Should strong encryption be banned?

Avisarika Tripathy
10 min read · Feb 15, 2022

Every one of us places a premium on data security. Consider how you’d react if your financial information and passwords for your banking applications were stolen, an unauthorized person gained access to your stolen phone, or an unauthorized person read your private messages instead of the intended receiver. Encryption keeps data secure and confidential, both at rest (when stored) and in transit.

Basic cryptographic concept

Encryption is the process of encoding data, or converting it into incomprehensible text known as ciphertext, using a cryptographic key (a set of mathematical values agreed upon by both the sender and the recipient of an encrypted message). Decryption is the process by which the intended, authorized user converts the ciphertext back into readable data. Highly secure encryption employs complex keys that are unbreakable by unauthorized users or by brute force (simply guessing the key). Over 53% of internet traffic is now encrypted.

Strong vs Weak Encryption

Strong encryption employs a very large key, typically 128 bits in symmetric encryption (use of one secret key to encrypt and decrypt information) and 1024 bits for asymmetric encryption (use of two keys: a public key to encrypt and a secret key to decrypt information), making it nearly impossible to break the code. Most governments around the world use strong encryption to protect communications over the internet or to protect data at rest, when stored in laptops or mobile phones.

Weak encryption employs a cryptographic key of insufficient length, as little as 56 bits, and the probability of breaking the code is high.
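The effect of key length on brute force, as an added example that is not part of the original article: a toy SHA-256 keystream cipher (constructed for this demo, not a real algorithm) is searched exhaustively at 16 bits, and the same work is then projected to the 56-bit and 128-bit sizes mentioned above. The rate of 10^12 keys per second and all sample values are assumptions.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher for illustration only: XOR data with a SHA-256 keystream.
    Applying it twice with the same key decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key of key_bits bits in order.
    Returns (key, trials) for the first key whose decryption starts
    with known_prefix, or (None, 2**key_bits) if none matches."""
    nbytes = (key_bits + 7) // 8
    head = ciphertext[: len(known_prefix)]
    for candidate in range(2 ** key_bits):
        if toy_encrypt(candidate.to_bytes(nbytes, "big"), head) == known_prefix:
            return candidate, candidate + 1
    return None, 2 ** key_bits

def years_to_search(key_bits: int, keys_per_second: float) -> float:
    """Worst-case years needed to try all 2**key_bits keys at a given rate."""
    return 2 ** key_bits / keys_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    secret = 0xBEEF                          # constructed 16-bit key
    message = b"ACCOUNT=12345678;PIN=0000"   # constructed plaintext
    ciphertext = toy_encrypt(secret.to_bytes(2, "big"), message)

    key, trials = exhaustive_search(ciphertext, b"ACCOUNT=", 16)
    print(f"16-bit key recovered: {key:#06x} after {trials} trials")

    rate = 1e12  # assumed attacker speed in keys per second
    for bits in (16, 56, 128):
        print(f"{bits:>3}-bit keyspace: {years_to_search(bits, rate):.3e} years")
```

Each extra key bit doubles the search, so the gap between 56 and 128 bits is a factor of 2^72, not a factor of about two.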

In recent times, there has been a huge debate among government officials in multiple countries, such as the United States, United Kingdom, Canada, Australia, New Zealand, India, and Japan, about banning strong encryption, because it has made it difficult for law enforcement agencies to identify issues such as terrorist propaganda and the planning of attacks, and to recover data, which also challenges national security. While the debate is about whether to ban strong encryption in order to protect national security by providing a back door to law enforcement agencies, the issue is of great concern to the general public because it may result in a lack of privacy and security for the data they store or share.

Benefits of Encryption

We use “http://url” or “https://url” to access any website on the internet. HTTPS is a secure version of HTTP. HTTPS uses cryptographic protocols such as TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to encrypt normal requests and responses. When we use HTTPS, we see a lock icon at the beginning, which indicates that we are on the right website and that no intruder can spy on the connection, which may contain confidential information such as credit card details, financial documents such as tax returns, or an application form to buy a house, among other things.

Second, cybercriminals may use malware to infect our computers and steal sensitive data, even if we have antivirus software installed. It is not only about the security of data during transmission over the internet, but also about the security of data while it is at rest, which is why file encryption is also of utmost importance.

In the following section, we will go over the advantages of encryption in detail:

1. Encryption protects your privacy:

Individuals are frequently targeted by cybercriminals in order to steal sensitive data such as credit card information, Netflix queues, shopping lists saved in browsers, or personal data stored on the computer, such as a tax return or loan document, which can provide identity details to the attacker. Photos stored on phones embed location details, so a birthday photo can reveal someone’s name and date of birth, or a house photo can reveal the address. Travel itinerary data stored on a computer can reveal financial information as well as when the house will be vacant.

2. Identity theft and ransomware blackmail are both prevented by encryption:

The scariest thing seen recently is an increase in the use of ransomware to steal one’s critical data and then blackmail them into paying a ransom, failing which the attacker leaks the critical data all over the internet, uses it for identity theft, or sells it to the highest bidder. However, if the data is encrypted, cybercriminals do not have access to it and only see the ciphertext, which is useless to them because it cannot be used to obtain ransom.

3. Encryption enables you to securely share your files:

It is very common to share text, files, and pictures via WhatsApp, Facebook, and various cloud services. Every day, over 100 billion messages are sent via WhatsApp. If the files we share are not encrypted, malevolent users can access them. Consider how you would feel if your personal photos and bank account numbers were leaked all over the internet. Encryption, on the other hand, allows for the sharing of files while maintaining confidentiality and anonymity, and only authorized individuals can open the file.

4. Encryption safeguards against lost/stolen devices:

According to GSMA real-time intelligence data, there are 5.13 billion mobile device owners worldwide, which equates to 66.5 percent of the global population. The use of mobile phones, tablets, and laptop computers has skyrocketed in recent years. Following the Covid-19 pandemic outbreak, the use of corporate laptops increased dramatically. However, it is also common for these devices to be misplaced or stolen. Encryption protects our files even if the device is lost or stolen by an unauthorized user. Each file on the device is encrypted, and the encryption key is securely stored and password protected. Without access to the password, the attacker is unable to scan the hard drive and steal personal information or confidential company data.

Risks of Encryption

As strong encryption makes decryption nearly impossible for third-party users, it also introduces some risks. Although it provides liberty, several crimes such as fraud and money laundering, human trafficking, and terrorist activities which include political acts of violence are untraceable due to strong encryption. Also, even if suspicious hard disks, mobile phones, or computers are recovered from various sting operations, they are rendered useless for further investigation because the information cannot be decrypted.

As former vice president of the United States Al Gore once stated, “unlawful criminal activity is not unique to the internet but the internet has a way of magnifying both the good and the bad in our society”. While criminals and terrorists misuse encryption, many foreign countries participate in the planning and execution of cyberattacks on their adversary’s computer infrastructure in order to steal critical information through the use of several untraceable encrypted codes.

Many analysts believe that if another world war bubbles up, cyberspace will be used instead of the battlefield. The financial and social scenario of a country can be quickly brought down by sending a well-written encrypted code, which, once downloaded by the innocent masses, can begin erasing critical data, crashing critical systems, and slowing down networks.

Tradeoff between National Security and Privacy

Since the 1990s, law enforcement agencies and technology companies have been debating whether decryption keys or backdoors should be provided to private companies and law enforcement agencies. Following a wave of terrorist attacks in multiple countries, particularly the United States, the debate has heated up recently.

One of the first examples of a government attempting to weaken encryption was in the United States. Given that encryption was widely used in public and private networks, the United States National Security Agency (NSA) developed Skipjack, a block cipher (an encryption algorithm), in 1993, to be used exclusively by government agencies to decrypt messages. Because the internet was not widely available at that time, most sensitive information was still routed through the government’s public and private networks. Officials became concerned because they believed that with open access to encryption, more criminals could engage in confidential communication protected by the same strong means.

Agencies later proposed the Clipper chip in 1994, where conversations on mobile devices were scrambled using Skipjack’s algorithm, and the government was given a record of each key that they might use to decrypt messages whenever required. The Clipper chip, however, quickly failed because the cryptographic community and advocates did not support the idea of weakening encryption, and installing a Clipper chip on each and every device was an expensive and time-consuming task.

Later, the US government also implemented key escrow, which required all encryption systems to provide a spare key to a trusted third party, but it was later heavily criticized for risking the privacy of individuals and was banned.

It is practically impossible for tech companies to provide private and secure communications to users while also providing a key to law enforcement agencies to decrypt messages. Moreover, they do not want to open a backdoor that could allow attackers to invade their customers’ privacy and lead to unwanted surveillance by government agencies. The tech companies usually delete the users’ messages after a certain period of time and do not keep any software to decrypt the users’ messages.

Furthermore, computer scientists and advocates all over the world believe that providing the government with tools to intercept and decrypt messages would be a violation of human rights. Weakening encryption would also allow other governments to intervene if necessary, as users’ data would cross national borders and land on the radar of other countries.

Ban vs No Ban

Technology in and of itself is inoffensive to everyone on the planet. It could end up in either good or bad hands. Everyone, including terrorists, has access to the same tools. As a result, unless businesses can encrypt their data in order to protect their business model, it can be hacked by attackers or terrorists.

According to Tim Watson of the University of Warwick, making encryption illegal will have no effect on high-level serious organized criminals because they will use steganography (hiding secret data in a non-secret file to avoid detection) instead. Watson also stated that while banning encryption may appear to be a good idea, the effect would be primarily on the general public, and the small group of people, such as terrorists, at whom the ban would be aimed would be unaffected because they do not pay attention to the law. A ban would primarily affect ordinary people and not criminals or terrorists. So changing the law will not help because it will not stop them.

Adrian Sanabria, co-founder and director of research at Savage Security, once stated, “Encryption is an idea,” and if you ban all encryption software available today, someone will create other encryption software the next day out of the many sources available today. It’s no longer under our control; it’s a Pandora’s box.

The moral of the story is that having control over encryption is an illusion. The government that tries this will end up in the ecommerce slow lane. If a country ever requires businesses operating within its borders to hand over encryption to the government, it is highly likely that the businesses will relocate to another country because they do not want their privacy shared with anyone, including the government.

Final thoughts

Encryption protects us. We don’t worry when we use our credit card details to make an online payment because we know the information is encrypted and safe. We also safely store critical information online and engage in private conversations online because encryption provides confidentiality and anonymity. I recently lost my phone while traveling abroad but as the device was encrypted, I felt safe as I knew no unauthorized person would be able to access the phone and steal the sensitive data I had. That is the power of encryption. Encryption is used in a variety of contexts. For example, journalists use it to communicate with their sources, lawyers use it to privately communicate with their clients, NGOs use it to protect their work in oppressive countries, critical information shared over the internet is protected, and so on.

In today’s world, where data security is critical, I am convinced that strong encryption, unbreakable encryption, is the only way out. During criminal investigations, the FBI and other government agencies stated that they desired a backdoor. However, as a technologist, I believe that providing a backdoor in exceptional circumstances would merely weaken encryption. If there is a backdoor, no matter how sophisticated it is, anyone can exploit it eventually, and it can’t remain hidden for a long time. The internet works because of security, and data encryption is a critical component of security. If we want to protect national security by tracking terrorist activities, we must understand that terrorists don’t care about the law; they will continue to communicate and terrorize by devising alternative methods, such as developing their own encryption applications. A ban on strong encryption would only affect ordinary people by making their data vulnerable online and offline.

Lastly, the government wants to break encryption and protect us right away. Can anyone guarantee that we will be safe and that our information will be safe if a totalitarian leader takes power in the next 10, 20, or more years? Given the preceding discussion, I strongly disagree that prohibiting strong encryption is a solution to protect us and national security; rather, it makes us vulnerable to attackers. In a true sense, it is not a trade-off between national security and privacy. It’s actually a trade-off between more security and less security.

