Well known novelist, journalist and software engineer, Jon Evans recently shared his opinions relating to the ongoing battle between security and privacy in the United States in an online essay on the website RealClear Politics late last year. He stated that he doesn’t share the view of many in the intelligence and law enforcement communities that it is an either-or proposition, saying that the dichotomy between personal privacy and public security is a false choice “promulgated by people who should know better.”
He also made the case in an earlier piece for Tech Crunch that the massive accumulation of personal data is itself compromising the wellbeing of the average American because as government controls on privacy continue to evolve there is a potential threat to dissidence and original thinking. Evans added in the RealClear Politics piece that “private spaces are the experimental Petri dishes for societies. If you know your every move can be watched, and your every communication can be monitored, so private spaces effectively don’t exist, you’re much less likely to experiment with anything edgy or controversial.”
As senior Trump administration officials currently work with the National Security Council and other influential intelligence agencies to debate the federal government’s authority to outlaw end-to-end encryption of all network devices, Silicon Valley tech companies are girding for a fight to protect their software and digital products, along with the privacy rights of their customers.
The Catch 22 for law enforcement and the feds is if and when legislation prohibits end-to-end encryption, the same opportunities that will provide them easier access to a suspect’s data and personal digital information will also open the information floodgates to bad actors around the globe. A shortsighted government solution will put every individual and organization that relies on encrypted and scrambled communications in danger.
Laying Down the First Gauntlet
As communication technology continues to explode in complexity and reach, and global engagement across social media platforms enables both innocent outreach and criminal enterprise, striking a balance between what constitutes public safety and how to protect private data is a societal paradox. The most visible and publicized gauntlet was thrown in 2016 when the FBI went to Federal Court to demand Apple aid law enforcement in its investigation of San Bernardino terrorist Sayed Farook, who in 2015 killed 14 people and seriously injured 22 others in an attack at the Inland Regional Center, by demanding the Silicon Valley tech giant unlock his cellphone. Apple CEO Tim Cook refused the order – 11 times.
The FBI was asking Apple to create new software that would enable the FBI to unlock a work-issued iPhone 5C it recovered from Farook. The FBI eventually found a third-party that was able to unlock the phone avoiding further escalation of the issue. The Los Angeles Times later reported that the FBI found no information on the phone other than phone numbers and work-related information. There was nothing connected to the terror plot.
The FBI and the Department of Justice make the case that security is more important than privacy contending that the proliferation of data – if inaccessible by law enforcement – is more of a public safety threat than an issue of personal (and expected) privacy. However, a growing number of cybersecurity professionals aren’t buying what the government is selling when it comes to privacy versus public safety.
“Last year it was revealed that the number of law enforcement cases impacted by end-to-end encryption was significantly overstated. At the same time, weakening encryption would allow not just law enforcement access, but would inherently make that data vulnerable to compromise by malicious actors as well. That not only means that corporate data would be more at risk, but end-to-end encryption is an essential safeguard for individuals. From domestic violence survivors to journalists to activists, end-to-end encryption is an impactful way to protect their digital and physical safety, while for any individual user end-to-end encryption provides a layer of data security to help prevent against unauthorized data access,” emphasizes Dr. Andrea Little Limbago, a former Senior Technical Lead at the DOD’s Warfare Analysis Center in Dahlgren, Va., and currently the Chief Social Scientist at Virtru, an email encryption and data security company. She argues that end-to-end encryption is an effective safeguard and should remain a core component of any security and privacy approach.
Advanced Encryption Fuels the Fight
Dr. Limbago admits that the Apple case may have brought the public’s attention to the looming battle between Tech and Feds but says that the issue is as also being fueled by more advanced encryption technologies being developed and pushed by the technology sector.
“While that case (Apple vs. FBI) still lingers, the root of this latest push coincides with an expanded emphasis on end-to-end encryption by some of the big tech companies as well as impending data privacy legislation. Keeping in mind this was a National Security Council discussion and not a legislative proposal (yet), this latest push likely has more to do with government concerns that more data may be inaccessible to them if the major platforms implement a strategy based on end-to-end encryption, such as Facebook has publicized,” says Dr. Limbago. “There also is a growing push for a federal data privacy law, which is a frequent topic at hearings and over a dozen data protection laws have been proposed this year already. Some of these may include end-to-end encryption as a security safeguard, and so that likely also is impacting the timing.”
Apple upped the encryption ante a little over a year following its confrontation with the FBI by unveiling a new security feature that would disable data transfer through the Lightning port an hour after a phone was last locked. This feature essentially locks out third-party hacking tools that law enforcement has used to access what they consider possible forensic data. Obviously, government agencies were none too happy about this development. The question now posed is how are tech companies going to be able to adequately ensure the integrity of their customers’ data and personal information if government mandates continue to erode protections?
Undermining Cybersecurity Serves No One
According to Dr. Limbago, any mandate that weakens security will inherently erode any organization’s ability to protect customer data.
“This is not just an issue in the U.S. but across the globe. Many authoritarian regimes are banning apps with end-to-end encryption and mandating access to data. U.S. policies should seek to prompt tech innovation for security and privacy, instead of undermining it and help promote a race to the top for data security. The U.S. must take a stance in favor of heightened - not weakened - data security, which is essential to our economy, our national security, and is at the center of a modern open society,” she adds.
Willy Leichter, Vice President of Marketing at Virsec, a cybersecurity solutions-provider based in San Jose, Calif., says that the encryption debate resurfaces frequently because it frustrates law enforcement, but he stresses that banning encryption or opening back doors simply won’t work and can potentially undermine overall internet security.
“Encryption is simply advanced mathematics, and banning math is like banning an idea – it won’t just go away. Practically unbreakable encryption algorithms are widely available – if a U.S.-based service can’t provide end-to-end encryption, then dozens more will pop up outside the country that is equally effective. And if one government requires ‘secret’ backdoors, then many others will follow, and the encryption needed for privacy and day-to-day business will no longer be effective,” warns Leichter. “Banning end-to-end encryption will have one real effect – it will undermine the competitiveness of U.S. tech firms and weaken security for businesses and consumer when it is more important than ever.”
Politics or Public Service?
Those in the cybersecurity community are wary of any government intrusion into such a volatile and complex ecosystem. The Cybersecurity and Infrastructure Security Agency knows the importance of encrypting sensitive data, especially in critical infrastructure operations, but ICE and the Secret Service regularly run into encryption roadblocks during their investigations. So given the present climate, has the encryption issue turned into a political football or a legitimate homeland security concern that trumps privacy? On this question, there is an overwhelming agreement that less is more.
“Once again, we have politicians trying to legislate what they do not understand. The message just doesn’t seem to be getting through – if you undermine encryption, create a backdoor, then you will weaken security defenses that are used by our very own government. It’s a really bad idea; once a backdoor is created it won’t stay secret for long and will just create blueprints for cyberattackers to steal private data and sneak into encrypted communications,” chides Kevin Bocek, Vice President of security strategy and threat intelligence at Venafi, a cybersecurity company based in Salt Lake City. “I understand that it’s frustrating that police can’t access encrypted communications, but creating a backdoor isn’t the answer and it’s totally unrealistic to simply ban the use of such services – this will only hurt their legitimate, law-abiding users.”
Dan Tuchler, the Chief Marketing Officer for SecurityFirst, a data-centric security provider out of Rancho Santa Margarita, Calif., states that while there is often a fine line between positions on an issue, this one has no grey area.
“An authoritarian government will always seek to exert control by monitoring its citizens, using the reasoning that the safety of citizens is more important than any erosion of their rights. The United States has a long history of mottos such as ‘Live Free or Die’ emphasizing the common conviction that the balance should always lean towards freedom of speech. We don’t like it when suspected terrorists can communicate on encrypted channels, but we need to catch them a different way so that we can protect one of our most important fundamental rights,” Tuchler says. “So yes, phone vendors will need to improve their ability to protect our private data, using stronger encryption.”
Dr. Limbago concludes that the number of cases that might have been hindered due to a lack of access to data is minuscule when compared to the elevated vulnerabilities and risks that would be introduced due to weakened security.
“There already are significant challenges with protecting personal and corporate data given the proliferation of attackers and adversaries. These challenges will only worsen with an encryption ban, which would lead to even more frequent revelations of data breaches and compromises that would hit at the foundation of our economy, national security, and privacy. Given the nature of a digital economy and society, weakening security puts our economic and national security at risk and significantly undermines privacy, while introducing significant vulnerabilities for data misuse and abuse,” she adds.
About the Author:
Steve Lasky is the Editorial Director of SecurityInfoWatch.com Security Media, which includes print publications Security Technology Executive, Security Business, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.