Ever since Edward Snowden’s leaks, data security has been a constant topic in the public domain. After the leaks revealed the extent and depth of monitoring of personal conversations and data by the NSA (National Security Agency) as well as other intelligence agencies, much effort has been geared towards achieving personal privacy.
Most of the “achievements” are reactions of large companies to increased consumer demand for privacy. Yet while everyone seems to have an opinion on it, most people do not understand the technology behind it and therefore what can and cannot be achieved with it. In this week’s blog post we aim to clarify some of these points.
Cryptography is a technique used to secure communication between two parties so that the message cannot be understood by any other party, even if it is intercepted on the way from the sender to the recipient. The standard way of encrypting such messages is symmetric encryption. This uses a pre-defined key that both parties know and use for encryption as well as decryption.
However, exchanging such secret keys over the Internet, especially between two parties who might not be familiar with each other, is very risky, as anyone who knows the key can get access to the contained information.
One of the answers to this is asymmetric or public key encryption, which reduces this risk and is therefore widely used online. Many of the services we access every day, from Gmail and online banking to WhatsApp and even Tumblr, use secure connections based on such asymmetric encryption.
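The difference between the two approaches can be shown from the point of view of someone who sees everything sent over the network. The following Python sketch is an added example, not code from this post: the cipher is a toy keystream built from SHA-256, the RSA key is a deliberately small textbook key without padding, and all function names are made up for illustration.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || offset).
    The same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Toy textbook RSA key pair for the recipient (two Mersenne primes).
# Far too small and unpadded for real use; illustration only.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                   # public key: may be sent in the clear
D = pow(E, -1, (P - 1) * (Q - 1))     # private key: never leaves the recipient

def send_symmetric_only(message: bytes) -> dict:
    """Sender has no prior shared secret, so the key travels with the data."""
    key = secrets.token_bytes(16)
    return {"key": key, "ciphertext": keystream_xor(key, message)}

def send_with_public_key(message: bytes, n: int, e: int) -> dict:
    """Sender wraps a fresh symmetric key under the recipient's public key."""
    key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(key, "big"), e, n)
    return {"wrapped_key": wrapped, "ciphertext": keystream_xor(key, message)}

def recipient_open(wire: dict) -> bytes:
    """Recipient unwraps the symmetric key with the private exponent D."""
    key = pow(wire["wrapped_key"], D, N).to_bytes(16, "big")
    return keystream_xor(key, wire["ciphertext"])

def eavesdropper_read(wire: dict):
    """Observer holds N, E and every byte on the wire, but not D.
    Returns the plaintext if a usable key was visible, else None."""
    if "key" in wire:
        return keystream_xor(wire["key"], wire["ciphertext"])
    return None  # only a wrapped key was seen; unwrapping it needs D

if __name__ == "__main__":
    msg = b"constructed sample message"
    print(eavesdropper_read(send_symmetric_only(msg)))
    print(eavesdropper_read(send_with_public_key(msg, N, E)))
    print(recipient_open(send_with_public_key(msg, N, E)))
```

Real services use vetted constructions rather than textbook RSA, but the division of roles is the same: the public key can be handed to anyone, and only the private key holder can recover the session key.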
So where is the problem?
Before the rapid advancement of the Internet, messages between people were primarily exchanged in writing or over the phone. Usually not encrypted, those messages could be intercepted and understood by whoever got their hands on them, whether that was governments, intelligence agencies or criminals. Yet we had trust in those external third parties (such as the Royal Mail or BT) to guarantee the privacy of our messages.
The Internet, however, the primary tool for current telecommunications, is a network of distributed nodes. Our messages are likely to change “hands” an unpredictable number of times, between multiple parties that can even change with each message, and therefore no such obvious third party exists anymore.
This means two things: Firstly, we as consumers have no single party to lay our trust in and hold accountable if our privacy is compromised. And secondly, governments and intelligence agencies don’t have a clear partner either, through whom they could access the necessary information, if needed.
Consumers have addressed this issue by developing an active distrust towards all involved parties and therefore demanding increased encryption. Given the relative ease of remotely accessing any private information through cyber attacks, rather than physical interference as would have been necessary in “Mail days”, this is a defensible conclusion but causes even further difficulties for intelligence agencies.
Strongly encrypted communications are physically impossible to decrypt with current computational power, even for intelligence agencies, and given the distributed nature of communications, it is not enough for them to simply persuade a handful of companies to give them access to necessary information.
How to go about it then?
Terrorists and criminals are increasingly able to act alone or in small groups thanks to the Internet, making it all the more difficult for intelligence agencies to identify, monitor and disarm them. Since most of our everyday communication tools are secure, they could simply be using WhatsApp or Gmail and still keep their communications private. Therefore governments have suggested prohibiting strong encryption or solving the issue by forcing all companies to create “back doors”, which would allow them access to sensitive information. But unfortunately neither of these is a solution.
Prohibiting strong encryption would merely mean a slight complication for criminals as they will have to use ‘illegal software’, which is currently legal and therefore by the very nature of software would not be difficult to access even after being labelled illegal. Furthermore if one considers the severity of the crime these individuals are planning to commit, using ‘illegal’ tools will hardly be a deterrent.
Finally, such a move could actually cause an increase in criminality, as cyber criminals would be able to access our bank accounts, read our emails, or interfere with any other of our online activities far more easily.
Therefore such a policy will decrease security for the general public, enable common criminals, and is not likely to increase the decipherability of criminals’ communications.
Building back doors into encryption algorithms to allow intelligence agencies to access secure information is equally unhelpful. As one might imagine, such a ‘back-door’ is a security vulnerability that criminals could exploit. In other words encryption is either secure for everyone, or it isn’t secure. You can’t have the cake and eat it too – as the saying goes.
Clamping down on terrorists and criminals will not be achieved by regulating encryption. It might ease the access of intelligence agencies to information, but it will certainly harm everyday business, might increase data theft and will leave the cyber population protesting for their privacy rights.
By the very nature of software, supremacy will be very difficult to achieve and hackers will access any secret or illegal tool sooner or later. Therefore the only way to have encryption strong enough for users to be safe, and yet allow intelligence agencies to access information, would be for those agencies to possess quantum computers that could break currently unbreakable encryption. The technology for building quantum computers and the associated intellectual property would then be kept in the exclusive possession of such agencies, physically safe. But that is far in the future.
We take security very seriously in our projects and have developed websites operating through secure connections as well as bespoke, highly secure systems for some of our clients.
If you would like to speak about secure systems, feel free to get in touch here.
- Why is data security a topic?
- How does it actually work?
- Recent developments and what intelligence agencies/governments ask for
- Why that is not possible/problems/shortfalls
- General wisdom (if you want something to be secure)
- Hardware solution
- We have also done projects focused on the highest level of personal security. (Daedalous)