In my ongoing blog series “Hacker Mindset,” I explore an attacker’s assumptions, methods, and theories, including how information security professionals can apply this knowledge to increase cybervigilance on the systems and networks they steward. In this article, I explore the intense debate surrounding encryption and what it means for policy makers and consumers alike.
Cryptography and Communications
Cryptography protects our information systems by changing the way data is transmitted and stored. Through the use of mathematical formulas, it prevents anyone except the intended recipient from reading any given email or message. Because security experts consider encryption to be virtually unbreakable, it has been an essential layer of protection for individual users, businesses, and government agencies.
The increasing reliability of cryptography as a secure method of transmitting messages is a dilemma for law enforcement. Criminals and other bad actors using encryption can carry out malicious acts partly because law enforcement cannot monitor the content of their communications. Furthermore, in the event police do arrest these bad actors, they are often prevented from accessing critical email and text messages for purposes of obtaining evidence for trial. As a result, leaders in the law enforcement community have used their bully pulpits to advocate for so-called “backdoor” technologies that would allow the government special access to encrypted contents.
Mandated Backdoor Risk
Mandated backdoor access, if compelled by government, could take any number of forms. One proposal would require telecommunication providers to manufacture computer chips with a built-in backdoor accessible only by government. The Clinton administration proposed such an idea in the 1990s, but the proposal faded away after strong pushback from the technology industry. Another example was the litigation between Apple and the Department of Justice. In that case, the DOJ attempted to require that Apple develop a backdoor to an iPhone that was used by an assailant in the terrorist attack in San Bernardino, California.
Moreover, the government can use various legal methods to mandate the above proposals. For instance, Congress can legislate mandated backdoors at the political level. Or, as we see in the Apple case, courts could require such backdoors through judicial holdings. Regardless, policy makers must prudently consider whether to require the use of this technology in cryptography. Questions include whether law enforcement needs backdoors to investigate and prosecute crimes, as well as whether foreign governments can exploit backdoors for purposes of spying or cyberwarfare. Privacy is also a major concern, and many experts believe backdoor mandates will have the unintended consequence of not only weakening individual privacy but also creating an avenue for identity theft. If these fears prove true, then a backdoor mandate would help police solve crimes at the same time that it facilitates others.
A U.S. Congressional report released late last year found that weakening encryption is against the national interest. A backdoor, or mandated key escrow, would allow hackers, cyber criminals, and even foreign governments to exploit information systems. Security and privacy concerns must be incorporated into the design of new technology for it to be marketable to the vast majority of consumers. A privacy policy's actual value is measured by how efficiently it delivers real privacy as opposed to perceived privacy, and consumers will evaluate newly available technology according to how it fits into their personal belief systems of privacy. In the event of government-mandated backdoors, consumer confidence in the products they purchase is significantly undermined.
Need for Strong Encryption
The need for strong encryption at all levels of telecommunication products, from business to consumer devices, is apparent. However, in the past, we’ve seen government attempts at key escrow that were flawed in one way or another. It’s tough to design a secure system that prevents unauthorized access while allowing trusted third parties into the mix. The trusted third parties end up losing control of their key, which, in turn, enables hackers to exploit the gap quickly. Data breaches are common in our digital age and will likely only grow in frequency. A sound legal policy is needed that protects free speech without weakening encryption standards or building a backdoor into systems.
Freedom of expression is predicated on the assumption that two or more people want to collaborate and exchange ideas. Knowing that the government can access all channels of communication is truly a 1984-type scenario. The effect mass surveillance would have on the population would be detrimental. An individual's freedom of expression is infringed upon if anyone can intercept and understand private thoughts and intentions. Some Americans proudly proclaim they have nothing to hide and invite the scrutiny. This point of view is flawed in numerous ways. Many people might not know they are violating a law in any given situation and would be unpleasantly surprised to learn that even a minor violation can result from law enforcement's access to their personal computers and smartphones.
The Road Ahead
The United States leads the world in technology innovation, and policy makers should look to established experts in the field when crafting cybersecurity policy. The next few years will define the very nature of how we relate to the internet and technology. Books, journal articles, and other existing literature demonstrate that backdoors into encrypted communications cannot be accomplished without compromising the information’s confidentiality and that such backdoors can have severe unintended consequences. One consequence is that backdoors run counter to certain American values. U.S. citizens are accustomed to believing that they can privately exchange information free from government intrusion. However, backdoors will diminish this expectation of privacy. Moreover, providing law enforcement with a cryptographic key to protected communications will almost certainly mean that criminals and other bad actors will eventually acquire it. If such a key were leaked to the public, one’s data would be available not only to police but to common criminals as well, a concerning prospect given that legal due process requirements tend to limit the actions of law enforcement but not those of ordinary citizens committing a crime. Requiring that ordinary citizens hand over a key to their most private communications will only serve to erode privacy and put individuals at risk for identity theft, computer hacking, and other cybercrimes.