The Dangers of Legislating Encryption
The Australian government is the latest to reveal it’s working on new laws that will require companies to be able to unscramble encrypted communications. Australian Prime Minister Malcolm Turnbull came under fire for his reply to reporters who pointed out the mathematical impossibility of breaking into end-to-end encryption: “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
The UK government’s Investigatory Powers Bill, more commonly referred to as the Snooper’s Charter, raised similar concerns in Europe last year over politicians’ understanding of encryption and the dangers of banning it or asking companies to build backdoors into their encryption solutions. There is also the problem of the end-to-end encryption used in popular messaging applications like WhatsApp and Apple’s iMessage, which allows only the communicating users to read messages and which, as the Australian reporters pointed out, cannot be modified to grant access to third parties.
It is unlikely that application giants will hurry to make the necessary changes to meet the needs of a small localized market when their user base is global. WhatsApp, for example, has amassed over a billion users worldwide, in part because of the protection end-to-end encryption gives their messages: it is one of the go-to tools used by journalists, protesters, activists and vulnerable groups to communicate safely.
Twenty years ago, encryption was much rarer and more difficult to apply, but nowadays, with the digitization of public and company records, it has become a vital tool in the protection of sensitive data and has naturally evolved as a consumer product in both the B2C and B2B sectors. This also means that it has become widely available and has started being implemented directly at application and software level. That is when it started being, as far as governments and law enforcement agencies are concerned, an impediment to investigations and a crime-enabling tool.
There are two sides to this argument:
- In an increasingly hazardous digital world, companies and individuals are looking for ways to protect themselves from potential breaches of their privacy or confidential information. Encryption has been one of the primary solutions they have leaned on, with Data Loss Prevention tools such as Endpoint Protector providing it as a way of safeguarding data against malicious outsider and insider intervention.
- The other side of the argument, repeatedly raised by law enforcement agencies and politicians, is that encryption can be used by criminal elements to communicate safely and to secure information that might be vital to their apprehension and conviction and, most importantly, to preventing criminal acts from occurring. Many cite the case of Khalid Masood, the man responsible for the 2017 Westminster attack, whose WhatsApp messages could not be read by police, and that of the San Bernardino shooter, whose iPhone could not be accessed by the FBI, as examples of the problems encryption can cause law enforcement in situations of the utmost gravity and urgency.
Legislation such as the Snooper’s Charter demands that companies that use encryption also have the means to unscramble it. What this essentially implies is the existence of a so-called golden key or, more plainly, a backdoor into software that would allow companies to bypass the layer of encryption applied by users. Governments seem unconcerned by the fact that this means adding vulnerabilities to encryption that can be exploited not only by the companies and law enforcement agencies, but also by cyber criminals whose very purpose is to hunt them out. To pretend otherwise is to ignore the innumerable recent cases of calculated attacks that relied on software vulnerabilities to infect millions of users worldwide.
Ultimately, encryption, like many other useful services in both the online and the real world, can be used for criminal purposes. The internet itself, while it has revolutionized the world, is also full of malicious intentions, which is why encryption has gradually become one of the go-to solutions to protect sensitive information. Allowing backdoors and government access to it would mean introducing procedures that make that data vulnerable not only to the probing of government agencies, but also to cyber criminals, which is the very thing encryption is supposed to protect against.