It’s always fascinating to watch how security concepts are communicated to the general public and by “fascinating”, I mean it’s sometimes horrifying. There is no more poignant an example than that of encryption and I found the piece from CNN a few days ago on how encryption is a growing threat to security to be the absolute epitome of disinformation. It would be understandable if the general public walked away from reading and watching this piece with the distinct impression that encryption was the root of all evil. Why? Apparently “because terrorism”.
To be fair, CNN doesn’t have a monopoly on crypto disinformation and you’ll find misunderstandings all the way up to the British Prime Minister, but let’s run through some of the problems anyway. Firstly, there is a view that encryption is an “emerging technology” (their term). I guess that’s open to some subjectivity, but given cryptography dates back about 4,000 years I’m going to say no, this is far from a new “threat” rather a modern incarnation of an age old practice.
Next up is the assertion that terrorist organisations are using encryption to keep their messages private from US federal agencies. Here’s the thing with that – everyone is using encryption to keep their messages private from US federal agencies! You are, your friends are even your kids or elderly relatives are because unfortunately, trust has been broken. The massive data collection exercise of the NSA was illegal and understandably, people are cranky. Not just individuals mind you, but corporations that now feel an increased obligation to protect their customers above and beyond the measures they were already taking.
The argument often mounted by the mainstream press in support of back-dooring encryption is that the government should simply keep a key handy to unlock the comms of suspicious parties. Ignoring the significant challenges of actually doing that in a secure fashion for a moment, it begs a rather important question: which government? Oh, you mean the US government, well let’s just follow that thinking through for a moment.
Let’s say Apple (who incidentally, has been a vocal proponent of strong encryption) provides this mythical private key to the NSA. Now what happens to their relationships in Germany? The German government has the same desire to protect citizens from terrorism so maybe they should get a key as well? But then do German citizens feel comfortable with a foreign government having the ability to intercept their comms? Or do you start making things really complex and saying different nations should have their traffic keyed differently such that there can be local government oversight in each respective jurisdiction? And then which nations are afforded this oversight – does China get a key? Does Egypt?
Turn it around and look at tech companies based in other countries too. Let’s take Samsung – what if the South Korean company decides to maintain strong encryption and not opt in to US government oversight? How does that change the balance of smartphones in a market such as the EU? The CNN article refers to Silicon Valley companies already losing tens of billions of dollars as a result of the NSA surveillance and customers simply losing trust in US companies. This is on the assumption of ongoing US government oversight, how would that change if, say, Apple was legislated to back-door their iThings?
There are no easy answers to enabling broad government oversight of communications without fundamentally compromising not just the privacy of individuals, but the viability of the organisations that produce the tools that governments are asking them to weaken. If legislation of any kind does pass, those who desire private communications will simply source the appropriate tools from elsewhere and carry on with their business. Those who require encryption as an operational necessity (such as terrorists) will invest the necessary effort to ensure they still have it because for them, it’s an easy ROI to justify. Meanwhile, those who were implicitly protected by the likes of Apple who are increasingly baking encryption into everything they do will be the losers as their privacy is eroded by compromised security measures.
Think about that as you’re reading this on your encrypted device or sharing it on encrypted social media via the cryptographically signed software running on your machine.