This opinion piece was originally published in SC Magazine.
With social distancing the norm, we’re spending more time on the Internet doing more important things than ever – eg, working, learning, banking, trading, shopping, seeing the doctor and having family time – as well as streaming, gaming and interacting with our connected speakers.
Shouldn’t we be certain, especially now, that no one is eavesdropping, stealing or modifying our data?
Encryption is the primary means of accomplishing that goal. Using encryption, data is scrambled so that only the intended people can see the data. It’s right there under the covers most of the time when you’re on Wi-Fi, Bluetooth, 4G and browsing most websites.
Unfortunately, most online services today still do encryption in a piecemeal manner. Sections along the path are encrypted, but typically there are points along the way where the data is unencrypted and processed in some way before being re-encrypted and sent along.
The good news is that many messaging services – eg, WhatsApp, Telegram and Signal – offer end-to-end encryption, where only the sender and intended recipient can “see” the message. Everyone else along the path – even the company providing the service – can’t see inside. The more this happens, the better our data is protected.
But, consumers’ data protection is nonetheless being threatened, mostly by governments who want access to the data for law enforcement or intelligence purposes, but also by businesses that want to monetise their data. The request goes something like this: “We strongly believe in encryption to safeguard everyone’s data. Hey, we even rely on it in the government. And we don’t want any backdoors that would let criminals break in. We just need to see the data of specific individuals using your service. And we’ll only ask for it when there’s a serious crime involved and we have a warrant.”
Creating a dangerous master password
At first glance, this seems like a reasonable request. It’s only the data of one individual, there’s a good reason to want it, and the request comes with proper authority. And who doesn’t want to stop horrific crimes or to catch their perpetrators? But, this is what goes unsaid – the mechanism to provide access for any one individual’s data on that service puts everyone on that service at risk. It’s like creating a master password for the entire system. Sure, that password will be long and complex and nearly impossible to guess and only a few people will have access to it, and it will only be used in the most extreme circumstances.
But do you want this master password to exist? People at the company could abuse it, and governments could also abuse it; but even if you trust their intentions, look at their data security track record over the last few years – tens of thousands of data breaches involving billions of records (and by the way, why weren’t those databases better encrypted, which would have protected individuals’ personal data from being exposed?). Or even more importantly, do you trust that bad guys across the globe won’t figure out or find or steal that master password? If they do, all bets are off for everyone on the service. If users can’t trust that their communications are adequately protected, they will limit their use of the Internet.
Debates on this topic are happening across the globe.
Most arguments for this so-called “exceptional access” revolve around child exploitation and terrorism or other serious crimes. For instance, in the US the EARN IT Act, which was introduced to the US Congress in March doesn’t even mention encryption – it just implies that companies providing the services we all count on need to provide access to the pertinent data in an unencrypted form or face fines and prosecution. Yet, these are the same services that protect vulnerable communities like domestic abuse victims, journalists, and activists right alongside our families, military and law enforcement.
What you can do
Curbing criminal activity is an important task, but we can’t do so by weakening the security of virtually everyone online. Make sure your MP protects your right to strong encryption. Be aware of the variety of dangerous approaches governments are taking to get access to the data they want. They range from scanning unencrypted data at the sending or receiving end, forcing decryption somewhere along the path, to even tapping into the flow as a silent third party. All of these approaches represent mechanisms that jeopardise security by breaking the concept of end-to-end protection.
Let’s all join together to protect encryption. Let’s fight for our right to keep our communications secure. While governments may insist that they are sacrificing one person’s security for the greater good, in reality they are forcing the sacrifice of security for us all.
Take these six actions to protect encryption and protect yourself.