Can National Security Justify Privacy Violations?
The 21st century debate about encryption that may never end.
Back in 2015 and 2016, Apple had received orders from the United States district courts to extract data from encrypted devices that were pieces of evidence. Apple couldn’t do anything but reject those requests, because they didn’t have the technical ability to break into them. Later, the FBI asked Apple to update their software in order to enable them to access the encrypted data, in other words creating a backdoor. Apple refused, for its users’ security and privacy’s sake.
This dispute got a lot of media attention, raising many questions, such as the relevance of privacy violations for a potentially better national security.
What Is Encryption?
Definition
With the use of formulas, or ciphers, encryption is a way to scramble and unscramble information. The most widespread form is the public/private key pair encryption.
If Alice sends a message to Bob, she can encrypt it with Bob’s public key, and throughout the transmission, even if someone were to intercept and read the message, there wouldn’t be a way to decrypt it. Only the receiver, Bob, can with his private key. So Eve, representing the man in the middle, is left in a complete dark.
Use cases
Today, there is a myriad of everyday life implementations. From banking systems to e-commerce, from secure hard drives to secure communications. Encryption makes sure all of these systems are safe to use and trustable. Very practical example: encryption can prevent a random guy from reading intercepted data at a coffee shop.
The major issue is that in essence, these messages can’t be unscrambled, and more and more mainstream messaging services are adopting full end-to-end encryption. To the extent that law enforcement is often unable to get access to these communications and it can sometimes prevent them from proving one’s guilt. For instance, Telegram, a widespread encryption-first messaging service has reportedly been the app of choice for ISIS members.
This kind of revelations obviously keeps the fire burning between the two sides of this debate. But what are their arguments?
The Encryption Debate
Encryption is a human right issue
No matter the location, people deserve strong encryption. All lot of people around the world live in continuous fear of reprisals, whether it’s minorities, human rights activists or journalists.
Quoting Amnesty International in their report Encryption: A Matter of Human Rights:
In the digital age, access to and use of encryption is an enabler of the right to privacy.
Because encryption can protect communications from spying, it can help people share their opinion with others without reprisals, access information on the web and organize with others against injustice. Encryption is therefore also an enabler of the rights to freedom of expression, information, and opinion.
In most countries, citizens monitoring has been drastically increased during the last decades. Therefore the need for a safe way to protect privacy and free thought has become more and more important.
The example of an unbreakable house
However, keeping an ultra-encryption point of view can have its caveat too. The following example comes from a great post from Ace Green.
Our smartphones are what our houses were in the 80s or 90s. It’s where we store our wallet, our photos, our most personal notes, credentials to all our accounts, even our heartbeat and our sleep cycles.
Now imagine if someone came up with an indestructible house. One that the military could not break into — rocket-proof, waterproof, you can’t go in from under or above, and even a nuclear attack wouldn’t crack it. Plus every time you attack it, it remembers and after 10 times it just self-destructs. The only way to get in is through a 4 digit password.
This kind of house would be very disturbing. It isn’t really what people would want to see in the world, and neither would governments.
It is common practice for law enforcement to get a warrant to search houses for evidence, why couldn’t it be the same with smartphones?
Backdoors weaken security
This kind of example can help to understand what lead governments to push for the introduction of “backdoors” in encryption systems, a way to gain access to these rapidly growing scrambled communications.
Nevertheless, the whole tech sector went crazy when these proposals were made, because they lead to a huge problem. Let’s roll back to our encryption diagram and include a backdoor.
So we’re still here with our simple encrypted message between our two protagonists, Alice and Bob. But something has changed as you can see. The introduction of a backdoor for the government created a new way to unscramble the data. Even if the government in question were the only owner of the key, the new path would be left to be found. How convenient would it be for Eve, our man in the middle, that can represent hackers, a foreign government or any entity, to focus her effort on exploiting this intended vulnerability, and gaining access?
Encryption is math, and you can’t manipulate math problems to be solvable by only one specific group of people — for instance, the U.S. government.
— Amul Kalia, Learn Liberty
Nowadays it is very common to hear about various hacks that compromise private information all around the world because designing 100% safe services is a really hard task. Therefore the introduction of intended vulnerabilities on top of this is nothing but a dead-end.
Villains are always one step ahead
And there is yet a bigger problem. Practically speaking, being able to access every encrypted service data would mean making contracts with every one of them.
And as an Open Technology Institute study showed, out of the 9 safest apps rated by ISIS, only 1 would be affected by a backdoor law in the US.
Why such a low score? Because the other apps are either company operating overseas, or open-source software. And this is a huge blocker towards the introduction controversial backdoors inside widespread encryption systems.
Current Situation and Future: Continents Roundup
How far are we in 2017? Most of the following content comes from a UNESCO report that was published a year ago. A section of it is dedicated to national level developments in places selected around the globe, in order to get a wide overview of the current situation.
USA
Since the Crypto Wars in the ’90s and the famous wiretapping law for phone calls, the debate about encryption has always been running in the United States. Many proposals have been made since then, without success. Snowden revelations about mass surveillance grabbed more public attention, and both the great community of NGOs and concerns about US companies competitiveness have really slowed down progress toward encryption control.
Germany
Since the late 90s when a ban was proposed but quickly withdrew, there was no new debate about this topic. Even in 2015 after the terrorist attacks in Paris, Germany was one of the rare countries in Europe that haven’t brought this matter back to the discussion. The Federal government has even been encouraging the use of encryption technologies.
India
Despite promoting encryption for banking and e-commerce purposes, India has set a limit of 40-bit encryption, which is considered insecure by experts. The debate has risen after a law draft for restriction, but many widely used apps have been exempted. Here’s a complete breakdown of the legal position about encryption in India.
Africa
With the lowest percentage of internet users, this continent has obviously been behaving differently from the others. There is indeed no legal framework in East and Central Africa. It is however regulated in South Africa since encryption providers must be registered, while being banned or highly restricted in many Northern Africa countries. For instance, selling an encryption product is punished with 5 years of imprisonment in Tunisia.
China
There was no data available for China in the UNESCO report, but last year some policy changes lead to controversy. The government has indeed passed an anti-terrorism law, forcing encryption services to provide support and decryption. Which represents a problem for companies that use true end-to-end encryption and can’t provide such data. More recently, the Chinese messaging app WeChat has updated its privacy statement, explaining that they would provide any user data to the government. And unsurprisingly, this has been followed by a WhatsApp ban in China.
UNESCO Recommendations
The situation is clearly not the same everywhere, which lead the UNESCO to write recommendations for many many different entities of our society. Here are the most important ones.
Generally
- Increasing the importance of Human Right in the debate
- Involving all stakeholders, not only states and governments
States
- Avoiding restrictions on deployment of encryption
- Providing for transparency, avoiding informal agreements between states and industry leaders
- Working toward a better international coordination
Private sector and intermediaries
- Continuing to deploy security measures and innovate
- Supporting open development of privacy enhancing technologies
- Promoting secure coding practices
- Improving confidentiality and anonymity in services
Users, civil society, and technical community
- Communicating the risks
- Making consumers protection agencies stronger
Final Thoughts
Looking at both Human Rights issues and practical problems regarding the implementation of such thing as backdoors in our encryption systems, it’s easy to see that rather than making our societies safer, bans on encryption lead to the exact opposite.
International coordination will also continue to be a major blocker, at least if things stay as fragmented between countries.
At SXSW last year, M. Obama had a very valid point saying that we shouldn’t have an absolutist view on this. A solution has to be found, that doesn’t include a so-called backdoor, in order to ensure national security without creating an easy path for both authorities and third parties to steal our privacy and security.
After having given it some thoughts, my first idea was to put the right to use encryption services as a birth right, that could be lost due to bad behavior. Just like people lose their right to freedom when they are sent to jail or have to wear an electronic tracking device. People would only be allowed to make use of encrypted communications for instance when their criminal record is clean. However, they are two major caveats to this approach. First, this would mean releasing sensitive data to encryption companies. Indeed, while the data per user could only be a boolean value saying if the user can or cannot benefit from encrypted communication or not, nothing more, this would still be too sensitive to give to non-governmental third parties. And secondly, even if it were possible to set this up in a country, how to deal with the rest of world and their own services?
This example shows exactly why the debate may never stop. There won’t probably be any perfect way to deal with the encryption issue waiting for us around the corner. Yet, I really hope that we find the best possible answer in a near future, before things escalate.
This is the content of a talk I gave at my University in France a year ago.
Some data and links have been updated to better match the current situation.
