We can all learn something from King Canute. At least he had the humility to know, contrary to popular misconception, that he could not hold back the waves.
The same humility is absent however from the Investigatory Powers Bill – which seems to imply it can hold back waves of diffusion.
Diffusion is the way in which a new innovation, such as the car, television or the telephone, starts from a small niche market of early adopters through to being a commodity used by all. It’s best known from the classic Everett Rogers curve.
Think of any new innovation or technology – from flat screen TVs to contact lenses to electric cars – and it becomes apparent how diffusion works across multiple markets, industries and organisations.
Let’s consider how diffusion will impact the IP Bill by taking a look at encryption.
Computer encryption was initially limited to those with the compute power and expertise to use it – such as the intelligence agencies. Early work on public-key cryptography was kept secret. But as with any innovation it was only a matter of time before what was available to a very limited and select few followed the diffusion curve. Encryption moved out of its niche market and into the mainstream.
The impact of this process has been good for us all – better security for our online financial and commercial transactions, and better security for devices such as laptops and mobile phones. Successive waves of technical innovation have provided the intelligence agencies with short-term advantage. But over the longer term, those advantages flow out and diffuse to us all.
There’s a big downside too of course. This same pattern of diffusion happens in less helpful ways – such as criminal hacking.
At one time hacking was limited to those with in-depth technical capabilities. Now hacking is increasingly commoditised. Today someone without any technical knowledge can download and run automated hacking scripts and launch potentially damaging criminal attacks without any real technical understanding. What was once niche and specialist has become mainstream.
And this is where diffusion and the IP Bill clash. Big-time. Here’s why.
The Bill talks about being able to demand “the removal of electronic protection applied by a relevant operator to any communication or data”. The Bill also seeks other significant powers, such as making it legally permissible to remotely hack computers.
So let’s assume the Bill passes. Someone creates a way to “remove electronic protection” from any communication or data. So too hacking tools are created and exploited so that computers can be remotely compromised and their contents accessed. So far so good – just what the Bill’s authors wanted. Trebles all round.
Ah. But we haven’t yet considered the impact of diffusion. Unfortunately what starts today as a specialist way of compromising security and enabling remote hacking will tomorrow become a commodity, available to all. A universal way to remove “electronic protection” from every device, communication or data.
It’s hard to believe anyone considers this a good idea. Consumers will no longer be able to trust their devices or online financial and commercial transactions, or businesses their mission critical information systems. Without trust, our online commerce and financial environment will fail. Worst of all, the intelligence and law enforcement communities will find their own operations and security progressively, and fatally, compromised.
The IP Bill in its current form will lead to the very opposite outcome to that its authors foresee.
More time is needed to get the Bill right. The wrong decisions now would prove devastating. Not just to our trust in technology – but to our personal and national security.
Just as King Canute accepted that he could not hold back the waves, the civil servants authoring the IP Bill need to recognise that they can’t hold back diffusion.
New tech observations from the UK (ntouk) 
This is a topic that never seems to go away! The Home Secretary has apparently launched an initiative to break encryption to help identify child abusers and terrorists (see reports in the Telegraph and elsewhere earlier this month — September 2021).
This isn’t the first time the UK government has attempted to solve the riddle of how to enable companies to detect criminal activities, such as images or videos of the sexual abuse of children, but without compromising encryption.
And we’ve just witnessed an attempt by Apple to do just this via the implementation of client-side scanning of users’ images through a tool called neuralMatch. Well, that’s caused no end of public criticism and the withdrawal, or at least temporary suspension, of the idea.
So far, it has been impossible to show how such features could be implemented for law and enforcement purposes without also opening them up to others — and diffusion tells us this would be inevitable. The debate also hides the reality that intelligence and other agencies have no shortage of data, including extensive information on patterns of communications between users, sites visited and so on.
If any government breaks online security and privacy, the consequences will be horrific and put some of the most vulnerable, including children, at risk. It will cause far more problems than they intend to solve. Democracies should champion strong security and privacy by default and promote them as an essential and non-negotiable feature of a safe and secure internet. It’s another aspect that distinguishes us from the regimes that use the internet as a tool of surveillance and repression. We should not be following in their footsteps, however well-meaning some politicians who speak about “breaking encryption” might be.