Encryption is the best way to keep your private information private. And it’s not a new concept. According to Chris Parker, founder of WhatIsMyIPAddress.com, manual encryption has always been an option.
“Anyone can write in code to conceal what they're saying, and share that code with someone else if desired.” But in the digital era, encryption has taken on a new meaning, since you don’t have to create your own code. (Read Encryption Vs. Decryption: What's the Difference?)
“With a simple tool and a password, you can protect something so that it would take years — or even decades — to crack it, and there's nothing that can realistically be done about that kind of encryption,” he explained.
And since it’s your data, isn’t that your right to privacy? Maybe, maybe not. While encryption is beneficial to users, it can pose serious problems for law enforcement. (Read Privacy Compliance: Gearing Up for 2020.)
So, should the former outweigh the latter?
Benefits of Encryption
Technology has made it incredibly easy to create data, but also easy for that data to be hijacked. “Encryption protects data at rest when stored on hard drives, cell phones, or in the cloud, and it can also protect data in transit as it moves from one device to another,” explained Cindy Murphy, president of digital forensics at Tetra Defense.
“In these situations, encryption acts to protect the data, including personally identifying information, health information and financial information from being improperly used if intercepted,” she said.
There’s a growing cybersecurity war on the healthcare industry, and the finance and energy sectors are always popular with bad actors. However, just as IoT devices can compromise homes, industrial IoT devices have increased the risk of cyberattacks in the manufacturing industry, according to Vectra. In fact, no sector is really safe from cybercriminals. (Read Straight From the Experts: How to Limit Cybersecurity Risks with Workplace IoT Devices.)
“Encryption is widely understood to be the only effective way to ensure that data can be securely stored or transmitted between two assets,” said Ray Walsh, digital privacy expert at ProPrivacy.
“Without secure encryption, data is always at risk of hacking, and for this reason, the primary solution to all consumer and enterprise data security needs centers around the effective implementation of encryption.”
Why Encryption Goes Wrong
However, encryption can also be problematic. “Encryption is one of the most common techniques companies use to ensure confidentiality, but what happens when the encryption key is derived from a password, and the person who held the password dies?” asked Evan Larkin, senior manager of product security at Relativity. He points to the example of Gerald Cotten, CEO of QuadrigaCX, which used to be Canada’s largest cryptocurrency.
However, in December, 2018, Cotten (who was 30 years old at the time) died suddenly. “He was the sole person who had the password that protected $190 million worth of bitcoin owed to investors,” Larkin explained. “When he died, no living person had access to the encrypted fortune.”
Cotten ran the entire company using a password-protected laptop and a USB key. (Ernst & Young was hired to find the money owed to 115,000 investors, and eventually was able to access six of his offline crytocurrency wallets — but they were all empty. Now there’s speculation that Cotten may have faked his own death.)
Why Encryption is Problematic for Law Enforcement
Keeping your data private is a good idea — until it’s not. Cotten is a high-profile example of the latter. However, encryption in general has created a tug of war regarding who has the right to decrypt data.
According to Jeff MacMillan, CEO and founder of KeyNexus: "The problem is that the various parties view this issue from their particular perspectives and goals.”
Government agencies are not interested in the average citizen’s private data itself; they are simply driven and focused on solving crimes, tracking national security threats and keeping their communities safe.”
And that’s makes sense. For example, did you know that if you park next to a fire hydrant and there happens to be a fire in that immediate area, there’s a good chance the firefighters may run the hose across your car which could cause significant damage. But your car is not their concern (and it’s a PSA to avoid parking next to hydrants). Firefighters are focused on containing the fire.
Likewise, when people pass by a hot car and see a child inside (or in some cases, a doll that looks like a child), they would break the window—with no thought about the owner’s vehicle—because a child is in a dangerous situation.
And that’s how law enforcement agencies tend to view decrypting data so they can retrieve it. “For example, if there is data that might show where a child has been taken after a kidnapping, not only getting the data but getting it in a timely manner is important, said Marty Puranik, president and CEO of Atlantic.Net.
Darren Deslatte, vulnerability operations leader at Entrust Solutions, agreed. “Encryption frequently blocks law enforcement, at both local and national levels, from accessing data that could be useful in their investigations or even prevent potential crimes from occurring.”
For example: He said they may want to access a messaging app to see the history of a suspect’s conversation — information that could save someone’s life or prevent a crime. “The majority of these messaging apps often use end-to-end encryption (E2EE), meaning that only the senders and recipients have access to the data, not any mediators, including the host company,” Deslatte said.
That’s why service-level encryption offerings—like WhatsApp by Facebook—contribute to the controversy. “The company has been pressured to install a security backdoor to allow governments to read messages if considered necessary, but so far Facebook has refused,” Parker explained.
The controversy actually creates a lose-lose scenario for law enforcement, when trying to balance individual privacy and collective safety. “People agree that authorities shouldn't intrude upon personal freedoms without good reason, but will wonder why terrorists weren't being observed closely enough to prevent their criminal acts — even though there may have been no reason to suspect them,” Parker said.
When All Else Fails
However, there are always different methods to use to access the data. “There are various examples from more recent times, where tech companies refused to provide law enforcement the encryption keys or access to devices, and eventually, they had to resort to using third party companies to hack the devices and decrypt the content,” said Liron Lev, senior engineer at Pico — Get Personal.
“As a current-day example, we can see how the FBI resorted to using the Israeli cybersecurity company, Cellebrite, to crack the iPhone device from the San Bernardino attack in 2015, as Apple had refused to grant access to the device,” Lev said.
That’s just one example, but it may be a compelling argument for why law enforcement needs unfettered access. “This has led countries like the UK and Australia to pass legislation that can be used to force companies to create backdoors into their encryption,” Walsh said. (Read Encryption Backdoors: The Achilles Heel to Cybersecurity?)
So, how does that work? According to Brian Gill, co-founder of Gillware Data Recovery, the government can require devices sold in that country to have backdoors that allow law enforcement to easily bypass the encryption. But backdoors and persuasion aren’t the only options. “They could also hack around or brute force the user authentication,” Gill said.
“This is different than brute-forcing the encryption, rather attempting to trick the device into performing a natural decryption process.” However, he explains that the type of device and device operating system will determine the feasibility of this method.
Problems With the Backdoor Approach
While creating a backdoor could be beneficial to law enforcement, for everyone else, it defeats the purpose of encryption. According to Walter Paley, VP of communications at SafeLogic, encryption protects law abiding citizens and criminals equally — regardless of intent or effect.
“Advocates for a legislated and mandated backdoor or skeleton key for law enforcement don’t understand that this would be a design flaw,” he said.
“It would be a vulnerability being presented as a feature, and there would be no limit to who could exploit that vulnerability,” Paley explained. That’s because if law enforcement could use the backdoor, so could everyone else.
Walsh agreed, and said government agencies with a legitimate reason wouldn’t be the only people accessing private data. “You’re also looking at service providers, rogue employees at those services, foreign governments who discover the backdoor, and cybercriminals who find a way to exploit those purposely created weaknesses in the system,” he said. (Read Are Your Enterprise Printers Protected from Cybercriminals?)
And this may make one of the other options — while quite thorny — a better alternative. “The ability of law enforcement to compel a suspect to unlock their device, for example, would not fundamentally undermine the cryptography, although it would threaten other civil rights,” Walsh said. “It’s a very delicate conversation, to be sure.”
In fact, for companies that are charged with making sure personal information is protected from cyberattacks, Walsh said it creates an impossible situation. “Private messages between consumers often contain highly sensitive personal information, which is designated sensitive data by regulations such as General Data Protection Regulation (GDPR).” (Read How Cybercriminals Use GDPR as Leverage to Extort Companies.)
And if sensitive data is stored in a way that creates access for law enforcement, it also creates opportunities for breaches by anyone. “As a result, encryption backdoors create the potential for personally identifiable data to be breached — which could ultimately lead to those businesses being fined,” he said.
And there are other issues that need to be considered, according to Lev. “Who is the authority, or what authority will decide what data should be given access to, and in what instances?” He said it’s not possible to grant partial access. “If the encryption key is in their hands, they will have access to all of the data, and how can we ensure that the chain of custody will be kept and unauthorized uses of keys won’t happen?”
The Solution
Unfortunately, there may not be one.
“The best solution to data privacy and security is to not just allow for strong end-to-end encryption, but to require it,” said Walsh. But while emerging legislation introduces massive fines when consumer data is mishandled, legislation is also being passed to weaken encryption.
“These two opposing wills are creating an impossible duality in which the solution to the problem — encryption — is being institutionally opposed by the same authorities that require its use,” Walsh explained.
Gill agreed and said that finding a balance could be impossible. “Law enforcement officials want back doors, and if planted, those devices will be less secure and will be harder to sell and harder to protect data.” When governments pass laws making it illegal not to plant back doors, he predicts that this will decrease innovation and increase device insecurity.
“This will create more problems and possibly greater problems than the governmental inability to access encrypted data,” he warned.
And it could serve to further pit companies against the government.
“This is less about balance and more of a binary decision that individual governments will need to make, and then companies will need to decide whether or not they want to sell devices in that country or abandon that market — or perhaps sell insecure versions of their products in that market, and maintain two product stacks,” Gill said.
Also, government agencies might do well to remember that they also benefit from encryption preventing cybercriminals from obtaining their information. “Rather than placing restrictions on the private sector and demanding some forms of encryption be banned, weakened, or have backdoors introduced, law enforcement should fund research towards innovative encryption systems that would allow secure law enforcement access while still providing the overall security that makes encryption so attractive in the first place,” recommended Deslatte.
He said any argument that a backdoor would be used solely by law enforcement is unrealistic. But Deslatte remains optimistic.
“While there are currently no real-world solutions to this issue, I am confident that in the near future the cybersecurity community as a whole will be able to implement a stable, trusted, and secure encryption without encumbering our societal security or individual privacy in the process.”