March 28, 2017

Editor’s Note: I try not to bring politics into my development discussions, but when they intersect, it’s always a good time for a teaching moment. If you leave a comment, be civil and follow the rules of having a good discussion, or I will outright delete your comments. There’s no room here for rude people. We’re here to talk about encryption, not start a political war. Be good.

Last week in Westminster – a neighborhood of London, terrorist Khalid Masood killed 4 people and injured more than two dozen. While the terrorist attack was heartbreaking, and our thoughts and prayers go out to the victim’s family, it’s the aftermath of the attack that’s stirring up technology specialists around the globe.

Home Secretary Amber Rudd has put out a call to big tech companies – Google, Facebook, Twitter – to take on extremist content on the web.  The article, posted by The Guardian, goes on to name several services that (according to them) contribute to terrorism around the globe. Three services are named in particular: Telegram, JustPasteIt, and… WordPress.

The full blurb (highlighted text is my emphasis):

What is it?

Uunlike Telegram WordPress is not a mobile phone messenger but a free website publishing and hosting system. WordPress software supports more than 60 million websites from personal blogs to major newspapers, and the free hosting site WordPress.com hosts approximately 40 per cent of the world’s blogging sites created by webdesign companies like http://www.webdesign499.com/web-design-jupiter/.

To create a WordPress.com account, users log in with an email address, which they could have created anonymously. They do not need to provide a phone number.

Once users have picked an available web address and chosen a basic website template, the new site will appear online.

Why is it linked to terror?

Its low cost, ease of use, and anonymous interface means terror groups are as likely as the average website owner to create their sites using WordPress.com – for propaganda, radicalisation or publicity.

It is possible to secure and encrypt a WordPress site’s server so content cannot be hacked, and to share an encryption key with others so content can be shared privately.

But most such sites are publicly available and used to spread content. According to US think tank the Counter Extremism Project, WordPress.com sites have played host to beheading videos, firing squads, and a video of a man being shot in the head, emblazoned with the words This In the Enemy Of Allah.

Who runs it?

The WordPress project was co-founded in 2003 by two developers, American Matt Mullenweg, 33, and Briton Mike Little, 54. Mullenweg’s company Automattic owns WordPress.com which acts as web host for the majority of smaller WordPress sites.

Automattic was valued at over $1bn in its latest funding round. Little, who lives in Stockport, developed the original WordPress software alongside Mullenweg but has gone on to focus on other development projects rather than on the WordPress.com web hosting business.

Encryption and the Web

If you’ve never heard of encryption by that term, you’ve still seen it in action: when you go to Amazon to purchase something, that green lock in the URL address bar is letting you know that the site has an SSL Certificate.  It’s not foolproof, but encrypting the data securely via SSL is a “first level” defense against hackers getting in and intercepting the data.  If someone were to intercept secured, encrypted data – they’d see a bunch of random ones and zeros, or a string of gibberish characters.  But, the SSL certificate acts like a decoder pin – it has the necessary information needed to interpret and read the information.

Encryption: What’s the Problem?

Using the decoder pin example, let’s take it a step further. Let’s say you write a message with a decoder pin, and you are the only one that has that specific pin. You are the only point of failure, and someone would have to literally mug you in order to decode your data.  Now, with enough tries, a person could -guess- your decoded information, but the time it would take to iterate through all of the possible combinations. In the InfoSec community, this is known as a “Brute Force” attack.  A person could also guess at what you’ve written using common words and phrases.  This is known as a “Dictionary” attack.  Both of those attacks are much harder to pull off successfully with one point of failure – your decoder pin.

The problem, then, is that governments are starting to see encryption as a bad thing. They see data they can’t snoop into and – contrary to the US judicial system – immediately decree that you must be guilty because you’re hiding something.  Both the US and the UK – especially after last week’s attacks – are ramping up pressure on tech companies to install backdoors into their programs. Basically, they want the FBI and UK governments to be able to tap into those programs to read

This is a terrible, terrible idea.

Remember that single point of failure?  Imagine, now, that someone has made a copy of the decoder pin, and handed it to the law enforcement agencies.  They’re able to – at any time – see anything that you’ve written with your code.  To some people, this may not seem bad, but let’s look further for a moment.

  • We now have two points of failure – 100% more chances that a hacker or dubious individual can use your encrypted data maliciously.
  • Humans are humans. Even if someone has your decoder pin and pinky promises not to use it, the allure of being able to access that data may be too great.
  • If the decoder pin is stolen or misused (by others, or by their intended audiences), your data is now at risk.

The Bottom Line

I am a firm believer that humans are mostly good. Sure, there’s some terrible people out there, but I know Muslims, Christians – Humans in general – and all sorts of other people that are terrible, and I know many more that are legitimately good.  And people have a right to privacy.  I have a right, in my own home, to be free from people spying on what I do. Does that mean that I’m doing something dubious? Absolutely not – it just means that I have the right to have people not be “all up in my business” when I’m home.

Online data is a different animal, but I think that we still have the right to that privacy.  The ability to encrypt data is no different than putting something in a safe where we have the only key. I would never give a random person the key to the safe in my house, and I don’t expect to give the key to a random person to inspect the data I send online, either.

Educate yourself.  We should not, even for the sake of safety, have to give up any more rights than we already have.  The right to privacy far outweighs that.

This subject will come up more in the coming months, as more and more people start to learn what encryption is.  I hope that the value of encryption is seen over the need for personal safety, especially because – in the long term – a sacrifice of encryption will not lead to a safer world.