Why are government officials who know next to nothing about encryption so eager to mandate encryption backdoors?
The ability for law enforcement or governments to access encrypted data to assist with ongoing investigations is a debate taking center stage in the media yet again. Both policy makers and law enforcement officials have called to weaken encryption in efforts to ease their burden when investigating criminals or people of interest. The concern then comes into play that by weakening the encryption on a device it also introduces the risk of malicious acts being directed to similar technology from a more nefarious perspective. Once a backdoor is created within the encryption an individual no longer has any expectation of privacy moving forward.
Policy makers are openly debating against the use of encryption on our devices and we recently heard Amber Rudd, UK’s home secretary, state that, “I don’t need to understand how encryption works to understand how it’s helping the criminals.” When officials in a place of authority, who have decision making or influencing power, make similar statements about encryption we in the security industry need to assist from an educational standpoint.
Yes, there are malicious people using encryption for illegal acts and there will always be individuals bending technology for their own mischievous purposes. This, however, doesn’t mean we should remove the ability to protect ourselves and is exactly the reason why putting a backdoor into encryption is a bad idea.
There are exponentially more people using encryption to protect themselves and their privacy from being subjected than those looking to harm others. We put bolt locks on doors to keep out those we don’t want to enter. If criminals are using bolt locks to prevent law enforcement from entering, it’s not the locks fault.
We, as citizens, should strive towards embracing privacy as a human right. Privacy is a liberty and encryption is a way of enabling it. Allowing a government or law enforcement the ability to bypass these privacy-enabled features allows them to forever have the access to a person's private life.
CIO Study: Outages Escalating with Massive Growth in Machine Identities
Many people take the approach that they’re not a criminal and have no reason to hide anything. This is the wrong side of the debate to stand on. You don’t need to be a criminal to want or need encryption. When allowing such intrusive power into your personal data and devices to an authority is making the assumption that these authorities won’t abuse their power, or have their access compromised.
We’ve seen malicious regimes in government today and in the past, like the Stasi, that made it their purpose to spy on their citizens. Once power is given it’s historically very difficult to have it taken back. If a key was given to allow others to access the data of another there’s no guarantee that this key won’t be accessed by a malicious third party.
We can look at the examples of both the NSA and CIA having their hacking tools breached in the past year. By allowing government authorities this level of access they’ll be under constant attack for this key or another method of bypassing encryption to numerous people. The past track record of governments holding sensitive data and abusing their access is far from stellar. This also assumes that governments or regimes won’t in time change ideologies to allow more intrusive clandestine operations.
By giving up our privacy it doesn’t automatically make us more secure. The influx of privacy and security is consistently at play and we should first look at other ways to achieve the same goals before we start looking to punch holes into encryption. We’ve seen multiple cases call for Apple to assist with breaking into their phones, but the government can still gather much of this data with warrants to the ISPs and social media accounts on the person of interest.
With this being said, the misconception that encryption is a major factor limiting investigations is misleading. By allowing a backdoor into encryption it would cause more harm than it would help and the privacy of data and lives, depending on what country you live in, would be put at risk.
Get a 30 Day Free Trial of TLS Protect Cloud, Automated Certificate Management.
Related posts