The Internet, marvellous as it is, hasn’t had a proper service in nearly 50 years – and it badly needs one. The fundamental protocols to carry communications and media were designed for a more innocent age when people didn’t need to be nearly so anxious about their personal privacy online, or about terrorists making use of encrypted communications.
Today, the Internet and its users face a double threat. On the one hand, it seems there is almost no privacy available. Advertisers mine our every activity for data to refine their profiles our interests. Passwords and then credit card details are regularly stolen. Pictures are stolen and misused by advertisers and worse. A simple search can unearth the secrets of our youth that we’d prefer forgotten. And more.
On the other hand, some users of the Internet appear to have nothing to fear: terrorists and criminals communicating and planning using encryption to hide their traces. Very strong encryption is freely available and easy-to-use. Not even the supercomputers available to government can crack the public key encryption schemes available to anyone who wishes to seek out the apps required.
The social networks and app developers involved – to avoid responsibility, it seems, though it may be dressed up as concern for users’ privacy – wash their hands of the matter. They refuse to store messages or keys and thus are unable to help with legal intercept requests. This leaves national security and police authorities with their hands tied, unable to apply the law in the ways they are used to being able to in the physical world.
But this weakness for security and privacy are born out of design. The outer layers of the Internet, where social networks and messaging apps exist, have moved faster than its lowest levels.
The technological foundations of the Internet, invented in 1969 to enhance communications between a limited number of academic, corporate and defence systems, and initially named DARPANET, have barely moved on. There was no thought around maintaining personal privacy on these systems back then, nor was there any thought given to the widespread use of sophisticated encryption systems.
Much the same thing is true of our legal system which, in the UK, relies on a complex hierarchy of precedents and legal acts, dating back centuries. Many current lawmakers continue to have a weak grasp of technology, and are prone to making over-generalisations that are neither practical, nor ultimately in their nation’s best interest.
To find a solution, we need to change the Internet, and our social networks. We need to retrofit our beloved, but dated, 1969 communications network with the powers it needs to continue to provide the amazing benefits it has done to date, but with safety and privacy embedded. We need a blanket policy that will treat everyone the same, and give everyone their rightly deserved privacy.
A mechanism for privacy should be provided at the application layer of the Internet and this involves several steps, and some caveats. To take part on the Internet, identities ought to be verified. This is a complex area, and the verification credentials required of a 10-year-old girl might not be the same ones required of a 30-year-old man. But the broad proposition is that everyone should have a verifiable identity on the Internet that remains the same throughout one’s life, much like your passport.
Encrypt To Protect
So, everything to be encrypted by law. Everything. Nobody, and no commercial organisation, will be allowed to read or identify your messages, browsing history or any other content you have produced on the Internet through any kind of scanning without your explicit consent.
The proviso is that when your actions and your content are encrypted, very securely, then the keys to that encryption action are retained by the service provider. If the law enforcement or national security authorities require access to those keys, then the regulated service provider will yield them, for the specific actions for which they have a warrant. Only people with something to hide should have anything to fear – again, only warranted authorities would be allowed access.
This, I believe, is the only solution. We need privacy. We need security. We cannot continue as a free, democratic society without a balance between those two things. I believe that legitimised key escrow, through agencies regulated by government, as telcos and ISPs already are, is the only solution.
No Easy Way
There’s no doubt that a transition to such a state will be resisted by some, and from well-meaning intentions. People, by-and-large, don’t want to change. Lobbyists perceiving a threat to the purity of the Internet will resist any infringement to existing rights. And not least, be sure that such a change would require a considerable body of legislation, communication and reassurance. It will be a long, hard road.
But consider the alternative. Across most of the Internet, private networks are harvesting everything you do, say and post. And make no mistake that state authorities are not equally interested in probing your digital persona on a mass scale. You have no privacy whatsoever in the current environment. Encryption will change the rules for that engagement – in the favour of private citizens.
The encryption tools we have now are empowering terrorists, who currently face no checks to their organisation, recruitment, and operational efforts. This state of affairs cannot be allowed to continue. Server-centric encryption against verified identities will make our Internet safe again.