16 Jan 2015

Is Cameron really planning on ‘banning’ Snapchat?

Let’s be clear about what Prime Minister David Cameron said: he doesn’t want any wrongdoers to be able to communicate in a way that UK intelligence agencies can’t access.

That’s NOT THE SAME as banning any encrypted communications. Here’s why:

Let’s imagine jihadis use Snapchat (a service which allows users to send each other encrypted messages which then “self-destruct” on the recipient’s phone and apparently on Snapchat’s servers too).

If you’re the UK government and you want access to that jihadi’s messages you’ve got three options:

1. Ask Snapchat to keep copies of the messages of a particular user, and allow UK law enforcement access to the unencrypted file

2. Use brute force to unscramble the message as it passes from one jihadi to another via UK internet infrastructure

3. Agree with Snapchat that you’re going to keep a “master key” somewhere that will allow law enforcement to unscramble the messages (but, for example, only after informing Snapchat).

The problem with option 1 is that it relies on Snapchat’s approval, and UK law enforcement don’t like that.

The problem with option 2 is that it’s time consuming and costly.

Option 3 sounds tempting: until you realise that if the UK gets access to the skeleton key, there’ll be a queue of other countries lining up for the same access, including Russia, China, Turkmenistan, Kazakhstan….

So what if Snapchat et al refuse to play ball? Can Cameron “ban Snapchat?” How exactly will David Cameron banish such services from the nation’s phones? Just one of the gaping holes in this unfolding story.

This is as much about the UK’s power in the world as anything else. The vast majority of successful tech companies are based in the US. American law enforcement has far less trouble accessing them than UK agencies. So as a result of our lack of tech prowess, British politicians must go cap in hand to the US to ask for access.

Wargaming bank security

Conducting simulated attacks to test cyber-defences of banks is better than doing nothing, but it’s been tried before; twice, in fact: Operation Waking Shark I and II. The problem with these tests is that you simply cannot replicate the kind of attack banks are going to get hit with from a genuine aggressor.

Not only do the wargames not have the timescale required, but they can only deal with known threats; hackers are constantly coming up with new tactics. Added to which, the wargames are run by the banks and they therefore have a vested interest in lowering the bar. As an example, here’s an excerpt from the Waking Shark 2 report:

“Overall the feedback on the exercise was positive with the vast majority of participants finding the exercise to be extremely useful.”

What were the real results? We never found out.

Follow @geoffwhite247 on Twitter