Going Dark – The Problem with Full Encryption

Since the 2013 Snowden disclosures on the spying activities of the NSA in the US (and other government intelligence gathering agencies worldwide, e.g. GCHQ in the UK and Mossad in Israel), there has been a move to encrypt everything, from our devices to messenger apps, along with the use of HTTPS to access websites.

This movement to encrypt everything is particularly an issue for law enforcement when they have a legitimate reason to eavesdrop on someone, or access a device, to gather evidence on criminal activity or terrorism. Some might say – “So What!” Well, if you are the victim of a crime, I am guessing you will want to catch and punish the perp’.

In some countries the Internet is very much more restricted than in the west, and government controls everything. For example, Russia is trying to ban all but a few VPNs, as well as restrict access to a lot of western-based websites and technology. China is also restricting its population in similar ways. North Korea doesn’t even allow its population access to the wider Internet. These are only a few examples, which can be extended to other regimes in Africa and the Middle East.

In the UK we have a piece of legislation called the ‘Investigatory Powers Act 2016’ (often called the ‘Snoopers Charter’) that sets out, and in some respects expands, the electronic surveillance powers of the UK Intelligence Community and Police. This is a broad piece of legislation that is too large to go into in any detail here – and I am by no means an expert on this legislation. However, one side effect of this legislation is that ISPs have to retain logs of all your internet activities in the UK – whether you are a UK citizen or not. These logs can be requested by law enforcement via a court order.

There is also a debate going on about encrypted messaging both in the US and UK (as well as other countries). Some are demanding that software developers like Apple, Microsoft, Facebook build in back-doors to their encryption so that law enforcement can decrypt any message they are interested in. Apple in particular is resisting this since they claim not to retain the decryption keys for their messaging platform. This is also the case for Telegram and Signal.

Introducing a back-door to encrypted messaging has consequences. Yes, Law Enforcement will be able to get at the messages for interested parties (hopefully read that as criminals), but so will hackers and cyber criminals. Hackers will be able to exploit the deliberate back-doors and decrypt your messages – the argument recently put forward by Apple especially around the time of the San Bernardino case.

The US Senate is also considering the state of fully encrypted messaging as stated in a recent Forbes article.

This also goes further than just messaging, since a lot of cloud storage companies encrypt all uploaded information (encryption at rest) and encrypt it in transit as well.

I am generally supportive of end-to-end encryption of messaging (including web browsing) and storage solutions as it keeps what should be private well and truly private. However, there is a case where Law Enforcement and Intelligence gathering agencies need access. If the decryption keys are not stored by the owner of the service (e.g. Apple, Facebook, Microsoft) this becomes a problem since they won’t have the capability to decrypt.

My personal view is that legislation will be passed in most western countries to force these tech companies to retain the decryption keys so that with the correct court orders the encryption can be broken.

However this brings forward yet another problem – that of data breaches. Every day (it seems) we hear about another major data breach. If the tech companies owning these messenger apps and cloud services have to retain the encryption keys in their data centres, these will become a target for cyber criminals.

I am the first to admit that I don’t have all the solutions here. If there was an easy solution I am sure some smart person would have thought about it. However I am very interested in following where this all goes since I am also a great believer that privacy is a human right.

However, one word of advice to anyone willing to listen. If you don’t want anything you say to be recorded and possibly disclosed (especially to cyber criminals and Law Enforcement), don’t say it on an online forum or in an email or messenger service. Also, if something is so private that you would not want it disclosed, then don’t put it on a cloud storage service – even if it is encrypted by yourself as well as the company. Given enough processing power, even the strongest encryption can eventually be broken. Although it might theoretically take centuries today, CPU horse-power is always increasing and building an encryption cracking computer is not that hard at all today.

Headline image provided by Markus Spiske on Unsplash.
