Obituary: Professor Ross Anderson, pioneer in security engineering and campaigner

Friends and colleagues have paid tribute to Ross Anderson, professor of security engineering at Cambridge University and Edinburgh University, and a fearsome campaigner for digital rights.

Anderson, who died unexpectedly at his home in Cambridge on Thursday 28 March 2024 aged 67, is known equally for his monumental work in the field of security engineering and his relentless campaigning for privacy and security.

A fellow of the Royal Society and recipient of the BCS Lovelace medal for his contributions to developing security engineering as a discipline, his textbook, Security engineering, is described by fellow security specialists as his masterwork.

“He was enthusiastic, brilliant, opinionated, curmudgeonly and kind,” wrote Bruce Schneier, who has known Ross for more than 30 years.

From high school in Glasgow, Anderson went on to read mathematics at Trinity College Cambridge, and completed his doctorate in 1995 under the supervision of Roger Needham, a world-leading researcher in security and computer architecture.

Anderson played a leading role in defining new methods to assess the costs of information security and cybercrime. His 2000 paper, Why information security is hard, heralded the study of security economics.

Bill Buchanan, professor of applied cryptography at Edinburgh Napier University, highlights Ross Anderson’s achievements in cryptography, including his strident criticism of an insecure algorithm developed by GCHQ for the NHS, in a warm tribute.

When the US National Institute of Standards and Technology (NIST) ran a competition to create an algorithm for the Advanced Encryption Standard, Anderson’s team came a close second, but only because NIST opted for speed over stronger security offered by Anderson and his collaborators.

“He was someone who has broken down barriers in the ‘art of the possible’ and rallied against those who wish to spy on our citizens,” said Buchanan.

During the 1980s and 1990s, Anderson’s work on ATM payments identified flaws in banking software – denied by the banks – that led to customers suffering phantom withdrawals.

When the UK Cards Association demanded that Cambridge University take down a student’s thesis on the topic from the web, Anderson responded with a brilliantly polite but scathing letter excoriating the banks for failing to fix the problem.

In 1998, Anderson founded the Foundation for Information Policy Research (FIPR), a think tank for information technology policy, which took, like Anderson himself, a wide view of technology and social issues.

FIPR intervened in NHS IT plans, investigatory powers, smart meters and more. And it successfully lobbied for safeguards to state surveillance powers in the Regulation of Investigatory Powers Act.

Through FIPR, Anderson also pushed for the formation of European Digital Rights (EDRi), an umbrella organisation for digital rights organisations around the world.

In his campaigning work, Anderson stood up to repeated government attempts to weaken encryption, opposing key escrow in the 1990s, and in recent years government proposals to provide access to law enforcement to encrypted communications.

He was one of the signatories to Bugs in our pockets, along with other world-leading cryptographers and computer scientists, which found that plans by Apple to covertly scan encrypted messaging systems for abuse material were unworkable and a threat to safety and security. Apple subsequently dropped the plans.

He intervened again when the government introduced proposals in the Online Safety Bill to mandate technology companies to scan all encrypted messages for abuse material. His point was that it is not possible to weaken encryption and simultaneously protect computer systems from misuse by bad actors.

“The idea of using artificial intelligence to replace police officers, social workers and teachers is just the sort of magical thinking that leads to bad policy,” he argued in a rebuttal to proposals by two senior GCHQ officials to allow government departments to ‘listen in’ to encrypted communications.

He won the respect of his intellectual opponents, as Ciaran Martin, founder of GCHQ’s National Cyber Security Centre acknowledged: “Prof Ross Anderson had a formidable brain and fierce integrity. He could sometimes give us in the security services a difficult time, but that’s because he cared and really knew his stuff. And he knew how to disagree well.”

He was appointed as an expert witness during court hearings into the legal admissibility of evidence from EncroChat encrypted phone network.

He told a BBC podcast that his research had shown “the live data appears to have been taken as a matter of live intercept”, a bombshell finding that had the potential to undermine hundreds of prosecutions of organised criminals, though one that has not found favour with judges.

More recently, he has campaigned against Cambridge University’s policy of “forced retirement” for academics when they reach 67 and had plans to bring the matter to an employment tribunal.

He was a man of principle, outspoken, and said it as it is, but he was always enthusiastic and willing to pick up the phone. He had a knack of being able to explain complex topics for non-experts.

Anderson was an “inspirational and doughty fighter” for people who cared about digital privacy and security, journalist Duncan Campbell wrote in a tribute on X (formerly Twitter) that was read and reposted by more than 200,000 people within the first seven hours.

“Many say Ross helped shape lives and careers, framed vital technology issues, communicated powerfully. They remember Ross as a giant with huge intellectual competence, and commitment,” Campbell wrote.

Ross Anderson is survived by his wife Shireen, daughter Bavarni, and his grandchildren. The family has asked for privacy at this difficult time.