Exploring Amber Rudd’s Comments On Encryption In The Wake Of The Westminster Attack


Dr Andrew Whiting, lecturer in Security Studies at Birmingham City University, responds to Home Secretary Amber Rudd’s comments that strong encryption is ‘completely unacceptable’, should be outlawed and that the authorities must have access to messages sent through encrypted platforms such as WhatsApp.

The proliferation of the Internet has brought with it benefits in access, speed, efficiency, reliability and capacity across the personal, public and private spheres. In the UK we enjoy and utilise a whole host of services online from news and current affairs, banking, entertainment, communication and various social platforms.

The reality is that a range of nefarious actors have access to many of the same benefits, be they fraudsters, paedophiles or people like Westminster attacker Khalid Masood, who have the intention to commit physical violence against members of the public.

In fact, terrorist organisations have embraced the benefits of the Internet and their use of this space has been the focus of academic research for some time. Terrorists have used the Internet for propaganda, recruitment, information gathering, finance, training and communication to name but a few functions. Communication has garnered a lot of attention this week after the revelation that Masood received a message via WhatsApp (an online messaging platform) just prior to conducting his attack outside Westminster.

With four people dead and over 50 injured in the attack, it is inevitable and right to reflect upon and reassess security measures.

The controversy here surrounds the ‘end-to-end encryption’ that WhatsApp users enjoy when they use this messaging platform. What this means is that when you send messages using WhatsApp you can be confident they are not finding their way into the hands of criminals or being ‘snooped’ on by the likes of GCHQ or the NSA.

When a message is sent it exists as ‘plaintext’ (e.g. English) before becoming encrypted via a ‘public key’ housed on a public server. At this point the message is unintelligible to everyone and can only be decrypted via a unique ‘private key’ housed on the message recipient’s device. Once it arrives on our recipient’s device it is converted back into plaintext and its content is only known to the sender and the recipient. In this sense both ‘ends’ of the communication are required in the encryption and decryption process, making it incredibly difficult for external actors and agencies to reveal the content of any message, picture, voice clip or video sent via this service.

A clear justification exists for such encryption when savvy criminals and prying security services have demonstrated their ability and willingness to gain unauthorised access to public data. However, what happens when those guilty of murdering members of the public also use the service? Accessing their messages could provide insight into the suspect, potential networks or even future attacks.

On the BBC’s The Andrew Marr Show, Home Secretary Amber Rudd spoke about how Masood’s use of encrypted communication via WhatsApp was ‘completely unacceptable’.

In the interview Marr pressed Rudd on pressuring companies like Apple and WhatsApp to build a ‘backdoor’ into their encryption to allow the security services and law enforcement privileged access to information relevant to their investigations.

This might sound like an uncontroversial solution but the innocuous sounding ‘backdoor’ is ultimately a backdoor for everyone regardless of intended usage. That backdoor may be set up for ‘our’ security services and law enforcement but once it’s in place the guarantee of secure communication is gone; the backdoor will serve as a point of access to whoever discovers it and thus essentially undermines the entire purpose of the encryption.
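The public-key flow described earlier and the backdoor point made here can be seen side by side in the following added example, which is not part of the original article and is not WhatsApp's actual protocol. It uses a toy Diffie-Hellman group and hash-based keystream (assumptions chosen so it runs with the Python standard library) and a hypothetical escrow key standing in for the 'backdoor'.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration only; not a vetted group or cipher.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public); the private half never leaves its device."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _xor(data: bytes, secret: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream derived from secret."""
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(secret + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(msg_key: bytes, body: bytes) -> bytes:
    """Integrity tag so a wrong key is detected instead of yielding garbage."""
    return hashlib.sha256(b"tag" + msg_key + body).digest()

def encrypt(plaintext: bytes, public_keys: list) -> dict:
    """Encrypt once, then wrap the message key for each listed public key."""
    msg_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keypair()
    wraps = [_xor(msg_key, pow(pub, eph_priv, P).to_bytes(32, "big"))
             for pub in public_keys]
    body = _xor(plaintext, msg_key)
    return {"eph_pub": eph_pub, "wraps": wraps, "body": body,
            "tag": _tag(msg_key, body)}

def decrypt(envelope: dict, priv: int):
    """Return the plaintext if priv unwraps any slot, else None."""
    shared = pow(envelope["eph_pub"], priv, P).to_bytes(32, "big")
    for wrapped in envelope["wraps"]:
        msg_key = _xor(wrapped, shared)
        if hmac.compare_digest(_tag(msg_key, envelope["body"]), envelope["tag"]):
            return _xor(envelope["body"], msg_key)
    return None

def demo():
    bob_priv, bob_pub = keypair()          # recipient's device
    escrow_priv, escrow_pub = keypair()    # hypothetical 'backdoor' key
    outsider_priv, _ = keypair()           # relay server or eavesdropper
    e2e = encrypt(b"meet at noon", [bob_pub])                 # constructed sample
    escrowed = encrypt(b"meet at noon", [bob_pub, escrow_pub])
    return (decrypt(e2e, bob_priv), decrypt(e2e, outsider_priv),
            decrypt(e2e, escrow_priv), decrypt(escrowed, escrow_priv))
```

In the escrowed envelope, the ability to read the message depends only on possession of the escrow private key, not on who holds it or why.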

The desire to stop violence like we saw at Westminster is an uncontroversial one; however, violence like this shouldn’t justify carte blanche for the government and the security services.

Underpinning all of this are a range of questions central to the study of security, such as: What is security? Who or what is security for? Who or what do we need securing from? Is security even a possibility? Is it desirable?

Rudd’s desire to undermine encryption by providing external access to the security services relies on an understanding of security that privileges the state and purports that security will be enhanced if the guarantors of security have enhanced powers to combat existential threats such as terrorism. However, adopt a different position in relation to the above questions and you could conceivably come to a very different conclusion.

For example, you might conclude that broken encryption represents an encroachment by the state on civil liberties, sets a dangerous precedent on encryption more broadly and creates vulnerabilities for nefarious actors to exploit. In fact, it appears to contradict other security priorities the government laid out as recently as November 2016 in their updated Cybersecurity Strategy (a summary of which can be found here).

This document recognised citizens and their data as needing protection as well as the necessity for UK citizens to ‘defend themselves’. The document also stated the government’s desire to ‘rigorously protect and promote our core values…[to]…preserve and protect citizens’ privacy’ (National Cyber Security Strategy, 2016, p25).

How confident are we that undermining the core values the government itself reasserts in the 2016 Strategy is the best way to respond to a threat that (at least in part) is considered so threatening due to how it attacks these core ‘British values’?

Moreover, while Masood admittedly appears to have taken advantage of WhatsApp’s end‑to‑end encryption, how confident are we that breaking encryption would stop these individuals and terrorist organisations in their tracks?

Violence like we saw outside Westminster is a tragedy and always an emotive topic that needs to be considered carefully and with sensitivity. With four people dead and over 50 injured in the attack, it is inevitable and right to reflect upon and reassess the security measures currently in place. However, we must strive to remain critical in our assessment, be realistic about what level of security is achievable and desirable and not allow security to become synonymous with protection against terrorism at all costs.

The Home Secretary’s comments in relation to encryption threaten to undermine security online and infringe upon the citizenry’s right to privacy.