Lawyer suggests tying access to encryption to verified ID

Encryption has become one of those uncomfortable itches that nobody in the British government or its platoon of advisers seems quite able to scratch.

But every now and then, somebody feels compelled to try, the latest example of which emerged last week in comments made by Max Hill QC, who is leading the Independent Review of Terrorist Legislation (IRTL).

We only have the Evening Standard’s presentation of his comments plus a few follow-up observations by Hill to go on, but what he seemed to be saying was the following:

Social media accounts are used for direct communication and to spread terrorist propaganda, much of which uses encryption and is therefore difficult to monitor. The solution is to force all users to prove who they are before they get access to accounts with encryption privacy turned on.

In his words:

“A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user.

“If the technology would permit that sort of perusal, identification and verification, prior to posting, that would form a very good solution… and would not involve wholesale infringement on free speech use of the internet.”

According to Hill, this ID checking could be done in “nano-seconds” and at a cost that is reasonable for tech companies to bear given the profits they make.

Before dissecting how this might work – or not – let’s give Hill credit for opening his mouth in the first place. A lot of people will ridicule the proposal but it’s better to hear what people of influence think about the subject in order to expose its flaws before it influences policy-making.

Hill’s idea of identity checks sounds different from the home secretary Amber Rudd’s interest in bypassing encryption through technical means, but arguably all it’s doing is translating one problem (encryption privacy) into a new one (assessing identities).

The problem is that no such system of identity exists on the internet, let alone one that works in real time. Even making this work in one country, the UK, or on one platform, Facebook, sounds difficult.

And who would be the gatekeeper for an approved identity? The tech companies? A government appointee? ISPs? The latter already face the complicated challenge of implementing, from 2018, age verification for UK citizens who wish to access porn, and that’s a relatively straightforward problem by comparison.

Then, as with the debate over bypassing encryption, there’s the problem of displacement, as Hill acknowledges:

“It would not be an effective solution to the problem of online extremism simply to drive the criminal publishers of that material into dark spaces which neither the police nor anybody else can reach.”

Even if an identity system could be invented, there’s the likelihood that criminals would simply game it by using bogus or stolen identities.

This is because the internet is a system that thrives on its lack of identity checking. This has negative consequences – criminals impersonating people and stealing their identities – but in other instances, such as protecting oneself from the growing number of nosy, censorious governments, it is fundamental.

Surely it is not identity that should be at issue but online behaviour. Funnily enough, that was supposed to be another thing tech companies promised earnestly to filter in real time despite having failed to do so.

Why tech companies have struggled with this is a matter of conjecture. But until they can control what goes on inside their own platforms, withholding encryption for the badly behaved sounds like another example of fixing the symptom, not the cause.