Encryption’s curse is also its blessing

Bruce Schneier considers the value of encryption and the risks of backdoor access by governments and law enforcement. Ultimately, he argues, we need to develop better investigative tools.

The Internet has become vital to society, and attacks against it have serious consequences. Denial-of-service attacks against popular platforms costs millions. Ransomware affects hospitals. Privacy violations threaten to undermine our democracies. And the Internet of Things means that vulnerabilities in computer systems can allow attackers to crash cars, disable medical devices, and otherwise affect both life and property.

It is against this backdrop that we need to debate the value of encryption and the dangers of backdoors. Currently, some politicians in the US, the UK, Australia, and other countries are trying to pass laws limiting the effectiveness of encryption. Citing police investigative needs, they want encryption products in their own countries to have a mechanism to give police officers access to encrypted content – messages and stored data – without the knowledge or consent of the user. It’s a myopic and short sighted idea that 1) won’t have the desired effects, and 2) will make us all much less safe.

I’ll take the second point first. Encryption is a powerful security tool. It secures our data and communications against eavesdroppers such as criminals, foreign governments, and terrorists. We use it everyday to hide our cell phone conversations from eavesdroppers and our Internet purchasing from credit card thieves. Dissidents in China and many other countries use it to avoid arrest. It’s a vital tool for journalists to communicate with their sources, for NGOs to protect their work in repressive countries, and for attorneys to communicate with their clients. Governments around the world use encryption to protect themselves against foreign espionage.

The never-ending litany of attacks illustrates how important computer and Internet security is, on a personal and national level. Anything that forces companies to create alternate access mechanisms that bypass the user will only exacerbate the risks. As technologists, we can’t build an access system that only works for people of a certain citizenship, or with a particular morality, or only in the presence of a specified legal document. If the FBI can eavesdrop on your text messages or get at your computer’s hard drive, so can other governments. So can criminals. So can terrorists.

And while it’s data that encryption primarily protects today, encryption will be essential to protect our physical safety tomorrow. Computers are permeating everything from airplanes and automobiles to toys and home appliances, from drones to nuclear power plants. We need technology companies to make encryption ubiquitous, and to design it to be as bulletproof as possible. This is for our own security and safety.

Now to return to the first point. Criminals and terrorists use tools like WhatsApp and iMessage to prevent authorities from eavesdropping on their communications and accessing their data. If those tools were weakened to allow for surreptitious access, those same criminals and terrorists would use something else. Last year, I surveyed the commercial encryption market and found 865 hardware or software encryption products from 55 different countries. A UK-only law, or even a law that encompasses the US, UK, and Australia, will have no effect on companies operating in Algeria, Argentina, Belize, Chile, Cyprus, Estonia, Iraq, Malaysia, Tanzania, or Thailand. And it’s simply not possible for a country to prevent its citizens from using these – or any other – encryption products. As soon as Apple’s – or any other major company’s – encryption is known to be weakened, foreign companies not bound by such requirements will spring up to meet the demand.

This doesn’t mean that we’re “going dark” by any means. The truth is that most bad guys aren’t very smart. They store their files and communications in the cloud where some cloud providers may have plaintext access. They carry around devices like smartphones that track their location 24/7. We’re living in the golden age of surveillance and both law enforcement and national intelligence organisations have more ways to track our movements than ever before. As many encryption experts have repeatedly said, law enforcement needs better investigative technologies, not computer backdoors.

Weakening encryption reduces our collective security against Internet attackers and at the same time doesn’t prevent the bad guys from using the technology. It’s a knee-jerk reaction to an immediate problem – one that doesn’t take the greater context into account.