Zoom looks to implement an end-to-end encryption strategy for all users, not just those with paid subscriptions. Before, those who choose not to pay could remain on the unencrypted version. But the people have spoken, and they demand privacy for all. In other news, maybe a paid model (if there were one) would be best if it could provide a truly safe online voting experience for Puerto Rico. Currently, security expert Bruce Schneier and a host of others have signed their names to a letter explaining the intricacies of electronic voting and how such an idea might outstrip the security of its time. In short? We’re not ready. Find out what else we’re preparing for and how, as California companies find compliance with CCPA and what the best options are for covering your assets. Within the new paradigm of a work from home culture, encrypting everything has never been more vital. The challenge in the coming months will be to figure out just how we do so.
Encryption is valuable enough that many of us are willing to pay for it. I pay a nominal fee for an encrypted email host. Another small fee goes to using an encrypted cloud storage provider. In the future, I may continue to pay for further encrypted assets to protect my digital identity, which increasingly reflects my actual identity. It’s a trend, and for a private person, privacy is a premium.
Zoom also recently attempted to put a price on that privacy, offering end-to-end encryption only to paid subscribers.
I get it. The resources and additional assets involved in fully encrypting any platform are not insignificant, and so for practical reasons, a fair price for a fair trade may be expected. However, with privacy being a key selling point, many other companies had been previously willing to add E2EE just to up their market value. Look at Facebook’s broad sweeping announcement last year to fully encrypt all platforms in their whole. Even though that plan has been put on pause, the larger point still stands that encryption is a valuable enough resource to be commoditized.
Zoom sparked a wide backlash when the company announced that it would leave its free option unencrypted according to the logic that doing so will allow law enforcement to easily access Zoom criminals online.
“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” reported Zoom CEO Eric Yuan.
While a laudable aim, practically speaking it remains to be seen how many baddies were left on “free Zoom” after this announcement. Seeing as the government already has crypto experts and crack teams devoted to this sort of thing, the answer is no, not likely. If they want to catch a criminal, they can. But that didn’t mean that all free Zoomers should have their data exposed to whoever else might be out there.
Encryption is not touchy-feely, idealistic or full of altruism, but it is practical. And, compared with the ugly alternative, extending encryption to all users may have been a privacy pill well worth swallowing for Zoom.
- Why True End-To-End Encryption is Important for Distributed Apps
- Is the War on Encryption a Fight Between Privacy and Safety?
What makes voting work? The fact that the ballot is A) Anonymous—no repercussions for how you decide, B) Secure—what you mark down stays that way, and C) Submitted—your ballot actually gets in. According to Bruce Schneier, the ACLU and everyone else who wrote this letter, online voting could undermine all of that. And Puerto Rico is well on its way.
Notes Schneier on his blog, “under current technology, no practically proven method exists to securely, verifiably, or privately return voted materials over the internet.”
He goes on to explain, “That means that votes could be manipulated or deleted on the voter's computer without the voter's knowledge, local elections officials cannot verify that the voter's ballot reflects the voter's intent, and the voter's selections could be traceable back to the individual voter.”
In addition to being just bad practice, the whole thing could also be illegal. Without those protections (our “A” “B” and “C”), the right to a secret ballot—a provision accounted for in Puerto Rico’s Constitution—could be violated.
Apparently, the US Federal government barked up the same tree, only to be repelled by NIST’s findings at the top. According to NIST,
“The study concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems. Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots. And, the United States currently lacks a public infrastructure for secure electronic voter authentication. Therefore, NIST’s research results indicate that additional research and development is needed to overcome these challenges before secure Internet voting will be feasible.”
The letter argued that “no such system is commercially available” and that developing such a system on their own would be “prohibitively expensive”.
The letter is an open call to the government of Puerto Rico to stand down where electronic voting is concerned. The risks are too high, the gains too little, the possibility of guaranteeing the right to a secure ballot nonexistent with current technology. And, although no election method has ever been faultless, the argument seems to be—you could do a lot better than this.
We’ll see if the Puerto Rican government agrees.
- Electronic Voting and Election Fraud
- American Election Insecurity in 2020 [COVID-19 and Beyond]
- Will Encryption Backdoors Hurt Election Infrastructure? Security Professionals Say Yes.
California has a lot. A lot of palm trees, a lot of Boba shops, a lot of drivers, a lot of data breaches. And now, a lot of legislation that aims to take breaches off the list. However, to adhere to the California Consumer Privacy Act (CCPA) without using encryption would be like serving Boba without the tapioca. Impossible.
Your business could go under with a CCPA infraction
In Europe, GDPR can only fine for 4% of global turnover, securing your organization in the event of a data disaster. However, the CCPA has no such limit caps, making your business potentially liable for the full amount of damages, regardless of ability to pay.
By encrypting the consumer data under your control, you protect yourself against the private right of action under CCPA. Encrypting ensures you’ve done your due diligence and liability will be mitigated accordingly.
California is also privacy-forward in that it has a data breach notification law, known as Data Security Breach Reporting. By encrypting your data, you also limit how much you’re required to report when a breach occurs, as again, diligence on the front-end limits responsibility down the pipe.
Encryption is the lock on the register
Aside from legal sidestepping, fully securing your consumers’ confidential information through end-to-end encryption not only protects your reputational and financial assets, but ensures attackers have less vectors from which to penetrate your network. You don’t want a data breach hitting the news and blindsiding your organization when a few drops of prevention would do. You don’t want to be crushed by compliance lawsuits when finding easily accessible E2EE assets were available within the year’s IT budget.
Nobody wants to spend all their resources selling the inventory only to leave the lock off the register. More than “a way,” encryption is “the way” California companies are expected to secure consumer data and adhere to consumer privacy laws. Hopefully, one day soon California will be able to add more “a lot” to the list: encrypted consumer assets.