Encryption is not the enemy
28 August 2016
Encryption is a well-understood and well-known technology in the world of computing. Though the media would have us believe otherwise, encryption is not much more than fairly basic math involving some large, random numbers. There’s a little more to it than that, but it’s based around the fact that modern computers take a really long time to do certain things. That’s not that it’s complicated, just that it’s something computers happen to be fairly bad at. Most things that use encryption use methods that are widely used and known; it’s the keys (or passwords) that are not. No dark magic, and no weird science, just a little math and some keys. If you felt inclined, you could do the tedious job of encrypting something without a computer as long as you had some notes on the math and a calculator.
While it isn’t always made clear, encryption is imperative when doing almost anything in the modern world. The green lock icon in your address bar means you’re using a website over an encrypted connection. If you have medical records, do banking, or use a credit card, encryption is involved in keeping you safe. All of us are directly or indirectly using some form of encryption in our daily lives often without noticing. Without this encryption, our data would be open for everyone to see and access. Stealing unencrypted information, especially while it’s moving over a network, is incredibly easy to do and requires nearly no “hacking” skills. In fact, there are apps available for “network sniffing”, as it’s called, for your phone and even for your web browser, because it’s a useful tool even in applications that don’t involve stealing data.
Unfortunately, as we hear in the news in cases such as the San Bernardino iPhone case, encryption can keep valuable information out of the hands of governments involved in investigations. These cases get used to demonize encryption technologies to push for everything from backdoors (alternate ways of getting access to the information) to outright bans on encryption. These suggestions raise a lot of potential problems.
Backdooring encryption is often propositioned as a reasonable “compromise” approach, but it doesn’t work. On the darker side of society, knowledge of how to break into a system and steal data via a backdoor can sell for huge amounts of money. It’s so lucrative, that there are people, companies, and governments all over the world who find and sell backdoors, and there are even people who do it for a living. No backdoor is perfect; for any of them, it’s only a matter of time before they get discovered, leaked, or sold by an unhappy employee to the highest bidder. In just the past month this has happened twice, resulting in the leaks of NSA hacking tools and Microsoft’s Secure Boot master key. Earlier this year, Juniper Networks announced they had found and released a patch for a backdoor possibly placed by the NSA in their systems - which are used by NATO and the U.S. government, among others. There is no such thing as a secure, invisible backdoor and the U.S. is far from the only entity trying to find and exploit backdoors.
Like all technologies, encryption gets used from time to time by unsavory people. However, that does not give us a reason to compromise all of our safety in order to see what they’re hiding. The amount of fraud, data theft, and hacking that would result from the loss of secure encryption is far more dangerous. As far back as 2001, NIST estimated that the net value of encryption ranged from $345 billion to $1.2 trillion which puts a number to the major implications of breaking encryption (via a ban or backdoor). Encryption is a huge and important part of the modern world, and the calls to require backdoors, bans, or to start “Manhattan Project[s] for Encryption” as we hear officials suggest, are misguided.
Endnote: I highly recommend reading the resources linked throughout if you’re interested in learning more. They’re highly informative and not overly technical in most cases, and provide a good overview of real-world events and research.