Effective pan-EU co-operation to redress the balance and build confidence in safer, more secure on-line world could have a bigger impact on our wallets than the putative benefits or costs of Brexit because the dominant Internet companies of the US West coast appear more concerned to “protect” us from the FBI, NSA and GCHQ than from organized crime and disorganized abuse. Hence another reason for criticizing both camps for failing to debate constructively on the control versus risk issues that appear to matter to most voters. Do we want our on-line activities to be controlled from the West Coast of America (under Brexit) or more locally, via Brussels?
“Genuine autonomy” does not appear to be on offer from either side.
According to the Washington Post, the current trend in Silicon Valley is to ditch the big data business model, lest the FBI/NSA demand access. Instead they aim to encrypt everything for the sake of “privacy”. Is this evidence that their target customers are, as some have long expected, those who most Americans, let alone Britons, would not want protected.
I will pause to allow some readers recover from apoplexy – and qualify what I just wrote.
There is a good case for the much wider use of encryption, as I will elaborate below, but it is to address the rising tide of fraud and abuse, not “just” to enhance privacy. It also requires another change of approach and priority that is not on offer.
Estimates for the revenues trousered by e-crime range from $350billion to a $trillion, depending on whose guesstimates you believe. It is probably now a bigger “industry” than telecoms with Germany and the UK the third and fourth most victimised: after the United States and China. [over 80% of the Chinese e-crime has no international dimension so is left out of most figures. It is also unclear whether the high rate of e-crime in Germany is because they are less secure or are better at measuring and reporting.]
Meanwhile some of the most innovative and enterprising co-operation is coming from the southern hemisphere:
- Malaysians using stolen South African credentials to loot Japanese banks
- the world’s biggest bank heist with a Philippines gang targeting weaknesses in the Belgian-based SWIFT payment clearing service to try to lift a $billion and only getting away with $81 million
- the current waves of ransomware, spreading from Australia to the rest of the world with over 40% of victims in Europe and 44% in the USA.
The EU policy on security e-crime may be nearly as disjointed and ill-considered as some of its other policies but getting it right will do far more for the UK economy, as well as for our personal safety and security, than Brexit with no real strategy for making the UK a global centre of excellence in anything other than surveillance and re-active protection.
The Queens Speech includes various measures related to supposedly improving security, privacy and confidence in the on-line world but, to be effective, they need to be knitted together into coherent and prioritised strategies for co-operation, nationally, across the EU and internationally.
Conceptually the best place to start is probably not with the General Data Protection Directive, let alone with Data Sharing or Retention Powers, but with the plans for anonymised Age Verification. These could and should be used to open up debate on the provision of credible, market driven, identity and access management and the use of robust encryption technology to also give confidence:
- In the identity of the device which sent the signal and the person, if any, who told it to do so
- That the signal is as sent, not accidentally or deliberately changed en route
- That who-ever/what-ever sent it has not changed their mind without telling you
For most common applications these are more important than secrecy or privacy.
More patients die or suffer unnecessarily because of inaccurate medical records than almost any other cause, including resulting from the defensive medicine practiced by doctors and nurses who could otherwise be held liable for the consequences of errors outside their control. It is more important to know who or what (ever more is recorded by machines) updated the record and that it was accurately transmitted and stored, than that it is confidential. Yet almost all the focus is on the privacy – not accuracy and authentication.
The same is true with regard to most financial transactions, many (perhaps most) of which become irrevocable matters of public record within minutes (perhaps seconds) of completion. Meanwhile we have the Cabinet Office obsession with trying to get departments to use an identity access framework, Verify, which does not meet medical or banking needs and could be used to systemically hijack the benefits of those in most need.
Gordon Carera, in his excellent book “Intercept: the secret history of computers and spies” quotes a former director of the National Security Agency on his first briefing on the reasons why encryption was so important, with “scrambled text” the least of them. This is a paraphrase:
- Attribution – only the President can order a nuclear strike: you have to know it is him
- Integrity – lest the text becomes corrupted and the missiles have the wrong target
- Non-repudiation – you cannot allow the President to say it was not him
- Infinity/availability – however many times you run the system it must give the same result
- Secrecy – to provide reasonable confidence that it will not be read by those who are not authorized to do so (bearing in mind the ways of getting at the text before it has been encrypted and after it has been decrypted).
The Age Checking group of the Digital Policy Alliance is driven by those who have good business reasons for wanting robust anonymized age checking (from “Adult” entertainment providers to On-line Gaming Companies). They have identified a variety ways of providing this, including the use of low cost extensions to the one way encryption services now being used to control access to sensitive education and medical records as well as to high value financial transactions. The widespread adoption of such techniques by those offering users control over their identities and their data strikes at the heart of current advertising funded big data models, not just at the idea that the state should control the identities of its subjects.
When trying to put the various measures in the Queens Speech into wider context it is also worth looking at the evidence that GCHQ may be taking seriously its new role as host of the new UK National Cyber Security Centre, helping others to address vulnerabilities, not just to exploit them. Meanwhile we should add much of the advertising industry to the opponents of the routine use of encryption by users to take control of their on-line lives. But one of the most important legal steps is conspicuous by its absence: enforcement of the e-Commerce Directive requirement for those trading on-line to provide physical contact details and for carriers and intermediaries to take action when notified of abuse, impersonation or illegal traffic. The failure to enforce these makes it almost impossible for victims to identify who to contact or to sue if they fail to take action. A conspiracy theorist might think this was deliberate.
We may not think that Brussels has done a good job of trying to protect consumers from shameful exploitation, abuse and fraud, whether by government, monopolists or criminals – but do we believe the Brexiteers would do any better?