Spartak - Fotolia

Security experts support Dutch stance on encryption

Security experts have come out in support of a Dutch government statement against weakening encryption for the purposes of law enforcement and intelligence agencies

Security experts have come out in support of the Dutch government’s view that strong encryption is essential for the security of the country. 

The Netherlands will not follow the trend of weakening encryption for security purposes, according to a statement by the Dutch security and justice minister Ard van der Steur.

The Dutch executive cabinet endorses the “importance of strong encryption for internet security to support the protection of privacy for citizens, companies, the government and the entire Dutch economy,” he wrote.   

The statement against weakening encryption for the purposes of law enforcement and intelligence agencies comes in contrast to the UK government’s draft Investigatory Powers Bill, which is aimed at giving police and security forces easier access to digital communications.

China and the US are also considering similar legislation that will require technology firms to give authorities access to encrypted internet traffic.

Van der Steur said the Dutch government believes that it is “currently not desirable to take legal measures against the development, availability and use of encryption in the Netherlands”.

“Confidence in secure communication and storage data is essential for the future growth potential of the Dutch economy, which is mainly in the digital economy,” he wrote. 

Van der Steur said that weakening encryption would not lead to a safer world because criminal organisations would have easier access to private information, according to a report by Daily Dot.

The Dutch minister extolled the virtues of encryption, which include enabling the Dutch government to communicate online safely with its citizens about taxes and digital IDs. “Cryptography is key to security in the digital domain,” he said. 

However, Van der Steur said that “infringement is permissible” given “a legitimate purpose” and regulation and restriction by law.

Concerns raised about terrorists using encryption

The ongoing debate on the strong encryption has been fuelled by the November 2015 terror attack in Paris and the US shootings in San Bernadino on 2 December 2015.

According to US reports, the White House has begun raising its concerns with tech firms about reports that terrorists may have used encrypted technology to co-ordinate and plan the attacks in Paris on 13 November 2015 that killed 130 people. 

Tashfeen Malik, one of the attackers in the 2 December shooting in San Bernardino, also posted extremist messages, including a pledge to the leader of Islamic State on a Facebook page, according to law enforcement authorities, underlining concerns about the use of social media by terror groups.

Despite these concerns, many security and technology experts remain opposed to any form of weakened encryption or back doors to allow law enforcement and security officers access to encrypted data. 

In November 2015, the Information Technology Industry Council (ITI), which represents more than 60 major tech companies including Google, Apple, Microsoft, Intel and Facebook, said in an open letter to US president Barack Obama that it opposes “any policy actions or measures” by the federal government that would undermine encryption technologies. 

“The decisive announcement from the Netherlands to maintain strong encryption and avoid implementing back-door access sets a powerful example that other world governments should follow,” said Nithin Thomas, co-founder and CEO of London-based security firm SQR Systems

“Van der Steur is correct in asserting that strong encryption is vital to the privacy and security of the entire country. Creating back doors in encryption technology would just as readily create access for hackers as it would intelligence services, leaving everything from individual financial data to national secrets at risk,” he said.

According to Thomas, instead of pursuing any approach that would make current encryption technology less secure, the organisations and individuals that own the data must be able to access and control it themselves.

“This would allow them to comply with legal needs during investigations and criminal proceedings without compromising security. This requires communications service providers to re-think their communications security architecture and corporate policy to enable them to deal with legal intercepts.

“By passing responsibility for lawful disclosure to the individuals and organisations that own the data, we will remove the need to damage the protection that encryption affords. This will also create more trust between users and authorities, with the process becoming more transparent, rather than occurring behind closed doors,” he said.

Surveillance technologies need public support

In December 2015, Ross Anderson, professor of security engineering at the computer laboratory at the University of Cambridge, told the Joint Committee on the Draft Investigatory Powers Bill inquiry that if surveillance technologies are used in ways that do not have public support, it undermines trust between citizens and police.

“Incidents such as the Snowden revelations are extraordinarily damaging because they show that the government has been up to no good. Even though the government may come up with complicated arguments about why bulk equipment interference is alright, it is not the right way to do things,” he said.

Anderson said that if surveillance powers are abused or they are seen to be open to abuse, there could be exceptionally serious damage to the British industry.

“If people come to the conclusion that if they buy a security product from a British firm, it may have a GCHQ-mandated backdoor in it, they will buy from a German firm instead,” he said.

The Joint Committee was appointed to consider the Draft Investigatory Powers Bill, published on 4 November 2015, and will report in February 2016. 

On 6 January 2016, the Joint Committee is to hear testimony from Christopher Graham, UK information commissioner; Jonathan Bamford of the Information Commissioner’s Office; Jesper Lund, chairman of the Danish IT Political Association; William E. Binney, retired technical director of the US National Security Agency; and James Bruce Robertson, New Zealand commissioner of security warrants.

Read more about the UK Investigatory Powers Bill

Read more on Privacy and data protection