Proposed New Anti-Terror Law Could Leave Us Vulnerable To More NHS-Style Hacks

By James O Malley

As the world mourns the dead from the Manchester Arena attack, it appears that the government is already preparing an inevitably draconian response.

The Sun is reporting today that after the election (which at this point is just a technicality for Theresa May), Ministers will ask Parliament to pass new laws to enable them to use Technical Capability Notices (TCNs) to demand that internet firms weaken their encryption so that messages can be intercepted.

Yes, sadly, as after every other terror incident, there are immediate calls to expand government surveillance powers with no thought as to the broader implications.

In essence, it would force these firms to build back-doors into their apps so that the security services can poke around.

The only mitigating factor would be that each order will need a warrant signed by the Home Secretary, as well as approval from a Senior Judge. (Go on, try to imagine a judge turning a request from the Home Secretary down.)

If this sounds familiar, it is because the idea has already been touted by Home Secretary Amber Rudd. After the Westminster Attack in March, she went on Andrew Marr where she gave a disastrous interview, calling for a ban on encryption. At the time I called this an "aggressively stupid" idea - and I stand by it for the reasons stated in the piece.

Digital rights campaigners the Open Rights Group have already offered a slap-down of the proposals too. In its detailed response to the Manchester attack, the ORG makes a particularly strong point: that this call to weaken encryption is coming only weeks after the devastating cyber attack that saw ransomware affect thousands of NHS computers.

"The recent #WannaCry hack demonstrated how a vulnerability discovered by the National Security Agency (NSA) to access their target’s communications was then used by criminals. These are powers involving different technologies but the principle remains the same: Governments should be doing all they can to protect our digital security", the ORG says.

In other words: If the government insists on backdoors to ostensibly stop terrorists, that is the same as opening the door to potentially equally devastating cyber intrusions. There's no such thing as a digital backdoor that only the good guys can use.

Issues of civil liberties or whether such moves would actually prevent terrorism (spoiler: they wouldn't) aside, weakening digital security hurts us all. Let's hope that the inevitable debate approaches this in a rational and technically informed way.

If you'd like to read more on this, check out this piece and just do a mental "find and replace" on "London" to "Manchester", to bring it annoyingly up to date.

(Full Disclosure: I donate a whole £2/month to the ORG as they're damn right about this sort of thing.)