Sorry, dad, security isn't what it used to be

It's tempting to understand data encryption in terms of locks and other physical metaphors, but the digital world is completely different

Sorry, dad, security isn't what it used to be

Much has been said in this space on the continued attacks on encryption by politicians across the globe. This demonization of the mechanism that holds the Internet together is as enduring as it is inexplicable. As I’ve said before, it’s impossible for anyone who works with network or data security to accept any argument that includes implementing a master key or backdoor in encryption standards.

In general, two sides of any particular issue will have some overlap. There may be discussion and argument on the best method to achieve a certain goal, but at least there’s agreement on the goal. In the case of encryption, however, there’s no common goal. The major issue is the technologist understands that encryption is a binary concept -- either an item is unbreakable, or it’s insecure. There’s no middle ground, no gray area. You either have strong, unbreakable encryption ... or you don’t. An encryption standard with a built-in backdoor is breakable encryption. It’s insecure by design.

A generational gap seems to come into play here. As I discuss these topics with my father, I note that this concept is as difficult for him to grasp as the converse is to me. I’m as puzzled by his thinking that an encryption standard with a master key is acceptable as he is by my belief that encryption isn’t secure if there’s a backdoor that only authorities can use. It’s an impasse, and I think most of the reason for this stark conflict is generational in nature.

My father grew up in a physical world. In my father’s world, if the authorities needed to find evidence or information on a suspected criminal, they had to get a warrant and execute that warrant in person. They had to obtain physical evidence to prove a crime was committed. This may have included safecracking, breaking down doors, or any other breach of a secured space. As long as the warrant was granted for that space, then the search and seizure was legal and acceptable by society’s standards.

This physical security framework is the basis for all of my father's reasoning about encryption. If the bad guys are hiding something, then the authorities should be able to get a warrant and crack the safe or break down the door in order to uncover it. However, the modern world is not physical. Evidence is not stored in safes, on paper, or on magnetic recordings. Evidence is stored in bits, and those bits are encrypted, and if strong encryption is in use, then there’s no way to break down that door. To my father’s generation, that’s not an acceptable scenario -- surely there's a way around it.

It’s surprisingly hard to dislodge this notion. If you try to translate the terms, it quickly becomes impossible. Describing a backdoor in encryption standards as a master key to all the safes in the world doesn’t really have an impact -- even if you had a master key to every safe, it’s impossible to visit and inspect the contents of every safe in the world. Thus, this comparison falls flat. Another major issue is trust in authorities. It could be argued that older generations have more trust in authorities than newer generations. The idea of the government having a master key to encrypted communications doesn’t disturb my father like it disturbs me. 

Newer generations do not have the same grounding in the physical world. They grew up in the Internet age and don’t view modern technology as magical. They’ve seen firsthand what happens when private information becomes public. They understand more about how the Internet operates from a user’s perspective. They’ve grown up with cameras on street corners, spyware and malware, email hacks, doxxing, and any number of other modern maladies. They’ve been carrying extremely sensitive information on the phone in their pocket for almost a decade now. They use lock screens, and they know the difference between HTTP and HTTPS. 

The politicians attacking encryption are doing so out of either cynicism (grandstanding) or ignorance, but given their life experience, ignorance might be closest to the mark. Those of my father’s generation truly don’t understand the core issues, but are applying the standards of a different time to the modern world. We need only look at Hillary Clinton’s cavalier use of a wildly insecure email server as an example. There’s a significant generational gap in the understanding of what modern information security means.

Fortunately, my discussions with my father have brought him around to a better understanding of why strong encryption matters and why efforts to undermine it are extremely dangerous. Minds can be changed, and frankly we don’t have a choice in the matter. Strong encryption is not an option. It’s the only way the modern world can operate.

Oddly enough, the attacks on encryption may have a silver lining. All of the misdeeds of government agencies in appropriating data through quasi-legal or illegal means have not been missed by tech companies. Whereas retaining user data was once looked upon as an asset, it’s now becoming a liability. Perhaps we have a bit of a Streisand effect in play -- the more you push against security, the more secure we might actually become. Stranger things have happened.

Copyright © 2016 IDG Communications, Inc.