The weak case against strong encryption

Why can't politicians understand? Banning encryption is essentially no different than mandating backdoors

The weak case against strong encryption

I used to think that the idea of banning encryption was too absurd for discussion. Whenever a politician or government official suggested it, I figured it to be a ploy covering the real desire, which was not to ban encryption, but to require backdoors that would allow encrypted content to be accessed by government agencies.

So it goes in the United Kingdom, where the government of Prime Minister David Cameron seemed to be pushing for an outright ban. But now we hear from Cameron’s spokespeople that they don’t really want to ban encryption; instead, they would like to be able to decrypt anything they want at any time.

Apparently the prime minister didn’t read my column because that was exactly my point. A ban and backdoors are essentially synonymous -- encryption stops being encryption when there are built-in backdoors. Backdoors are inevitably exploited, rendering encryption merely a bit of bother to malicious actors.

We might learn a lesson from the scores of data breach events that have occurred over the past few years, releasing all kinds of sensitive data and financial details to nefarious interests all over the world. We should know very well by now that data security is an ever-escalating battle that is lost in an instant with potentially massive repercussions. Those breaches have occurred in spite of the availability of strong encryption and against what should have been the strongest security measures available. Yet they still happened.

To make the point crystal clear: We are hearing all manner of bluster about protecting the world against terrorists, yet one of the main requests made in that effort is to actually create an avenue for more security attacks, more breaches, and more data loss. Terrorist events aren’t limited to violent attacks that cost innocent lives. They can and often do involve gathering and manipulating data to be used for leverage and threats against people in positions of power and wealth, or orchestrating a massive data breach that threatens large markets and even economies. Hobbling strong encryption would assist those acts, not dissuade or prevent them.

Proceeding to undermine encryption will have the opposite effect of protecting anyone; it will instead expose nearly everyone, even those who have never used the Internet or sent an email. If you have provided sensitive information to your hospital, bank, or local or federal government, you should be concerned about any move to mandate backdoors in strong encryption.

If you’d like a very recent example of how technology (theoretically) used for good might suddenly be wielded as a weapon against the world, look no further than the Hacking Team compromise from early July. The Hacking Team built powerful tools for law enforcement, then lost those tools to bad actors. Now those tools have turned around on their creators and potentially threaten anyone in the world. That’s a story unto itself, but the parallels to the concept of hamstringing encryption are highly disturbing.

Let’s dispense with the idea that there was ever a desire to ban encryption outright -- there likely never was -- but let’s not mediate the discussion or “meet in the middle” and allow the scuttling of the technology that protects everything holding the world together today. This intentional mangling of phrases and meanings is likely an attempt to curry favor with the nontechnical populace, and it should be rejected outright.

We either go back to pen and paper to keep our records, or we maintain strong encryption in perpetuity. There is no middle ground.

From CIO: 8 Free Online Courses to Grow Your Tech Skills