In the wake of the horrific Paris attacks, British Prime Minister David Cameron, left, and U.S. President Barack Obama met in Washington last week to discuss digital security and surveillance.STEPHEN CROWLEY/The New York Times
When British Prime Minister David Cameron publicly called on the world's biggest technology firms to assist law enforcement agencies in breaking digital encryption, he became the latest politician to assert that it is possible to balance Internet security and surveillance.
Whether that balance actually exists, however, is the subject of intense debate.
Prime Minister Cameron travelled to Washington late last week to meet with U.S. President Barack Obama. One of the major topics of conversation between the two leaders is digital security – a group of 12 U.K.-based cybersecurity firms is also travelling with the Prime Minister.
"The U.K. is already leading the way in cybersecurity and this government is committed to ensuring it continues to be a leader in this multibillion dollar industry," the Prime Minister said in a statement on the eve of his U.S. trip.
But what was originally planned as a discussion about British plans to strengthen digital security has suddenly become, in many security experts' view, a discussion about doing the exact opposite. In the immediate aftermath of the Paris shootings – one of the worst acts of terrorism in postwar French history – Mr. Cameron has publicly called for technology companies to co-operate with efforts to allow British law enforcement agencies to crack encryption, the fundamental building block of digital privacy.
"It's really odd in one breath to talk about improving cybersecurity and then in another breath call on companies to weaken security by weakening encryption," said Christopher Soghoian, principal technologist with the American Civil Liberties Union.
"There is no way to design the system to keep the Chinese and North Koreans out but let the North Americans and British in."
Encryption is, at its most basic level, a means of keeping information secret using very large numbers. Just as a 15-digit PIN is harder to guess than a four-digit PIN, high-grade encryption algorithms that manipulate larger numbers are usually harder to break. As such, all things being equal, encryption is not only a fairly effective means of keeping data private, its effectiveness can also be mathematically measured.
But ever since the Edward Snowden leaks revealed widespread claims of authorized and unauthorized government surveillance of many of the world's most popular digital services and social networks, the technology giants responsible for those services have taken great pains to improve their encryption standards.
(The motivation for doing so is, primarily, financial – companies such as Google, Microsoft and Apple stand to lose billions if enterprise customers such as banks and other large corporations no longer trust their systems to keep sensitive information private.)
In recent years, some tech companies have gone as far as creating encryption schemes the companies themselves cannot override – meaning that, if law enforcement agents come looking for information such as the content of user messages, it is technically impossible for the company to provide it.
It is precisely those measures that Mr. Cameron appears to have in his sights. Although the Prime Minster has not released technical details of his proposal, security experts say there are generally two ways to make it easier for law enforcement officials to nab encrypted data – either force companies to maintain a "vault" of passwords that can be accessed when needed, or deliberately build flaws into the encryption algorithms, which can be exploited later. In both cases, however, the proposed solution would create new points of weakness that can be exploited not only by intelligence agencies, but anybody else.
"You can see that neither of those is appealing," said David Skillicorn, a professor at the Queen's University School of Computing.
Mr. Cameron also faces an uphill jurisdictional climb – most of the companies that would need to agree with his proposals are not headquartered in Britain.
"And if it only focuses on data stored in the U.K. … then you'll start to see some companies move offshore," said Prof. Skillicorn. "There's a misconception politicians have that borders mean something in cyberspace."
However some industry experts say that, regardless of how difficult the issues of digital privacy and surveillance are, politicians increasingly have little choice but to face them head-on.
"In the case of [David] Cameron, I think he said some things that are very important – he proposed comprehensive legislation, and I think that's what the government's job is," said Roger Billings, CEO of GoldKey Corporation, which designs high-grade security and encryption solutions primarily for government, military and large corporate clients.
"In today's world, if we did not have encryption for things like online purchases, they would soon come to an end. But maybe that's not as important … if we're all killed by terrorists. Trying to balance that is not only very difficult, it is something that changes from day to day."