Report of the Independent Surveillance Review
13
1.26
Asymmetric (or public-key) cryptography involves encrypting data with a pair of keys.
Each user has a public key, which can be made openly available, and a private key that is
kept secret. Once information has been encrypted by another party using the intended
recipient’s public key, nobody but the holder of the counterpart, private key can decrypt
it (in reverse, if the private key is used for encryption, anyone with the public key can
decrypt it).32 The first widely available public-key encryption software was Pretty Good
Privacy (PGP), released in the 1990s as a response to the US government’s attempt to
control encryption via a proposal by the NSA, known as ‘Clipper Chip’.33 Typically, the
server a user connects to provides the encryption for an Internet session, in order to
provide security during the transmission process. Increasingly, however, companies
have begun to offer end-to-end encryption for all interactions over their network,
providing security in such a way that only the end recipients, not the company server
relaying the data, can decrypt the message.34 According to evidence given to the ISR
Panel by providers, data privacy has become an important issue for customers; offering
services using sophisticated levels of encryption can provide a commercial advantage
over competitors.
1.27
The trend towards more common use of encryption pre-dates the Snowden disclosures,35
and has been affected by other factors, including incidents such as the high-profile hacks
on celebrity Apple iCloud accounts in 2014, among many others. The subsequent privacyenhancing changes introduced by Apple include encrypting data by default on iPhone
devices – a move also made by Google in respect of Android devices. The encryption
of material on the iPhone is now user-controlled, meaning even Apple is now unable to
unlock securely configured iOS 8 devices.36
1.28
Increased levels of encryption are beneficial in increasing data security for law-abiding
users. The challenge for the government, however, is that while it favours encryption
as a way of enhancing cyber-security to protect the communications of citizens and
companies from criminals, encrypted devices and communications cannot easily be
accessed or monitored by law-enforcement and intelligence agencies, even pursuant
to a lawful investigation, since the companies themselves will be unable to access the
content of the communication. The encryption challenge was outlined by James B
Comey, the director of the FBI, in a speech to the Brookings Institution in 2014 where he
described two overlapping challenges:
32. Parliamentary Office of Science and Technology, ‘Data Encryption’, Postnote, No. 270,
2006.
33. Anderson Report, p. 60.
34. Ibid.
35. MI5 submitted evidence to the ISC that the disclosures by Snowden ‘accelerate[d] the use
of default encryption by the internet companies... which was coming anyway’. See ISC,
Report on the Intelligence Relating to the Murder of Fusilier Lee Rigby (London: Stationery
Office, 2014), para 440.
36. Anderson Report.