Security vs. encryption – time for some myth busting

Security & Privacy

“In war, truth is the first casualty.”
Aeschylus

We are at war again. FBI vs. Apple is all over the headlines and this seems to be one of the most important battles in Crypto War II (CWII). For the record. The first Crypto War raged in the end of the last millennium. US authorities wanted, among other things, to put chips with a backdoor in phones. ISIS and the recent wave of terrorism has once again brought back the demands to ban strong encryption. UK’s prime minister is on a crusade against messaging his snoops can’t read. And details about the San Bernardino shootings is in a locked iPhone that FBI wants to open. Strong encryption is at the same time becoming the norm and many services are secured by default. This development has accelerated significantly after the Snowden revelations. So it’s no wonder we are at war again.

Yes, Aeschylus was right. Truth is always a victim in wars. Time for some myth busting. Let’s take a look at some of the jargon of CWII.

 

Strong encryption is only needed by criminals.

Totally wrong. Everyone who is using Internet is using strong encryption. It’s the fundament of securing our passwords, our communications, our stored data and e-commerce. Just to mention a few things. Most of us are not even aware of it, the systems provide security by default. And encryption is a cornerstone for this. The Internet, as we know it, would disappear if we took away encryption.

 

But at least security-focused tools like Tor and Signal are used by criminals.

Wrong again. It’s very dangerous to accept a mindset that people who care about protection automatically must be bad. I use Tor frequently in work for various, perfectly legal, reasons. And many other use them too for both practical and principal reasons. Not to mention that this kind of protection can be a matter of life and death. We all agree that the authorities should have tools against criminals. But what about the police in Iran hunting people for illegal political activities? Do you still support the authorities or should the “criminals” be able to protect themselves?

 

Terrorists use encryption to hide.

There’s a lot of examples proving this statement wrong. It turned out that the Paris terrorists had used ordinary mobile phones that would have been easy to tap with a warrant. Other terrorists have been watched by the authorities and their communications have been intercepted. But the authorities have collected so much data that they failed to spot the interesting stuff in the haystack. This myth seems to have its roots in movie plots like the James Bond stories, where the villain is a super-criminal with hyper-technology. In reality, terrorists are often just ideologically driven youngsters with poor op-sec.

 

Authorities should have backdoors to our devices and communication.

This sounds smart. Keep the benefits of strong encryption and just let the good guys get in to protect us. Right? No, wrong! This is really a naive idea. Authorities typically have unlimited trust in their own ability to use such capabilities only for legit reasons. And to keep the backdoors or escrowed keys safe and secret. Reality is totally different. The question is not if this very sensitive information will leak or be cracked, it is when. And the secret is really like a Pandora’s Box. Both good and bad guys will march through the backdoors once they become known.

 

Encryption helps terrorists and pedophiles.

It’s no coincidence that these two groups keep appearing in the headlines. They are widely hated and the authorities are most likely to get sympathy for their war against encryption by picking enemies like this. It’s also risky to oppose as you may get smeared as a protector of pedophiles. Usage of backdoors or weakened encryption would definitively not be limited to just these target groups. The Snowden documents showed how USA used every available method gather intelligence, including spying on heads of states and even the Climate Summit. And the same is true for many other nations too.

 

With a warrant, authorities should have access to all our data, including encrypted data.

Our homes can be searched with a warrant if there’s proper suspicion of a crime. This is a widely accepted practice. But things get complex if you try to apply these principals to digital data. The police will break your door if you’re not there to open it. But there’s no obligation for you to use a weak lock just in case the police one day has a warrant to search your home. That applies perfectly to digital data as well. Another issue is that there is protection against self-incrimination in almost every legislation. You can’t be forced to surrender information that you have stored in your brain. But what about digital extensions to your memory? A constantly increasing part of our brains’ content is mirrored into our gadgets. Making them searchable will cripple our fundamental protection against self-incrimination.

 

Authorities will be powerless against terrorists if we allow strong encryption.

It’s of course convenient to claim this when asking for new rights, but it is far from the truth. The authorities can still use wiretaps on the phone, access text messages, place surveillance in the suspects’ home or track vehicles. Not to talk about implants in their devices. A tiny piece of spyware can “see through” encryption, as the data need to be decrypted by the device before presented to the user. On top of that, metadata about who the suspects are communicating with is typically accessible despite encryption. Either by tapping the cable or searching the service provider. And no chain is stronger than its weakest link. One sloppy hoodlum in the gang is enough to get them all busted.

 

The authorities just want to cut down on our fundamental rights to get more power.

This is the tin-foil hat way to see things. I can’t deny that there may lay a grain of truth in this, in some cases. But this is not the main driver. It is very clear that all actors in the crypto wars have one thing in common. All want to stop terrorism and other types of crime, and ensure that our authorities have a suitable set of tools to do that. The authorities are no doubt mainly driven by a true desire to make our society more secure. The crypto wars is really about what methods we can use without harming our fundamental right to privacy too much.

 

Micke

 

Public domain image by unknown photographer

 

 

0 Comments

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

You might also like