|
The debate around encryption has become a hot topic in a world where communications are increasingly becoming digital. The modern encryption debate is a complex and nuanced issue, with many players from different backgrounds trying to influence the conversation. The question of balancing the need for national security with the right to privacy has been a matter of public debate for years. Only recently has the issue been framed in terms of encryption, but the discussion is certainly not new.
There are many opinions about encryption and its role in our society, and many of those opinions are contradictory. Still, the general public is largely unaware of the nuances of this issue, which can lead to confusion or misunderstanding about what encryption really is and why it is crucial to all internet users. By retracing the main stages of the modern debate on encryption, we hope to shed light on its importance in today’s digital world.
While many people think that modern cryptography is too complicated for anyone to understand, this isn’t necessarily true. Simple concepts underlie all current cryptographic algorithms. The first thing to understand is the concept of a key. It is a string of data used to encrypt and decrypt messages. Each key should be unique and unpredictable. The longer the key is constructed, i.e., the more bits it contains, the harder it is to break the encryption code. If you have two keys, you’ll use one to encrypt and the other to decrypt the encrypted messages.
These days, encryption is applied as a standard with TLS/SSL certificates to encrypt traffic in most web browsers, while S/MIME is used for email communications. Encryption also comes into play to authenticate and verify software applications with so-called code signing certificates.
The history of encryption is a long one, spanning thousands of years. It has been used throughout history to protect trade secrets, military communications, sensitive personal information and, more recently, data stored on computers. Today it also protects your conversations when using messaging apps or your credit card details when making online purchases.
The ancient Greeks and Romans were the first to use some types of encryption mechanisms. The Caesar cipher is an example of an ancient encryption technique. Julius Caesar invented the Caesar cipher to communicate securely with his generals during wars. It is a simple shift cipher, which means it shifts every letter of the alphabet by a fixed number of positions, in this case, three. So A becomes D, B becomes E, and so on. But this encryption technique is vulnerable. Once you know how it works, you can break into the message.
The modern concept of encryption dates back to World War II, when Allied forces realized they needed a way to protect their communications from interceptions by the German troops. At that time, this meant using coding techniques that were complex enough to make it difficult for an enemy interceptor to understand the message if they captured it. These coding techniques included substitution ciphers (also known as exception substitution) and transposition ciphers (also known as polyalphabetic substitution). During the war, the Nazis used Enigma, a cryptographic machine based on an electromechanical rotor mechanism that scrambled the 26 letters of the alphabet. Alan Turing is probably best-known to the general public for his ability to crack the coded messages that were intercepted. He helped create the first machine capable of using computing power to break encryption.
Modern cryptography relies on computers and mathematical functions to secure data. If cryptography is the mathematically and logically based science of hiding a message, encryption is the process of converting a plain text file into cipher text. Nowadays, encryption is the standard measure to protect communications in the digital ecosystem. This is done through digital certificates specified by the X.509 or EMV standard. They are stored, signed and issued by certificate authorities (CA). Their protective shield spans from HTTPS connections to the data transmitted in data centers. There are different ways of encrypting data. These fall into two main categories.
We can distinguish between two forms of encryption today, namely symmetric and asymmetric encryption. The main difference lies in whether the same key is used for both encryption and decryption.
Symmetric encryption – When the sender and the recipient share only one single key, we speak of symmetric key cryptography. The single key is used to both hide and unlock the message. Compared to other types of encryption, it is quick and easy. Well-known examples of symmetric encryption include:
Asymmetric encryption – Asymmetric algorithms use two interdependent keys, a public and a private key. One is used to encrypt the data and the other to decrypt it. The recipient knows both keys, the private and the public one. You should never share the private key that you need for decryption. The sender uses the public key to encrypt the message. One of the most common uses of asymmetric cryptography is to digitally sign a certificate in order to verify the authenticity of a document or the integrity of a message. Examples of asymmetric encryption include:
The modern encryption debate is a public discussion about the use of encrypted digital communications. It started around the ‘90s when the US government tried to ban cryptography because, according to them, it would threaten national security. In recent years, the debate has been revived due to terrorist attacks and security breaches that have occurred all over the world.
The discussion is mainly polarized around two opposing views. Some people believe that strong encryption should be banned because it makes it easier for criminals to hide their illegal activities online. Others argue that encryption helps to protect personal data from being accessed by unauthorized sources. The debate heated up again when Big Tech stepped into the ring and took a stand. In 2014, Apple and Google declared they would start encrypting their devices by default, assuring users that customer data would be protected at rest without requiring them to enable the function. It is the beginning of a series of controversies that puts governments, tech companies, but (most importantly) also the security of internet users at stake. Here we want to examine the milestones that outline the modern debate on encryption.
In 2013, Edward Snowden revealed US privacy and data breaches globally. The documents revealed that the NSA was monitoring the communications of millions of Americans and people worldwide and gathering data on users’ searches, emails and social media posts. The documents also revealed that the NSA had been working on the PRISM program to collect user information from companies like Google, Facebook and Apple.
We learned about how the NSA had been hacking into computers worldwide to access data and communications. The impact was huge, making headlines worldwide. These leaks have helped the general public understand the role of encrypted communications. They also help us see how security systems can be compromised by malicious actors - including those who are actually supposed to protect us from such threats. From IT experts to the general public, there was a realization of how insecure the internet ecosystem was. Most internet traffic did not use secure protocols such as HTTPS, making data susceptible to surveillance, infiltration and other potential crimes.
Snowden’s revelations have given powerful momentum to the implementation of better security systems and the use of encryption. The tech and internet community has made communications more secure in response to these revelations. Over the years, several tech companies rolled out new security measures for their users, for example:
The run towards end-to-end encryption globally had begun! It also represented the start of the new modern debate around encryption.
In 2014, the IETF (Internet Engineering Task Force) published the RFC 7258 entitled “Pervasive monitoring is an attack”.
In this paper, the internet technical community expressed strong agreement: pervasive monitoring is an attack on internet privacy of users and organizations. This threat needs to be mitigated via the design of protocols that will revisit internet standards’ security and privacy properties. The scope of this document is broad. It covers topics like authentication, encryption, authorization, confidentiality and integrity. These are all critical matters because they are necessary for protecting sensitive data as it travels across the internet. The paper represents a milestone from the technical community in pushing towards the creation and implementation of standards in our network, thus creating a more secure and resilient internet.
After Snowden’s revelations, more and more companies implemented improved security systems and encryption solutions aimed at safeguarding the privacy of communications. Digital communication shifted from a public communication channel, where it could be monitored, to a private communication channel that prevents eavesdropping. National security and law enforcement agencies had their say.
In 2015, the encryption debate saw the entry of the new expression “going dark”. It was coined to talk about the restricted capabilities of US national law enforcement agencies in accessing communications and information on the internet due to the increasing use of encryption. When an agency has evidence of a crime but cannot access a suspect’s phone, they are “going dark.” There are two main reasons agencies think they’re going dark. Firstly, they argue that encryption makes it harder for them to access data on devices. Secondly, they maintain that criminals might use encrypted communications platforms like WhatsApp and Telegram to communicate with each other and plan crimes in secret.
According to the US FBI Director, James Comey, “We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.” Law enforcement agencies want to access encrypted data because it would help them solve crimes and bring criminals to justice. Using the “going dark” argument, law enforcement agencies in the US and elsewhere warned that criminals are able to hide their communications and actions without raising suspicion thanks to encryption, while law enforcement officers struggle to decrypt data during their investigations.
Over the years, several law enforcement agencies worldwide have proposed solutions, including requiring companies to provide law enforcement with access to encrypted data where possible. They also mandate that companies design their systems so that law enforcement can gain access. For example, the US government has advocated so-called backdoors since the emergence of the “going dark” argument.
On the other side, technical experts have argued that there is no way for a third party to access one person’s encrypted data without putting all users on that system at risk. So why is creating backdoors harmful to the security of encryption? Suppose the US government succeeds in implementing an encryption backdoor. In that case, it will mean that anyone - from hackers and other malicious actors to governments - can access private information stored on computers and devices worldwide. The consequences would range from financial loss due to identity theft to physical harm caused by blackmailers or stalkers who gain access to sensitive information through these vulnerabilities. Backdoors are not the solution and the tech community is unanimous in rejecting the introduction of backdoors in the encryption system.
Later that year, a group of 195 experts, companies and civil society organizations from more than 42 countries wrote an open letter demanding an end to global governments’ efforts to flaw encryption protocols: “Users should have the option to use—and companies the option to provide—the strongest encryption available, including end-to-end encryption.” - but they were not the only ones. A group of distinguished computer scientists and cryptographers also opposed the attempts to weaken encryption in their “Computer science and artificial intelligence laboratory technical report”. In this publication, the authors state that mandating government access to all data and communications will create significant security vulnerabilities: “Exceptional access will open doors through which criminals and malicious nation states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe and the consequences to economic growth difficult to predict.”
The mobilization of the tech community has created two fronts in the debate: those who support an intact encryption system and those interested in gaining access through backdoors.
Thanks to the joint work of the internet community and IT experts, the first calls to create backdoors in the encryption system failed. However, attempts to break into the end-to-end encrypted communication chain keep cropping up. The dispute between Apple and the FBI in 2016 is emblematic.
In 2016, the United States Federal Bureau of Investigation (FBI) requested Apple’s assistance in opening one of the San Bernardino terrorist attacker’s iPhones. The FBI wanted to access information on the device that could be used to help further their investigation into the attack. The FBI argued that they needed access to this information because they believed it would provide evidence that could lead them to other people involved in planning or carrying out the attack. In addition, they argued that this information might assist them in identifying other targets that ISIS could attack in the future. Apple opposed the FBI’s request to break into the phone! The company published an open letter to their customers expressing their concerns about the request explaining that unlocking the San Bernardino iPhone would set a precedent to allow government agencies to access private data. Although Apple refused, the FBI eventually managed to “unlock” the iPhone with the help of a small Australian hacking firm.
In 2016, the UK government passed the Investigatory Powers Act (IPA). The bill nicknamed “Snooper’s charter” allows UK intelligence agencies to hack into computers, networks, mobile devices, servers and more in order to access communications. The act also gives UK law enforcement the ability to access encrypted data. The IPA was passed as a reaction to the increased use of encryption on mobile devices and social media sites like Facebook and WhatsApp. However, the government could now require access to all this data at any time, without a warrant or consent from the user.
The positions about encryption in the European Union have been quite inconsistent. While on the one side, Europol’s chief publicly denounced encryption as the “biggest problem for the police and the security service authorities in dealing with the threats from terrorism”, on the other side, in May 2016, Europol and ENISA agreed that “built-in backdoors .... would increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society”. This last statement suggests that the EU would act against the trend set by other countries. Overall, the EU seems to understand the importance of an encryption system without the presence of backdoors that could create vulnerabilities in the system.
In 2018, the UK intelligence and security organization Government Communications Headquarters (GCHQ), submitted the so-called Ghost Proposal Access proposal. The agency describes the idea in an article authored by the National Cyber Security Centre (NCSC), a public-facing branch of GCHQ. The proposal suggested a technique that would have required encrypted messaging services to direct a message to a third recipient while sending it to the user. We face the same problem: this technique would enable eavesdropping, which is precisely why we rely on encryption.
The response from the internet community was prompt. The following year, 47 signatories, including Apple, Microsoft, Google and WhatsApp, signed an open letter to urge the UK agency to abandon its plans for the so-called “ghost protocol”. They claim this proposal creates a backdoor that, if discovered, could be exploited and replicated, creating a massive flaw in the E2E encryption system. The pressure from the public pushed GCHQ to abandon its proposal.
In 2018, Australia followed the UK in designing a law that would force tech companies and service providers to build capabilities for law enforcement to access encrypted communications. According to Senator George Brandis, the Assistance and Access Act 2018 (TOLA Act) aims to deliver a law “sufficiently strong to require companies, if need be, to assist in response to a warrant to assist law enforcement or intelligence in decrypting a communication.”
Australia was the first Western country that passed a bill to crack encrypted communications, allowing law enforcement secret access to messages on platforms like WhatsApp and Facebook. The step taken by the Australian government does not sit favorably with the community of technical experts and tech giants who vigorously defend an encryption method free of third-party access. “Several critical issues remain unaddressed in this legislation, most significantly the prospect of introducing systemic weaknesses that could put Australians’ data security at risk.” so the Australian Digital Industry Group Inc. (DIGI), whose members include Facebook, Apple, Google, Amazon and Twitter.
In 2019, the debate around encryption in India already had some precedence and was not new. The first and probably most well-known case occurred when the Indian government mandated Research in Motion’s (RIM) BlackBerry to give law enforcement access to its encrypted data. The disagreement lasted from 2007 to 2012, culminating in the Department of Telecommunications (DOT) asking the company to stop its services in India. For fear of losing access to the thriving Indian market, the tech company agreed to submit the plaintext of communications sent over the BlackBerry Messenger to Indian law enforcement agencies.
In 2015, the country drafted its National Encryption Policy. It was abandoned after public pressure but in 2019, following the steps of other countries, the Indian government introduced the Data Protection Bill (DPD). With this bill, India proposes strict rules for international data transfers and gives the Indian government the authority to request this data.
Over the years, the bill has gone through several changes and add-ons. In 2021, India was the first to introduce the intermediary liability concept under the “Intermediary Guidelines and Digital Media Ethics Code” (2021 Rules). The rules would make intermediaries liable for user content on their platform unless they met requirements such as content monitoring and message traceability. Both measures endanger encryption since only the sender and the intended recipient should know the content of communications between them. Although tech and security experts warned that this would weaken end-to-end encryption and other security measures, the government released the law in February 2021.
In 2020, the US Congress proposed another bill that threatens safe encryption procedures. The EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act) aims to combat child abuse but the problems it creates overshadow its good intentions.
Although initially rejected, the bill was reintroduced in 2022 with even bigger threats to online safety. The document does not mention encryption, but backdoors to end-to-end encryption would be required as good practice to follow the law. Furthermore, in the new version of the EARN IT Act, if a platform is suspected of hosting child sexual abuse material, its use of encryption can be used as evidence against them in court. In February 2022, 60 privacy and human rights groups sent an opposition letter to lawmakers expressing their opposition to the EARN IT Act. While the bill aims to combat children’s sexual exploitation online, it erodes strong encryption and established security protections.
In this context, Apple seemed ready to create scanning mechanisms for users’ private photos in iCloud and iMessage after years of pressure from US law enforcement agencies. A coalition of more than 90 US international organizations sent a letter to Apple CEO Tim Cook urging Apple to abandon its plans.
Fortunately, Apple agreed to cancel its plan for the phone-scanning in messages and the EARN IT Act is still not law in the United States, but other types of CSAM detection are still planned.
Meanwhile, in 2021, the UK drafted the Online Safety Bill (OSB) aimed to protect internet users from digital threats imposing new obligations to social media, search engines and other user-generated content platforms. Unfortunately, the implications are the loss of online anonymity and, once again, of secure encrypted communications.
In May 2022, tracing the idea of the US, the EU proposed legislation to prevent and combat child sexual abuse online. In the name of fighting crime against children, the government demands regular plaintext access to users’ private messages, from email to texting to social media. Mandating a backdoor into encrypted communications does not make the problem better, it makes it worse. No one wants child sexual abuse material (CSAM) to spread on the internet but damaging encryption isn’t the answer.
Encryption has never been more important. It is so critical that many tech giants advocate classifying access to encrypted communications as a human rights issue in today’s digital age. A backdoor to encryption makes messages, phone calls, video chats and personal data easier to crack and access due to the potential liability new legislation could impose on businesses. Any restrictions on using encryption will make the internet less free and more hazardous.
Encryption is vital in the digital world because it’s a way to protect your privacy and security. It’s also a way to ensure that you aren’t accidentally sharing sensitive information with people who shouldn’t have access to it. It’s used in many industries and is especially important in a digital world where nearly all our data is stored electronically. Users’ personal data, user confidentiality, and freedom of expression should be protected by robust encryption and legislation that imposes adequate and certain security standards with no room for uncertainty and, above all, that guarantees limits on access for investigations by government authorities.
End-to-end encryption protects all internet users. It is essential that we safeguard it.
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byWhoisXML API