How imminent is imminent?

Powerful quantum computers already exist but nobody seems to know how soon they will be operational in ways which impact our everyday lives. Apparently that time is “imminent”. How many people/companies/Governments will have one? More than one? Pass.

Nevertheless alarm bells started ringing last week when the FT published an article in which they reported a claim made by “Chinese researchers”. The researchers appear to be suggesting they have been able to do something which, hitherto, was thought to be impossible with the current state of quantum technology.

The something the researchers said they had done was crack the forms of strong encryption which currently underpin a great deal of sensitive activity on the internet, or they were saying they knew how to do that.

Former UK Government security chief Ciaran Martin Tweeted a rebuttal and the “New Scientist” reported the claim was being disputed for want of sufficient evidence being published by the researchers.

But for me the notable element of the discussion was nobody disputed or really commented on the fundamental point. Quantum computers will be able to crack the forms of encryption currently widely used on the internet. And they will be among us…. later this year? Next year? 2025? Silence on that point. It’s a bit unsettling.

I follow Ciaran Martin on Twitter so I sent him this question:

Is ‘Harvest Now Decrypt Later’ a thing? And if it is should we immediately stop putting sensitive stuff in messaging Apps, even those which boast that their encryption is a guarantee of confidentiality/privacy against all-comers with no possibility of that changing on any horizon?

Harvest Now Decrypt Later is a thing. That bit of my question was rhetorical.

I have not yet had an answer but if or when I do I’ll let you know.

The existing public-facing online “security establishment” is heavily invested in the status quo where RSA and other forms of encryption prevail. Maybe there is a natural resistance to or scepticism about change, particularly on the part of those security consultants or commentators who had no hand in building the new kid on the block or have very little engagement with its further development.

So the question arises if, today or soon, researchers in China or anywhere else can crack strong encryption what should we mere mortals do now?

Quantum proof algorithms have been and are being devised but they are no use in respect of stuff which has already been transmitted or will be transmitted in the future before those algorithms are integrated into the messaging Apps I normally use. Can they be integrated? Is that economically and technically possible?

How and when will the transition from crackable to uncrackable begin and be managed? And how long before the new uncrackable becomes crackable? Most people will assume that whatever one computer can do another can undo, if it is powerful enough. Tricky questions for the gods of certainty to answer.

I am given to understand top-level terrorists and organized criminal gangs, the military, parts of law enforcement and the security services long since stopped using the internet for anything even remotely important or sensitive. They use highly customised bespoke services. You can see why. Where does that leave the rest of us?

That aside, is it possible, for example, the noisy push to retain or extend the use of the known, existing forms of strong encryption, for example by Meta and Apple, is nothing more than an attempt to reduce or keep low the costs of moderation and reduce potential exposure to legal liabilities? In other words it’s a short-to-medium term strategy about money, dressed up in the language of privacy, freedom, fighting against tyranny etc. More sellable. Without caveats it is also deceitful, a deliberate misrepresentation. Sins of omission are still sins.

If I am right about that then the duty of care provisions of the Online Safety Bill in the UK cannot come quickly enough. And the techno priesthood needs to stop playing their highly political game atop Mount Olympus and bring politicians and the public in on the debate.
