It’s interesting watching how the series of news flows out and the sequence with which is sometimes unfolds. For example, earlier last month Tim Cook was rather vocal about his support for encryption. Of course he’s not alone, many large technology players are driving more and more towards encrypted devices and encrypted networks because, well, we’ve learned we just can’t trust people. Of course we always knew we couldn’t trust online criminals looking to profit from our data, but particularly in the wake of Snowden, we also don’t trust our government.
Now governments clearly aren’t all that keen on encryption the way Apple is doing it because it can be enormously effective – too effective for their liking. It’s so effective that we have the likes of David Cameron calling for it to be banned which is a farcical response, in part because it will simply never happen. The necessity to protect data in transit via HTTPS, for example, just simply isn’t negotiable for many online assets. Of course in some cases we have governments calling for back doors into encryption, although they’re usually not real clear on exactly which governments they believe should have access to these back doors…
Getting back to the series of news though, only a week after Tim’s quotes on encryption, the OPM breach hits the headlines. Here we have a case were millions of US government employee records have allegedly made their way into the hands of Chinese attackers. It’s not like we’re just talking about usernames and passwords here either; this is voluminous data on people in roles such as intelligence and military. You know, the sort of stuff a nation state adversary would be really, really interested in. Oops.
When the OPM news originally broke we were apparently looking at some 4 million people affected. Today the news is saying it’s more like 10 million. The FBI reckons it might be 18 million (that they know of). We may never know the truth and in all likelihood, the numbers are way higher due to the active attacks they don’t know about. This one apparently took place over a period of many years before it was discovered – how many more attacks are presently taking place within governments around the world?
Which brings me back to why people are getting so worried about governments handling their data – we just don’t trust them enough. We don’t trust them enough not to abuse it (there’s not a great track record on that front) and per the OPM hack, we frankly don’t trust them to be able to hold onto it without it being inadvertently disclosed to other parties. Encryption hands back a lot of control to individuals when it comes to how their data is handled and who has access to it. Device encryption as Apple and others are doing is one part of the picture, protecting data in transit like many websites do with HTTPS is another part and Facebook now offering to support OpenPGP keys on their profiles to protect messages once they’re stored in someone’s inbox is another great example.
Encryption is becoming less of a transparent technology implementation and more of a feature precisely because we just can’t trust those who are attempting to gain access to our data, even when they believe they’re doing so to protect us.