Last week's UK terror attacks at in London left more than 50 people injured and four dead. The attack shocked the world, not least because it was committed not with a sophisticated weapon but by a single man with a car and a knife. The attacker, Khalid Masood, was shot dead by police but his methods won't soon be forgotten.
It has emerged that Masood connected to the popular messaging service WhatsApp just two minutes before the attack. Like other apps such as Signal, WhatsApp uses end-to-end encryption to secure messages. UK Home Minister Amber Rudd has renewed calls for tech companies to create backdoors into their products in order to aid law enforcement agencies investigating crimes. In remarks to the BBC, Rudd said:
We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other.
It used to be that people would steam open envelopes or just listen in on phones when they wanted to find out what people were doing, legally, through warranty.
But on this situation we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp.
Rudd said she planned to meet with technology companies to make her case. WhatsApp said it is cooperating with authorities.
At the same time authorities are seeking ways into encrypted services, a fresh privacy promise is spreading throughout Silicon Valley. It's best summed up by the statement "We can't see your data," says Constellation Research VP and principal analyst Steve Wilson. This idea, that messaging or storage providers could not access or decrypt a customer’s data even if they wanted to was popularized by Apple in its dispute with the FBI.
The theme played recurringly at IBM's Interconnect event last week, Wilson notes. "For one thing, there is a strong move to pervasive encryption of data both in motion and at rest, with encryption keys controlled by the client," he says. "Under these arrangements, even if a warrant is served on a cloud provider like IBM, they might not be able to furnish copies of client data, without the client’s permission."
IBM’s new Blockchain as a Service is premised on the same principles, he adds. "I haven’t seen such a focus on cryptography standards and certification for many years." IBM is advocating for FIPS 140 and Common Criteria as benchmarks for cloud security and blockchain operations, while its Bluemix
High Security Business Network for the blockchain service has EAL 5+ security certification and FIPS 140 level 3 cryptographic key storage.
"These are the highest levels of security available outside defense departments, which indicates how seriousness IBM is taking encryption," Wilson says. "Clearly this is a doubled-edged sword. Governments should welcome IBM’s and other cloud provider’s security standards, even if the logical consequences are uncomfortable."
IBM also emphasized security containerization as the means for countering insider threats. As Wilson discusses in his research report, "Protecting Distributed Private Ledgers," private blockchains operate with much smaller consensus pools than their big public forebears. "This makes them intrinsically less tamper-resistant," Wilson says. "They also have particular exposure to rogue insiders at the host data centers. Recognizing this, IBM stressed that their private blockchains feature containerized key management, so that even the most trusted systems administrators can’t get at the keys nor the contents of a client’s ledger."
Speakers amplified the point by reminding attendees "that most notorious of all insiders, Edward Snowden, was quite a lowly admin, and look what he got away with," Wilson says.
"Now IBM didn’t quite put it this way, but in my opinion they could say to their clients, 'Hey, you don’t need to trust us,' insofar as the most critical elements of a client’s hosted system are beyond reach of the operator. As my favorite proverb goes, 'It’s good to trust but it’s better not to.' I think I’m seeing the back of trust."
It remains to be seen what type of consensus law enforcement agencies around the world and the tech industry can come to over data access. What's clear, evidenced by the trends Wilson highlights, is that the privacy debate is getting more complicated all the time.
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.