Major players take sides in the encryption debate, and not uncommonly, both sides. While it remains to be seen if encryption itself will come down on the side of big business, consumer rights, government oversight or cyber criminals, everyone has some skin in the game and is out to play. The work-from-home landscape has only added to the melee, so we’re re-including some quick tips to stay safe. Also, find out what the future could hold for medical deployment as more of our lives are given to new technology—and the IoT has yet to be regulated. Encryption becomes the unexpected juggernaut between what we have and what we want, and at a time when it couldn’t be more important, it’s being tugged at both ends.
The encryption contradiction: key players fight on both sides
Pick a side, any side.
This time five years ago saw now-FBI Director Christopher Wray litigating on behalf of Facebook, and all the privacy issues surrounding it. While details have been less than forthcoming, what can be pieced together is that WhatsApp (owned by Facebook) had some sort of run-in with the US government over the matter of user data privacy, and Wray argued for Facebook, as an attorney of the hired firm King & Spalding.
Interestingly, three years ago Senator Richard Blumenthal launched the Consumer Privacy Protection Act, along with Senator Patrick Leahy (D-Vt.), who was quoted as saying that privacy/data security “is about protecting our privacy and even our national security.” Now Senator Blumenthal backs the anti-encryption, anti-privacy bill known as the EARN IT Act.
King & Spalding argued for WhatsApp in the little-known privacy debacle, and now represent NSO Group, an Israeli cyber-arms dealer that was once accused of hacking WhatsApp in a Facebook-filed lawsuit. Facebook is now arguing that because King & Spalding once represented them, in work that necessarily “involved the provision and exchange of WhatsApp’s highly confidential information,” there would be some “serious ethical concerns for their representation of NSO today.”
With all the twisted lines of an incestuous Greek tragedy, it could be said that another one of the hush-hush issues of American politics and power is becoming user data encryption.
While companies fight for our data, the public sector pushes back. Rallying again for private-sector oversight, the Democrats pushed through a privacy agenda backed by Senators Dianne Feinstein (D-Calif.) and Richard Blumenthal (D-Conn.), which included the COPRA Act, late last year. Said Senator Blumenthal, “I know from having fought for stronger privacy protection over decades, federal action is woefully overdue and urgently necessary now.” Incidentally, both senators are also behind the EARN IT Act, an attempt to legislate government-mandated backdoors.
On the surface, quite the dilemma.
Senator Richard Blumenthal, supporter of both the COPRA and EARN IT Acts
While it may seem like a contradiction that Senators Feinstein and Blumenthal are simultaneously fighting to support and oppose encryption, the key lies in who holds it—literally the encryption key.
Legislation like the Consumer Privacy Protection Act belies a mistrust in public entities, while the EARN IT Act seems to advocate for more data control in the hands of government. One could easily support both and be vying for the same thing.
In either event, encryption is still being pulled both ways, by both sides, and we hope it won’t break.
With data surpassing oil in value (old news), what’s left to decide is who gets it—and how much.
Three years ago, that might have been the private sector. Today, it’s up for debate. Consumers have yet to realize their potential as “wealth holders”, but there’s no denying the issue will be argued. Potentially, by the same lawyers.
Hide your kids, hide your WIFI: WFH encryption challenges
The work-from-home landscape may seem like a bleak no-man's-land of new crypto threats and cyber mines. But it’s not without hope. If properly used (i.e., if used), encryption was made for moments like this.
- Data commingling: We email our family, chat with our bosses, FaceTime doctors and access sensitive work information over the same internet connection, on the same devices, with basic home provisions. Time to upgrade?
- Personal IP addresses looking to authenticate: Existing networks will have a lot of new and often personal IP addresses standing in line waiting for authorization. The foot traffic alone will draw a lot of unwanted eyes, so keep in mind that cybercriminals could be lurking in the unencrypted abyss. Until all internet highways and byways are secure (we’re still trying to push for unilateral HTTPS here), companies might want to start looking into more encrypted options.
- Infrastructure providers have a special burden: With the whole world relying on the internet, who does the internet rely on? While this hasn’t changed from at-office days, the landscape certainly has. Black hats need only find one weak link in the employee chain of IBM, AT&T or any number of internet infrastructure companies and the fragility of the system reveals itself. What is sent carelessly over an unencrypted channel could have dire consequences.
This global work-from-home situation could be encryption’s finest hour. Ironically, it’s also its most vulnerable. The past few months have been a field day for cyber attackers, and bills like the EARN IT Act threaten to weaken the encryption that could save us. While transitioning to a more mobile workforce, let’s make sure moving one step forward doesn’t bring us two steps back.
Medical implants: yet another reason to encrypt the IoT
We’ve mentioned encryption safety on the home front, but upon reemergence from crisis mode, the IoT will likely be one of the industries to thrive. Not surprisingly, how we take our medicine might be a top concern.
Daré Biotech is pushing the bounds in IoT technology, releasing a microchip drug “designed to store and precisely deliver hundreds of therapeutic doses over months or years in a single implant.”
The Bill and Melinda Gates Foundation-backed firm can implant a device within patients that releases pre-stored contraceptives from the chip into the body. According to the website, “The implant is intended to be operated by the patient to deliver medication on demand or on a pre-determined schedule that can be activated or deactivated wirelessly, as required.”
Bill Gates, Founder of the Bill and Melinda Gates Foundation that funded the Daré Biotech microchip project
Wireless control of in-body contraceptives is just one reminder of how crucial encryption is to the upcoming wave of IoT devices—and an eye-opener to the new landscape.
As Venafi’s CEO Jeff Hudson explains, securing devices is not just about smart doorbells; as machines take over more of our integral tasks (even bodily functions), the stakes become higher.
We’ve seen IoT medical devices before, and as we covered in our story of remote-controlled insulin pumps, encryption levels on these machines have yet to be standardized or regulated. In a worst-case scenario, the unencrypted wireless connections of these devices were breached, showing the potential for hackers to inject potentially lethal amounts of insulin into the patient. Drug-releasing microchips connected to wireless networks would need to be under the same scrutiny.
And far better encryption.
As the IoT landscape evolves to include human health, encrypting the machine identities of every device becomes not only a matter of protocol, but of life and death.