Beware of messages hiding in plain sight
A view from Scott Ross

Beware of messages hiding in plain sight

Encryption is not simply the domain of the big tech platforms.

On 22 March, the actions of Khalid Masood on Westminster Bridge and the resulting loss of life served as yet another reminder of the vulnerability of our society to such disturbed and determined individuals. In the aftermath of this tragedy, it was discovered that a number of messages and photos had been sent from his WhatsApp account only minutes before his attack. Messages that, due to the encryption used on the platform, can never be decoded.

Again, this has sparked a debate in the media about the need for the government to monitor these platforms. During an interview on The Andrew Marr Show, home secretary Amber Rudd was asked if it was acceptable that platforms such as WhatsApp remained beyond the oversight of intelligence services. Her response that the situation was indeed unacceptable and that companies had to take greater responsibility has triggered a backlash in the technology community, who labelled her statements "draconian" and "misguided". They even mocked her and other cabinet members for personally using the very service she called "a secret place for terrorists to communicate". 

Focusing efforts on monitoring platforms such as WhatsApp, Telegram and Facebook Messenger acts as a distraction that will reduce the overall effectiveness of our security services

Putting hyperbole aside, the community is correct that this is not the appropriate path to security – but not for the standard reasons. It is not because of the inherent danger of back doors and the weakening of encryption it brings; nor is it because of the difficulty of shaming global corporations into abandoning their views towards privacy. 

The true reason this path should not be followed is one of practicality. Encryption exists in the wild outside of platforms such as WhatsApp, Telegram and Facebook Messenger, and focusing efforts on monitoring these platforms is not only impossible but acts as a distraction that will reduce the overall effectiveness of our security services.

In a world that has turned digital, focusing on these platforms will only result in massive expenditures to monitor the constantly increasing number of communications channels. It is a waste of valuable resources attempting to sift signal from noise. With a total budget of just under £3bn (FY2015/16), our intelligence services are already under-equipped for such a brute-force approach – recently, Google disclosed it alone has invested more than $30bn on its cloud infrastructure.

Even if it was indeed possible to keep pace with this fire hose of data, breaking end-to-end encryption only removes a form of convenience. It in no way prevents determined individuals from hiding their communications from others. To illustrate this, I have used three forms of encryption in this article to deliver a secret message to the editor of Campaign, all known to the general public.

The first message uses public-key encryption and free software OpenPGP to encrypt text anywhere, even on the printed page. Invented in 1991, PGP brought encryption to insecure channels such as email by ensuring the contents of a message were unreadable before they were sent through a platform, and is still widely used today. While it looks like a string of gibberish text to you, someone with the right key (delivered securely to Campaign via USB drive) can decode its real meaning.

The second message uses an even simpler form of encryption called a book cipher. Dating back to
the 15th century and popularised in TV shows such as Sherlock, individuals who possess a shared secret – such as the same copy of a book, purchased at a local bookstore this morning – can encode messages that again can be sent anywhere you can type but are nearly impossible to decrypt.

While the first two messages appear somewhat suspicious, the third is more subtle. Using a technique called steganography, a photograph from my recent holiday in Australia posted to my Twitter feed has had its pixels subtly altered to conceal a string of text (tinyurl.com/mzhgujl). And, by incorporating one of the previous types of encryption, it renders the message not only unreadable but invisible. If you look closely, I have exaggerated the effect, so you will see a series of noise or dots in the background.

Combining all three messages results in a time and location for a future meeting. This is where I hope to continue an open debate regarding the challenges we face and the unnecessary burden we place on our intelligence services expecting them to close stable doors after the encryption horse has bolted. Feel free to join me in the debate – it can be our little secret.


Secret Message 1

-----BEGIN PGP MESSAGE-----

hQILA+UgzFYrslCnAQ/3TFQ5PffX7sItvGzeBfb9NSPoyv3zHIszTQNxpK4Hhsil

pFHkQEaiSn4T++NRZErseFG5vaUAp5w3kyKjaa8lrW1AeeZq2ttKFtQ7o/SGcYVs

Ys86u3xajA5nG+bL5zXIFmDoE/pO9QFPYMa2aZa4N5WYMrUwYMAfzLgHJT4bSZAo

CwGsFhbg0/uDKIoe4SPc0W8wP8/g1X/Lo3tHYaKQNVPXLWQ5EHlAhRfajgPoagVo

UIY+hYHhGI3VFgew7WmMPdyverEaFohFTHhSTVxSWXrRgk5ubxKa8f5JpEbS2WZc

0M5iFE22kczypPGZOXgSgWgcO3R/ORPvU27DQN7S2Zu5m2Qa9scJMYKWSq6RDEtU

j30vz/XmDcCF4f0kbe/5fY6z72KeklW8m6eS/Rcvv0eMhS1nChIUrZDDANLMU9cx

FwSeHhER4qqyDm4bgwZ1MdHN6oFQPdaxgmJFe2WsbmeaW8ZD24Q7Bxi5GSUAkam9

SBGAGHU4mHhCDCA25J1+w0082LvObfGSW/EoUCwKX377Pdw2sbN3bY/H7Ua2u/tn

WVA+S+H//EXhaBYnaEHOUSWi9mziEQPGrkx0jBHL9K2KE9F/aVjZGUUyF/NwWyKy

1ct63KTRL/r5KUW5TbQvRGd9LgSqitOjZIarBQ2WDk08x7jT8STm4p1XbFd7fNJZ

AURAVZA7gCs/TvDt+4Q0zLv+NM3pOpkz0EzuL3ROyvmLZAsfS+KUAFgKoBwE1uqi

H53otpjKT2t3obC5kKAJAlcyqm6axO/KHntjERDUnje2gHRRcRm/hjE=

=stLh

-----END PGP MESSAGE-----


Secret Message 2

219-3-8, 126-6-1, 130-1-5, 

195-3-5, 200-5-13, 31-2-6, 

85-3-33, 63-2-15


Secret Message 3


Scott Ross is the chief technology officer, international, DigitasLBi