How do we balance safety and privacy? In a speech this week, UK Prime Minister David Cameron suggested that the UK ought to ban any communications applications that can't be intercepted - and said that if his government is re-elected this will be a major part of his legislation. His key question was:
"In our country, do we want to allow a means of communication between people, which even in extremis with a signed warrant from the home secretary personally, that we cannot read?"
His answer was "No, we cannot." The government must be able to keep people safe. He does not want to give terrorists a "safe space" in which to communicate.
In the wake of the Paris terrorist attacks, I expect we'll see more and more governments making similar statements about their need for increased legal powers for surveillance to help prevent these types of attacks.
There is a natural tension between "safety/security" and "personal freedom/privacy" and all societies have to determine where they fall on the continuum of options. After 9/11 here in the USA, many people seemed to want more safety (or our leaders made it seem that way) and as a result we got the Patriot Act and other legislation that basically led to the pervasive surveillance we've learned about from the Snowden revelations. While the pendulum has been swinging back towards a greater demand to respect personal privacy online, attacks like the one this week may send it swinging back toward more interest in national security.
I understand the desire. If my family were harmed in an attack, I would want the government to do anything possible to find the people responsible and bring them to justice. And I would want them to do whatever they can to prevent such attacks in the future.
But where do you draw the line?
This is the fundamental challenge of our time. How do we balance the legitimate security needs of governments to protect their citizens from very real threats - and at the same time allow people to have a level of privacy from government intrusiveness?
And what constitutes a "threat"? The government of one country may have a VERY different idea about "threats" than the government of another. Indeed some governments see other governments as threats and ironically want to use encryption to protect communications from interception by those other governments. And we know very well that some governments have greatly differing views of privacy and what constitutes personal, private information.
While these differences have always existed, the Internet has changed the equation. Back in the days when you could only communicate through telecom companies that had legal requirements to allow government access, the only way you could have encrypted real-time communications was through expensive equipment.
Now... anyone can use WhatsApp, RedPhone, Signal, SilentCircle or countless other "over-the-top (OTT)" apps (including many WebRTC apps that have no central control and are entirely encrypted) that ride over the data network to have secure, encrypted communication that CANNOT be intercepted. And the Internet Architecture Board (IAB) and the broader IETF community are calling for encryption to be the norm for all Internet-based communications (and we as the Internet Society support that position).
And now the governments of world are standing up and saying they want their control back.
And a terrorist attack such as the horrible one in Paris provides the exact opportunity for the governments to make their case.
It's a minefield. And we have to somehow navigate through all that... because the legislation and choices that governments make will have fundamental impacts on how this Internet of ours operates.
P.S. Additionally, as Cory Doctorow has pointed out in a great piece on BoingBoing, Prime Minister Cameron’s ideas would be extremely difficult to implement technically and would greatly hurt the UK’s Internet industry.