was done with no impact on telephony’s basic model — and often governments would pay to offset any costs incurred in keeping phone lines open to tapping.

The Internet evolved in a wildly different way. It supports applications written by anyone, and a new application can become popular in a heartbeat. Some people write and share apps for fun rather than money.

To restrict how one might build an Internet application that enables person-to-person communication — that is, nearly all of the hundreds of thousands of apps out there — would require software developers to hire compliance attorneys or risk breaking the law.

In the worst-case scenario, software development would be relegated to a handful of incumbents ready to do the kind of partnerships with governments that sophisticated phone companies do. Facebook, Google and Microsoft could cope (if unhappily), but software authors and service providers the next tier down would be hugely disadvantaged.

In the best-case scenario, to give government broad access, app authors across the spectrum would face having to orchestrate a complex scheme of scrambling or encrypting to all but restricted parties and the government. They would likely give up on encryption entirely, which would be a nightmare for the public’s — and therefore national — security as it would expose communications to anyone ready to hack.

Lawful telephone eavesdropping wouldn’t have come about if that meant it would be easy for others — even at a distance — to also listen in on a conversation.

Users now have choice
Second, regulating apps so comprehensively is either self-defeatingly leaky or unacceptably intrusive. Unlike telephony, Internet users who don’t like the way an app works can choose to use another.

As a practical matter, WhatsApp, owned by Facebook, could — under your legislation — successfully be required to change the way it encrypts users’ communications. Since Facebook can’t readily gainsay what a major government wants and since Facebook has “boots on the ground” in London, it can be easily tracked down and it has to comply with government demands.

So, you may be looking at large companies like Facebook and thinking that regulation will be easy, without considering the millions of other sources of code produced by fiercely independent and often anonymous developers who are based in the UK.

Despite WhatsApp’s US$19bn price tag, its basic functionality could be reproduced in a weekend by two caffeine-fuelled university students. The speed with which the public could migrate to a new coder’s NextApp would up the stakes for the massive enforcement you’d have to conduct for your proposed requirement have any impact.

Indeed, you’d have to constrain the application ecosystem itself by further requiring that new code be vetted before it can be installed on people’s platforms.

That would accelerate a profound and undesirable flip from software that flows freely except in the most unusual of circumstances to software that can only move once it meets government standards. PCs would have to become like iPhones, running only what their originators — Microsoft and Apple — permit.

Seriously, this isn’t just about telling BT Group to go ahead and tweak its software. Rather, it would position a handful of companies as gatekeepers to the vast and colourful universe of code that flows from millions of sources. And these gatekeepers would turn out to be the very companies whose market dominance has so deeply troubled European authorities.

Empowering the lawless
A here’s the third problem: a requirement to make encryption breakable by the prevailing legal authority would be a gift to states that do not embrace the rule of law.

Billions of people live in such countries and Western technology has represented one of their best shots at the freedom to communicate enshrined as a universal human right. Their governments have had to invest enormous amounts of effort to extract the economic benefits of being connected to the rest of the world while still enforcing censorship and surveillance.

If you succeed in shaping our software so that we can’t keep secrets from authorities bearing valid warrants, you will also make it so that people can’t keep secrets from regimes who don’t bother with warrants.

All of these reasons are grounded in the fundamentals of the way the Internet has evolved, not to mention the nearly unthinkable costs of trying to push it to a place where communications could be monitored across all Internet applications.

Finally, building systems to secure communications against all but the communicating parties and the government is really, really difficult, and entails its own risk of catastrophic failure, rendering communications worse off than if they hadn’t been encrypted at all.

I understand the imperative to provide security. I also understand that it makes sense to determine the boundary between state and citizen through democratically enacted, constitutionally sound law rather than the cat-and-mouse behaviour between technological hacks and counter hacks. Unfortunately, that is the kind of behaviour that this proposal would foster.

In an age where ever more sophisticated encryption becomes available, it can seem that entire sectors of communications that were once regularly monitored are “going dark”. But a simple technological mandate to prevent the use of strong encryption is not, in fact, simple.

The toolkit for law enforcement and intelligence agencies to do their necessary work is deep and growing. The fact that some apps encrypt need not stymie investigations of large-scale terrorism.

Mr Cameron, I do not envy you your job. The only solace is that the choice this proposal represents is, in fact, an easy one: don’t attempt it.

The Internet has been a force for modernity and openness — exactly what those who believe in indiscriminate violence despise. Let’s not try to build them a network that they find more agreeable, in the name of the short-term imperative to uncover and prevent their worst.

Regards,
Jonathan Zittrain

Zittrain is George Bemis professor of law and professor of computer science at Harvard University
This article was originally published on The Conversation

Netflix, Warner Bros talks raise fresh headaches for MultiChoice

Big Microsoft price increases coming next year

Vodacom to take control of Safaricom in R36-billion deal

Black Friday goes digital in South Africa as online spending surges to record high

BYD takes direct aim at Toyota with launch of sub-R500 000 Sealion 5 PHEV

Amazon and Google launch multi-cloud service for faster connectivity

Google makes final court plea to stop US breakup

Bezos unveils monster rocket: New Glenn 9×4 set to dwarf Saturn V

Tech shares turbocharged by stellar Nvidia earnings

Config file blamed for Cloudflare meltdown that disrupted the web

So, will China really win the AI race?

Valve’s Linux console takes aim at Microsoft’s gaming empire

iOCO’s extraordinary comeback plan

Why smart glasses keep failing – it’s not the tech

BYD to blanket South Africa with megawatt-scale EV charging network

TCS+ | How Cloud On Demand helps partners thrive in the AWS ecosystem

TCS | Ralph Mupita on competition, AI and the future of mobile

TCS | Dominic Cull on fixing South Africa’s ICT policy bottlenecks

TCS | BMW CEO Peter van Binsbergen on the future of South Africa’s automotive industry

TCS | Why Altron is building an AI factory in Johannesburg

Your data, your hardware: the DIY AI revolution is coming

The energy revolution South Africa can’t afford to miss

It’s time for a new approach to government IT spend in South Africa

How South Africa’s broken Rica system fuels murder and mayhem

South Africa’s AI data centre boom risks overloading a fragile grid

Dear David Cameron…

Beware the digital demagogues

Politicians are cashing in on the tech boom

A hack like this could start the next World War

Beat the summer heat with Samsung’s WindFree air conditioners

AI is not a technology problem – iqbusiness

Telcos are sitting on a data gold mine – but few know what do with it