In my ongoing blog series “Hacker Mindset,” I explore an attacker’s assumptions, methods, and theories, including how information security professionals can apply this knowledge to increase cybervigilance on the systems and networks they steward. In this article, I explore the intense debate surrounding encryption and what it means for policy makers and consumers alike.Cryptography and CommunicationsCryptography protects our information systems by changing the way data is transmitted and stored. Through the use of mathematical formulas, it prevents anyone except the intended recipient from reading any given email or message. Because security experts consider encryption to be virtually unbreakable, it has been an essential layer of protection for individual users, businesses, and government agencies.
Source: Wikimedia CommonsThe increasing reliability of cryptography as a secure method of transmitting messages is a dilemma for law enforcement. Criminals and other bad actors using encryption can carry out malicious acts partly because law enforcement cannot monitor the content of their communications. Furthermore, in the event police do arrest these bad actors, they are often prevented from accessing critical email and text messages for purposes of obtaining evidence for trial. As a result, leaders in the law enforcement community have used their bully pulpits to advocate for so-called “backdoor” technologies that would allow the government special access to encrypted contents.Mandated Backdoor RiskMandated backdoor access, if compelled by government, could take any number of forms. One proposal would require that telecommunication providers to manufacture computer chips with a built-in backdoor accessible only by government. The Clinton administration proposed such an idea in the 1990s, but the proposal faded away after strong pushback from the technology industry. Another example was the litigation between Apple and the Department of Justice. In that case, the DOJ attempted to require that Apple develops a backdoor to an iPhone that was used by an assailant in the terrorist attack in San Bernardino, California.
Source: FlickrFreedom of expression is predicated on the assumption that two or more people want to collaborate and exchange ideas. Knowing that the government can access all channels of communication is truly a 1984-type scenario. The effect mass surveillance would have on the population would be detrimental. An individual’s freedom of expression is infringed upon if anyone can intercept and understand private thoughts and intentions. Some Americans proudly proclaim they have nothing to hide and invite the scrutiny. This point of view is flawed in numerous ways. Many people might not know they are violating a law in any given situation and would be unpleasantly surprised to learn that even a minor violation can result from law enforcement’s access to their personal computers and smartphones.The Road AheadThe United States leads the world in technology innovation, and policy makers should look to established experts in the field when crafting cybersecurity policy. The next few years will define the very nature of how we relate to the internet and technology. Books, journal articles, and other existing literature demonstrate that backdoors into encrypted communications cannot be accomplished without compromising the information’s confidentiality and that such backdoors can have severe unintended consequences.One consequence is that backdoors run counter to certain American values. U.S. citizens are accustomed to believing that they can privately exchange information free from government intrusion. However, backdoors will diminish this expectation of privacy. Moreover, providing law enforcement with a cryptographic key to protected communications will almost certainly mean that criminals and other bad actors will eventually acquire it. If such a key were leaked to the public, one’s data would be available not only to police but common criminals as well––a concerning prospect given that legal due process requirements tend to limit the actions of law enforcement but not those of ordinary citizens committing a crime. Requiring that ordinary citizens hand over a key to their most private communications will only serve to erode privacy and put individuals at risk for identity theft, computer hacking, and other cybercrimes.