Genuinely strong encryption – the sort of encryption that is as good as unbreakable if used correctly – is now readily available, even in consumer devices such as mobile phones.
In theory, therefore, even a non-technical user can prevent hackers or eavesdroppers (regardless of their motivation or legality) from getting hold of private emails, text messages, browsing history, browsing content, phone conversations, personal documents, pictures, location data, customer information, and much more.
So, the debate boils down to, “Is this a good idea?”
In the “No” camp are those who claim that strong encryption makes numerous important activities too hard, notably intelligence gathering, fighting terrorism and investigating crime.
The Noes propose some kind of build-in “backdoor” that would keep the system secure for the most part, yet would make it reliably possible for the encryption to be stripped off by a duly-authorised third party when necessary.
In the “Yes” camp are those who claim that strong encryption should be exactly what it says: strong.
That way, we can rely on it to keep terrorists, foreign spies, crooks and other ne’er-do-wells out of our own and our customers’ data.
Ironically, if you remove from the debate aspects such as whether privacy is a right; whether surveillance is morally sound; and whether governments can be trusted with sufficient power to unlock anyone’s secrets on demand…
…the Yesses and the Noes are as good as reaching the same conclusion from opposite propositions.
The Yesses: “If we deliberately weaken encryption products, then the Bad Guys will win.”
The Noes: “If we do not deliberately weaken encryption products, then the Bad Guys will win.”
Proposed laws in many jurisdictions – good examples include the Investigative Powers Bill in the UK, and bill 2015-A8093 in the State of New York – suggest that the obvious line for public servants and legislators to take is, “No! Strong encryption is not a good idea, and should be fitted with escape holes for use in emergencies!”
But the reaction of the technology industry, at least in the US – Tim Cook of Apple has been audibly vocal, and Facebook, Google, Microsoft, Twitter and Yahoo have stood together on this issue – is, “Yes! Strong encryption is needed for strong data security, and you can’t strengthen something by weakening it on purpose!”
As regular readers of Naked Security will know, we’re strongly in the “Yes! Strong encryption should be strong!” camp, and here’s why:
Mandatory cryptographic backdoors will leave all of us at increased risk of data compromise, possibly on a massive scale, by crooks and terrorists…
…whose illegal activities we will be able to eavesdrop and investigate only if they too comply with the law by using backdoored encryption software themselves.
The good news, if you’re one of the Yesses yourself, is that the IT industry is no longer alone in the “Yes” camp.
The public service in the Netherlands recently thought the issue through and concluded:
The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.
Therefore, the government believes that it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.
And now, France is on board, too.
Axelle Lemaire, the French government’s Minister for Digital Affairs, put it in language that Naked Security readers will probably enjoy:
What you are proposing is a vulnerability by design. […]
While the intention is commendable, it opens the door to actors whose intentions are less than commendable.”
And, for the French Digital Minister, that, quite simply, is that:
In the government’s view, this is not a good solution.”
We may be miles from the end of this debate, but that’s a great comment on which to pause right now!
SOPHOS STATEMENT ON ENCRYPTION
Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.