This week marked the 11th annual Data Privacy Day initiative and TechRadar Pro is helping to improve data protection awareness with a series of articles exploring data privacy and how it impacts consumers and the businesses they interact with on a daily basis.
The digital privacy debate has grown larger and more urgent this year. Governments across the world have made an effort to give people more power over their personal data, from the GDPR in Europe, to the Californian CCPA, and new data protection laws in Brazil.
However, these restrictions have caused conflict between government agencies and technology organisations, like the US government demanding access to Facebook’s encrypted Messenger. The intelligence agencies of ‘Five Eyes’ recently called for access to encrypted information through backdoors. These ’backdoors’ would provide a means for companies and governments to bypass encryption, and access messages without a users’ knowledge.
With this pressure from governments, we have to ask what is the greater good? Should we have end-to-end encryption (E2EE) and allow people to protect their digital lives, or break that protection for everyone just to potentially stop some crimes from happening?
Some proponents who advocate access to encrypted data may seem like they have legitimate and sound concerns. They argue that governmental access is pertinent and necessary to protect against all credible threats. But is this worth the risk of weakening the protection of every single digital record that exists or will be created?
Another point that has yet to be fully grasped by legislators is that is that the encryption we use today will have to stand up to the challenges of the future. Of all the systems created, only E2EE offers the possibility of withstanding the power of quantum computing, so our communications now must be protected or risk future harm.
Encryption myths and the technical impossibility of weaker E2EE
First, it’s important to realise that a lot of the confusion in the public debate is caused by lack of understanding of how E2EE works. There are many sensationalist stories which ignore the ‘nuts and bolts’ to create a dialogue of fear.
At its core, encryption is a process used to secure data from being accessed without the right permissions. End-to-end encryption is a stronger type of encryption where the process is managed between two or more devices (known as end-points), and only those devices have the keys to unlock the content. A non-E2EE system has central key management which creates more ways for a malicious actor to gain entry.
This level of security is the reason why E2EE is becoming the norm, protecting the communication of over a billion law-abiding citizens. E2EE is seen by many as the only way to secure the future of business and public communications.
Yet there are nation-level actors who want to bypass E2EE for the ‘greater good’ such as the ‘Five Eyes’ intelligence agencies and the UK and US Governments. A UK Home Secretary once famously called for access to encrypted information, claiming that ‘real people’ don’t need end-to-end encryption. Since then the majority of mass-market communications tools have embraced E2EE, proving that statement grossly incorrect.
Despite having many robust methods for intelligence gathering and specific individual targeting, governments are very quick to scapegoat encryption in their fight against crime.
The security industry has taken a clear stand – any weakening of E2EE creates entry points for everyone, not just for governmental organizations who have the official “keys” to the backdoor. Endangering both public and enterprise digital security is not the solution to the same groups’ security problem. We cannot simultaneously keep people safe, and make another door that can be opened.
Companies caught between security and conflicting legislation
2018 research into the type and worth of data being sold on the dark web revealed that PayPal and online banking log-ins are among the most valuable types of data, with a typical sales price of £279.74 and £167.81 respectively. Passport details and proof of identity were also high on the list at around £40 per item. Over 4 billion people around the world have access to the internet, and majority generate data that is worth stealing, so there is a clear need to protect all of them.
Even with the GDPR in effect across the EU, we have seen several large data breaches. In June, 1,750 breaches were reported in the UK alone, up from 400 in April, a month before the GDPR was implemented.
This new legislation (and CCPA in the US) was put in place to incentivise organizations to better protect all personal details of their staff and customers, force them to look for better processes, more secure tools for communication, data processing and management. End-to-end encryption doesn’t solve all the problems but it will offer best protection for customers, and shareholder value.
This brings companies into direct conflict with the government’s proposed anti-E2EE policies. If all the services you use – from banking to shopping to health care – deploy E2EE wherever possible, what business wants to be ‘the weak link’ that exposes people’s details to hackers and risks potential massive fines and reputation damage.
We are at an impasse. If legislation is passed to mandate that companies create a way to access E2EE data, this ‘backdoor’ will expose the sensitive business communications of any company that uses the software.
Removing end-to-end encryption will not stop people with malicious intent, it will only allow more people access to systems with less protection. Government mandated backdoors combined with data protection legislation is like asking a shopkeeper to protect their goods whilst removing the locks and alarm system. Businesses are the real loses, who will have to face damage caused by data breaches, revenue loss, reputation damage, and also fines.
Only the good guys will follow the rules
The technology and source code for end-to-end encrypted messengers is well understood and publicly available. It is trivial for malicious actors to build their own services, they don’t have exactly a habit of following the laws.
The result is that the “good guys” operate with weakened security, while the “bad guys” continue to take advantage of the best protection available. This is not good for anyone.
Where do we go from here?
Private organisations like Facebook, a company which holds the data of 1.47 billion people, have shown their lack of commitment to privacy by allowing firms like Cambridge Analytica to harvest the data of up to 50 million people to encourage them to take certain political leanings. The same company is installing ‘trust scores’ into their application, something that is reminiscent of the Chinese Social Credit System, which will give people a ‘social credit score’ based on their lifestyle and choices. The effect of this sort of system on political discourse in a country would be huge, which is why it is in the governments favour to mandate for strong encryption that prevents this data gathering.
Within the security industry the “Cold War” on end-to-end encryption will continue. Technology providers have a clear position in this matter – they cannot weaken it without making the system less secure. The governments will continue to keep demanding mechanisms to weaken or bypass strong encryption.
We have seen what happens to the security industry in countries when encryption is restricted. France had notoriously tight control over the use encryption to the detriment of online services that needed to be secure, this damaged the the French security industry with knock-on effects for any online business from ecommerce to banks. Four years ago when Wire rolled out end-to-end encryption we had to apply for special permission in France – it took our app offline for a month and was a significant bureaucratic burden.
Small and innovative companies can’t afford any delays to getting a product to market. They may be forced to skip over countries with strict encryption control. This results in stagnation, less choice, and weaker protection for people and businesses across the country. International companies will just seek alternative solutions bypassing the local market entirely and local businesses will suffer.
It is in the best interest of the technology industry to continue campaigning for strong end-to-end encryption. We must protect the public and businesses from all threats, but weakening strong encryption is not the solution.
Morten Brøgger, CEO of Wire