Genuinely strong encryption – the sort of encryption that is as good as unbreakable if used correctly – is now readily available, even in consumer devices such as mobile phones.
In theory, therefore, even a non-technical user can prevent hackers or eavesdroppers (regardless of their motivation or legality) from getting hold of private emails, text messages, browsing history, browsing content, phone conversations, personal documents, pictures, location data, customer information, and much more.
So, the debate boils down to, “Is this a good idea?”
In the “No” camp are those who claim that strong encryption makes numerous important activities too hard, notably intelligence gathering, fighting terrorism and investigating crime.
The Noes propose some kind of build-in “backdoor” that would keep the system secure for the most part, yet would make it reliably possible for the encryption to be stripped off by a duly-authorised third party when necessary.
In the “Yes” camp are those who claim that strong encryption should be exactly what it says: strong.
That way, we can rely on it to keep terrorists, foreign spies, crooks and other ne’er-do-wells out of our own and our customers’ data.
Ironically, if you remove from the debate aspects such as whether privacy is a right; whether surveillance is morally sound; and whether governments can be trusted with sufficient power to unlock anyone’s secrets on demand…
…the Yesses and the Noes are as good as reaching the same conclusion from opposite propositions.
The Yesses: “If we deliberately weaken encryption products, then the Bad Guys will win.”
The Noes: “If we do not deliberately weaken encryption products, then the Bad Guys will win.”
Who’s right?
Proposed laws in many jurisdictions – good examples include the Investigative Powers Bill in the UK, and bill 2015-A8093 in the State of New York – suggest that the obvious line for public servants and legislators to take is, “No! Strong encryption is not a good idea, and should be fitted with escape holes for use in emergencies!”
But the reaction of the technology industry, at least in the US – Tim Cook of Apple has been audibly vocal, and Facebook, Google, Microsoft, Twitter and Yahoo have stood together on this issue – is, “Yes! Strong encryption is needed for strong data security, and you can’t strengthen something by weakening it on purpose!”
As regular readers of Naked Security will know, we’re strongly in the “Yes! Strong encryption should be strong!” camp, and here’s why:
Mandatory cryptographic backdoors will leave all of us at increased risk of data compromise, possibly on a massive scale, by crooks and terrorists…
…whose illegal activities we will be able to eavesdrop and investigate only if they too comply with the law by using backdoored encryption software themselves.
The good news, if you’re one of the Yesses yourself, is that the IT industry is no longer alone in the “Yes” camp.
The public service in the Netherlands recently thought the issue through and concluded:
The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.
Therefore, the government believes that it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.
And now, France is on board, too.
Axelle Lemaire, the French government’s Minister for Digital Affairs, put it in language that Naked Security readers will probably enjoy:
What you are proposing is a vulnerability by design. […]
While the intention is commendable, it opens the door to actors whose intentions are less than commendable.”
And, for the French Digital Minister, that, quite simply, is that:
In the government’s view, this is not a good solution.”
We may be miles from the end of this debate, but that’s a great comment on which to pause right now!
SOPHOS STATEMENT ON ENCRYPTION
Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.
Michael Qualls Jr.
Maybe we should all be tagged with GPS like cattle, just in case right? Maybe a small under skin locator, how about with all your info on it for convenience? The answer is no, actually…hell no. With any security comes a loss of freedom. If you want to be secure commit a crime go to prison where you can be watched 24/7 its safe there right?
Mahhn
I agree but; GPS, with a camera and mic, AND we pay for it ourselves. Yep, they didn’t know I went shopping last night, forgot my phone at home.
TonyG
I agree that backdoors are a fundamental flaw. There is no guarantee that a “safe” backdoor for the government won’t be compromised and mis-used. Not least, because if there is a backdoor, then it becomes the target of every foreign government agency and terrorist. It encourages industrial espionage on a global scale. And IoT security is enough of a problem without actively putting a deliberate hole in it.
The bad guys will always find a way round, and all it really does is make everyday life less safe for the law abiding 99.99999% of us. Should we really base our national security on being able to intercept and decrypt communications? In the short term, there might be gains, but how long before the bad guys develop their own encryption – what use is a backdoor then? The growth in knowledge and computer power says that is inevitable, and so the sooner we rethink the approach so that it is not based on backdoors, the better placed we will be to maintain security when that point is reached.
Maybe AI looking at patterns of behaviour and associations may be better than just the ability to intercept communications in the longer term.
Alan Robertson
Well said Tony! The bad guys will only develop their own encryption with no back doors, so why weaken encryption for the good guys? Doesn’t make sense.
Laurence Marks
Benjamin Franklin (one of America’s founding fathers) wrote “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”
Kyle Saia
wish i could thumbs up this more than once.
Mike
Sadly, this phrase makes people think the choice is either-or, when in fact the choice is both or neither.
George Lindholm
I think “our of our own and our customers’ data.” should be “out of our own and our customers’ data.”
Paul Ducklin
Fixed, thanks!
Josh Stinsman
So anyone can get a bullet proof vest that make it harder to shoot and kill them. So should we put remote devices in every bullet proof vest that drops the ceramic plates if it is being worn by a terrorist?
justiceISfake
but with proper guns laws…. the terrorist wont have a weapon and therefore we wont have a terrorist… or a terrorist with a vest :)
Paul Ducklin
Gun law analogies don’t really apply here. The deal with crypto is that companies are expected to protect their customers’ data, and the penalties are increasingly harsh for not protecting that data properly. Therefore it’s a peculiar irony also to have laws that require those protection technologies to be defective :-)
Bryan
no, the remote should transmogrify each ceramic plate into a note stating:
“For your protection your use of this vest has been rescinded–as we have determined for your protection that you are likely dangerous to those around you and have given you a more appropriate vest substitute–for their protection.”
…then they can be arrested and handcuffed without incident while they stop to read each note.
you are surrounded by dozens of little notes, all different.
cyberviking
The Yesses: “If we deliberately weaken encryption products, then the Bad Guys will win.”
Very correct!
The problem with the noes, especially those noes in the governmental agencies with three letter suffixes, -is that THEY have ALREADY proved they are as bad as the real crooks. In fact, they are worse since they are successfully spying on everyone they can get their slimy fingers on regardless of how guilty or innocent any individual might be. Crooks is not that effective and as such a lesser (but real) threat. I do not believe for a second the governmental spnsored spying has been a lesser problem after Snowdon blew the whistle. So the yesses are right, seen from ordinary peoples front of view.
TonyP
Its time to resolve this old chestnut. Backdoors are illogical; therefore, research should investigate the escrow of segments of keys. Key segments could then be held by independent bodies and only released as part of a legal process.
Mahhn
Yes, this is incredibly frustrating. Banking apps are the most obvious example to me. Clearly this must be encrypted. Any backdoor will be abused, which points out the obserbity and stupidity of those that promote such backdoors. They are supporting and encouraging criminal activity.