Euro Security Watch with Mathew J. Schwartz

Encryption & Key Management , Endpoint Security , Governance & Risk Management

Strong Crypto Again the Target of Western Governments

'Lawful Access' Means Weak Crypto on Which Anyone Can Eavesdrop - Not Just the Cops
Strong Crypto Again the Target of Western Governments

Stop me if you think that you've heard this one before: Some governments in the West and beyond are continuing to pretend that criminals will get a free pass - and police won't be able to crack cases - so long as legitimate services that offer end-to-end communications continue to safeguard them using strong encryption.

See Also: Live Webinar | Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways

On Sunday, the Five Eyes intelligence alliance governments - Australia, Canada, New Zealand, the United Kingdom and the United States - as well as India and Japan, published a letter calling on technology companies to only use weak encryption.

The letter begins by stating the importance of strong encryption, noting that it "plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cybersecurity," as well as "serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people."

That is all true. But in a bait-and-switch move, the signatories say any system that uses encryption should allow for law enforcement access.

Cryptographers have a name for encryption systems that facilitate this so-called backdoor or "lawful" access: weak crypto. Here's another name: poor security.

The letter also overlooks another solid use case for strong encryption: to protect individuals from mass surveillance. Indeed, it's worth remembering that Apple and Facebook began building strong encryption into their products and services only after Edward Snowden's leaks revealed a massive U.S. surveillance dragnet, including taps on all of the big service providers' data centers. Captured information, including email content and phone metadata, was being shared across the Five Eyes partnership.

Only Strong Crypto is Strong

Only strong encryption - free from backdoors - offers the protection consumers and businesses alike require. That's because weak crypto can be easily cracked by everyone from unscrupulous business competitors and organized crime gangs to bored teenagers and unfriendly nation-states. Backdoor access also doesn't prevent malicious insiders - including individuals with law enforcement day jobs - from abusing such access.

For too long, encrypted communications have served as a straw man for governments, for example, when their intelligence services fail to prevent terrorist attacks. Rather than asking if inadequate funding, poor public services, inadequate information sharing or legacy intelligence silos might have been a culprit, it's easier to single out Apple, Facebook or WhatsApp for blame.

The same goes for online child exploitation, which governments often cite as a reason for why strong encryption should not be allowed to exist. Child abuse is horrible - full stop - but outlawing encryption won't magically allow police to identify and arrest every perpetrator.

Proportionality is also key. Just because criminals can abuse a system, does that mean it should be made unsafe for everyone in the name of making it easier for law enforcement agents to eavesdrop?

Investigators Have Many Resources

In fact, numerous law enforcement investigations succeed even when encrypted communications or other systems are in use. Witness the takedown of innumerable darknet marketplaces; busts of illicit narcotics buyers and sellers who interact using legitimate, encrypted messaging apps, such as Telegram, Discord, Jabber and Wickr; or takedowns of numerous encrypted communication systems - and arrests of their operators - which have been designed to serve criminals.

Focusing on how criminals might use strong, legitimate services also overlooks their ability to create their own encrypted communications systems or to choose from a multitude of off-the-shelf offerings produced outside the countries attempting to ban or otherwise curtail strong crypto.

Indeed, four years ago, a team of security experts conducted "A Worldwide Survey of Encryption Products" and found that 865 hardware or software products used encryption. Those products had been developed in 55 countries. Thus, any attempt to restrict the use of strong crypto by criminals or terrorists would fail, argued authors Bruce Schneier, Kathleen Seidel and Saranya Vijayakumar.

Target: Strong Crypto Everywhere

The signatories to the Sunday letter, which include U.S. Attorney General Bill Barr and U.K. Home Secretary Priti Patel, aren't just targeting end-to-end encrypted communications services but also "device encryption, custom encrypted applications and encryption across integrated platforms."

They write: "We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions."

But here's the bottom line: Weakening security does not allow for strong security - even if politicians continue to pretend otherwise.

Yes, giving everyone access to strong encryption by default - which criminals will continue to access even when governments ban or otherwise restrict it - can complicate some police and intelligence investigations. But to maximize individuals' privacy and the security of their personal data and the systems they rely on, there is no good or acceptable alternative to strong encryption.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.