The devil is not in these details: Why encryption isn’t evil
This feature first appeared in the Winter 2016 issue of Certification Magazine.
Editor’s Note: This feature was written and published prior to the emergence of the current dispute between Apple and the FBI and therefore does not directly reference those proceedings.
In the past few months, deadly terrorist attacks rocked San Bernardino, Calif., and shattered the French capital city of Paris. The technical investigation following both incidents largely focused on questions regarding digital communication and coordination among the attackers using standard encryption protocols to avoid eavesdropping by law enforcement and intelligence organizations.
Encryption is already a hot-button topic in cybersecurity. These dramatic breaches of public safety have sparked a worldwide debate regarding the widespread use of encryption, and its role in barring government access to private communications. There’s one bottom-line question: Is encryption a sinister tool being used to serve nefarious ends?
Politicians and presidential candidates were quick to condemn the attack, but also used their soapboxes to rail against encryption technology as a tool of terrorism. In a Democratic presidential debate, Hillary Clinton called for “a Manhattan-like project” focused on encryption.
Republican presidential candidate John Kasich struck a similar tone in arguing that “we have to solve the encryption problem.” There’s certainly an undertone in the national conversation that encryption is an unwanted technology that facilitates terrorism — and that the government must take action to protect Americans from it.
Kasich and Clinton are correct that there is an encryption “problem,” but the problem is not that the technology is available. The real problem is that the technology is not well understood. Many average citizens are surprised to learn that encryption is a part of their everyday life and that the security it provides routinely protects their credit card information, healthcare records and other sensitive data from prying eyes.
Encryption is not a problem to be solved: It is a technology to be embraced as a cornerstone of every organization’s information security program. The government itself relies heavily upon encryption technology and spends millions of dollars annually developing new encryption methods. How can government officials decry encryption as a terrorist weapon while simultaneously using it to protect sensitive information?
What is encryption?
Encryption is, quite simply, a set of mathematical formulas. In its most basic form, encryption algorithms take plaintext messages and use a secret key to transform them into an encrypted form that is unintelligible by anyone who does not have access to the corresponding decryption key.
Encryption algorithms are public knowledge. Any university-level computer science student has the skills required to write a small piece of software that implements military-grade encryption technology in a matter of weeks. The government would have as much luck banning encryption as it would banning algebra or physics.
What would you think if you learned that your neighbor was using advanced military-grade encryption algorithms to protect files stored on his smartphone or laptop computer? How about if he was using encrypted messaging technology to apply the Advanced Encryption Standard to text messages that he exchanged with others around the world?
Does this sound sinister? It’s not. This description could not only easily fit your actual neighbor, but it most likely applies to you as well.
Where is encryption used?
If you have a laptop computer issued by your employer, it’s more likely than not that the entire hard drive is encrypted to protect the contents from prying eyes. Companies do this as a matter of routine to protect themselves in the event that the device is later lost or stolen. If a hard drive is encrypted, nobody can gain access to the files stored on the drive without having access to the corresponding decryption key, which is usually encoded with the laptop user’s password.
Do you own an iPhone or Android smartphone? Both devices automatically encrypt all of the information stored on the device for similar reasons. Current versions of iOS and Android prevent anyone other than the phone’s owner from gaining access to the encrypted data.
Even if Apple or Google wanted to cooperate with government investigators (or anyone else for that matter), they simply don’t have access to your sensitive information. They designed their operating systems this way on purpose. This level of security protects your data with strong encryption that prevents anyone from gaining unauthorized access. Isn’t that what you expect from your phone or tablet?
Have you ever logged onto your bank account online, checked your email over the web or visited the White House website? If you’ve done any of these things, you’ve used the HTTPS protocol to communicate securely with the remote web server. HTTPS uses strong encryption to protect your data from prying eyes while in transit.
Yes, that’s right — the White House website requires that citizens visiting its website use strong encryption to browse the site. Go give it a try. If you type whitehouse.gov into your browser’s address bar, notice that it quickly changes to https://whitehouse.gov. The “s” in “https” indicates that strong encryption is in use. How can government officials claim that the use of encryption is a problem when they force citizens to use it every day?
What do politicians want?
As with many political conversations, it’s difficult to understand exactly what politicians are calling for when they speak out against encryption technology. Hillary Clinton, when asked how she would address encryption, admitted that, despite viewing encryption as a danger, she doesn’t really know what could be done to neutralize it:
“It doesn’t do anybody any good if terrorists can move toward encrypted communication that no law enforcement agency can break into before or after, there must be some way. I don’t know enough about the technology … to be able to say what it is.”
FBI Director James Comey has been similarly confusing in his plea for action against encryption technology. In a 2014 speech, he warned listeners that, “Justice may be denied because of a locked phone or an encrypted hard drive.” He went on to say that “We aren’t seeking a backdoor approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law.”
Unfortunately, Comey doesn’t provide any technical details on how his so-called “front door” would actually work. By the way, it’s not just the White House website that forces the use of encryption — citizens visiting Director Comey’s FBI.gov site are also forced to use encrypted communications.
What’s wrong with these government requests?
The bottom line is that the requests by government officials and political candidates simply aren’t feasible. When pressed for technical details on their plans to subvert (when necessary) or replace encryption technology, they merely assert that technical people can figure it out. What no one says openly is that such an approach is simply not feasible, practical, or even advisable.
There is no direct means of providing government officials with access to encrypted communications without fundamentally weakening the technology itself. The National Security Agency tried to develop this type of backdoor back in 1993 when they proposed the Clipper Chip: an encryption device with a government backdoor. That device failed miserably when the technology industry refused to adopt it.
Two of the congressmen who attended a hearing where Director Comey made his pitch for a government backdoor later sent him a letter explaining their objections to his proposal. Rep. Will Hurd, R-Texas, and Rep. Ted Lieu, D-Calif., have an interesting shared background — they are both not only congressmen, but also trained computer scientists. In their letter to Comey they wrote:
Any vulnerability to encryption or security technology that can be accessed by law enforcement is one that can be exploited by bad actors, such as criminals, spies, and those engaged in economic espionage. It is important to remember that computer code and encryption algorithms are neutral and have no idea if they are being accessed by an FBI Agent, a terrorist, or a hacker.
During our oversight hearing, it was clear that none of the witnesses were willing to assert that a backdoor would be completely air-tight and secure. Moreover, demanding special access also opens the door for other governments with fewer civil liberties protections to demand similar backdoors.
The congressmen are correct. Encryption is an essential technology for safeguarding sensitive information. The fact that terrorists use encryption technology is not a reason to deprive American citizens and others the use of secure communications methods. The government must find other means to counter terrorist threats and provide security against terrorism without jeopardizing the security of our private information.
Any technology in the wrong hands can be used to bring sinister designs to fruition. That doesn’t make the technology itself corrupt, or mean that no one should ever use it for anything. Fear of terror that prevents technological tools from serving the public good is only accomplishing the aims of terrorists. Encryption is not evil.