The Implications of Weakening or Breaking Encryption

Encryption is fundamental to our daily life. Practically everything we do online makes use of encryption is some form. Access to our financial transactions, health records, government services, and exchanged private messages are all protected by strong encryption.

Encryption is the process of changing the information in such a way as to make it unreadable by anyone except for those possessing special knowledge (usually referred to as a “key”), which allows them to change the information back to its original, readable form.

Not only does encryption protect our sensitive personal data, but also secure communications between computerized medical devices, and in the near future, even autonomous, self-driving vehicles. And it is our important, last line of defense to protect Internet users globally and preserve core principles, such as freedom of expression and personal privacy.

Law Enforcement vs. Encryption

Recently, political and law enforcement leaders in the United States, United Kingdom and India have called for the Tech Industry, as well as private messaging platforms like WhatsApp and social media networks, to redesign their systems to ensure that governments can have access to the users’ information and content - even if encrypted.

The debate about encryption, or security versus privacy, is not new. In the 1990s, the governments of the United States and a number of other industrialized countries advocated for weakening encryption, claiming that the widespread use of encryption would prove to be disastrous for law enforcement. And in the last few years, some governments have introduced new controversial encryption laws that compel tech companies to grant law enforcement agencies access to encrypted messages, such as the Australian Telecommunications (Assistance and Access) Act, which passed into law at the end of 2018.

James Comey, the former FBI Director, held a speech in Brookings Institution in October 2014, which was entirely focused on the challenges posed by encryption. “The FBI has a sworn duty to keep every American safe from crime and terrorism, and technology has become the tool of choice for some very dangerous people. Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it ‘Going Dark,’” he said.

The US Government considers “Going Dark” to involve its inability to access content in private messaging platforms such as WhatsApp, which uses encryption systems that prevent the service provider, e.g., WhatsApp, in this case, from being able to decrypt the contents of messages sent and received.

The world did not “Go Dark.” On the contrary, law enforcement agencies now have much better and more effective surveillance capabilities than they had before, as substantially more data—especially metadata—is available for collection and analysis by law enforcement.

Weakening encryption poses grave security risks, and there are four major problems we face. The first is that weakening encryption would force a U-turn from the best practices to make the Internet more secure by default; these practices include end-to-end encryption of private messages between Internet users.

Second, designing an exceptional access system to allow access to private encrypted data in global messaging platforms like WhatsApp would substantially increase the system complexity and vulnerability. Security researchers have always indicated that complexity is the enemy of security.

Designing such exceptional access on a global platform that has billions of users would have to be deployed and tested by literally hundreds of thousands of developers all around the world, making security testing difficult and less effective.

Third, providing governments or law enforcement with exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock encrypted data would have to be retained by the platform provider, law enforcement agencies, or other trusted third parties. If law enforcement has keys and guaranteed access to everything, then a potential attacker who has gained access to these keys would enjoy the same privilege on a massive, global scale.

Fourth, the position of governments in democratic and industrialized countries on encryption does not recognize that some governments around the world pose varying degrees of threats to the freedom and privacy of individuals. Encryption helps people exercise their internationally-recognized human rights, freedom of speech and expression in countries with authoritarian regimes.

The Way Forward, a Multi-Stakeholder Dialogue

The current polarized debate on the use of encryption to promote security regrettably assumes that solutions must have winners and losers. We should reject such an assumption.

Encryption plays a pivotal role in securing the data at the heart of our modern society and economy, and this effort involves not just tech companies that create products and services, but should also extend to include the millions of Internet users around the world who rely on private messaging platforms, products and services to empower their daily lives, civil society, digital rights activists, the companies that encrypt human resources, sales, or other data, and even to the law enforcement officials who investigate crimes.

With so many interests at stake, it is vital that these discussions about the future of encryption involve all perspectives and stakeholders affected at a national and global level.