Priorities clash over the call to encrypt the whole internet

Encryption isn’t just a nice-to-have for privacy-conscious web users – it’s essential to the growth of the online economy, and should be used across the entire internet as standard practice. That’s the view of the Internet Society, a global nonprofit focusing on internet policy – and it says that law enforcement agencies worried about tracking the bad guys are just going to have to deal with it.

In a blog post titled Securing Our Digital Economy, ISOC president Kathryn Brown argues for universal encryption on the internet to preserve growth of the online economy. She warns:

This cannot happen without a serious commitment by all parties to security and privacy. The truth is that economies can only function within a secure and trusted environment.

As such, strong encryption is crucial, and ISOC wants it to be the norm for all online transactions. “It should be made stronger and universal, not weaker,” she continues.

The spanner in the works is of course online crime and terror. Law enforcement and politicians consistently call for encryption loopholes that would enable them to read private data, on the basis that they need to know what the bad guys are doing.

Brown acknowledges this, and argues that we need to “deconstruct the issues faced by law enforcement and policymakers and agree together how we can achieve a trusted digital economy underpinned by encryption”. She doesn’t necessarily come up with solutions to the concerns of law enforcement, though.

Brown suggests three measures for G20 countries. First, acknowledge that encryption is an important technical foundation for trust, and get everyone to use it. Second, collaborate on securing the digital economy, and third, put users’ rights at the heart of any decisions made. Everything should be done in their interest.

To this end, ISOC calls for “ubiquitous encryption for the internet”. How would that work, then?

Encrypting the internet

There have already been some movements towards an encrypted internet, in the form of HTTPS. This secure version of the hypertext transfer protocol – the language that lets web servers send you pages – is based on the encryption standard TLS. When you’re surfing using HTTPS, snoopers can still figure out the domain name you’re accessing, but the data that you’re exchanging with the website (including specific URLs, content, and your login credentials) is scrambled.

Tech companies have been busily ushering everyone into an HTTPS world. Google began putting warnings on non-HTTPS sites last September, and Apple vowed last year to require HTTPS access for its apps. That’s important, given the rise in mobile traffic that we’ve seen on the web. WordPress, one of the web’s linchpins, also added encryption for all customer sites, which goes a long way towards making encryption a de facto standard.

Efforts to encourage end-to-end encryption in this way seem to be working. Mozilla spotted in October that the users who feed data to the company about their surfing habits had loaded more than 50% of their pages via HTTPS, which was a first.

Still, this doesn’t make encryption an actual standard that must be followed. There are still plenty of sites that don’t offer it. There was some hope for a mandatory standard in the form of HTTP/2, an update to the existing HTTP standard. There was a concerted effort to build encryption into this by default, but it was overruled.

There is now an effort to build what’s known as opportunistic encryption into HTTP/2. This automatically upgrades HTTP connections use TLS by default, if both sides support it. Otherwise, the connection uses plaintext communications instead. Email servers already have a special command called STARTTLS that does a similar thing for SMTP (simple mail transfer protocol) communications.

While encryption isn’t a compulsory part of the HTTP/2 spec, the browser vendors may well end up enforcing what the standards bodies won’t – as it stands, they are mandating that their implementations of HTTP/2 be used over an encrypted link. No one is enforcing the use of HTTP/2 as a communications protocol, though.

Governments won’t like it

What isn’t clear is what this means at a nation-state level. In the UK, the Investigatory Powers Act – often referred to as the “Snooper’s Charter” –  theoretically gives the government the right to require internet providers to build decryption capabilities into their services. In France, presidential candidate Emmanuel Macron is pushing for the same thing. But deliberately forcing providers to build “in-the-middle” surveillance features into what is supposed to be end-to-end encryption is something of a fool’s errand, for reasons we’ve outlined before.

ISOC has been a consistent supporter of encryption. It has written about how deliberately weakening encryption decreases trust in the internet without really deterring bad guys, who will presumably use encryption of their own rather than relying on what’s in their devices. Like many privacy advocates, ISOC points out that law enforcement officials won’t be the only ones to benefit from weakened cryptography. This is the internet, and someone else is going to find and exploit any deliberately-introduced holes.

(Sophos, for that matter, agrees strongly with the position that you can’t advance security by weakening it.)

The bottom line is that there are already standards to encrypt the internet, and it will be difficult for governments to force surveillance points into them if they’re used properly. But that means getting the internet to use them – and that could be the most difficult challenge of all.