I was catching up on some tech related news stories after a hectic 2 weeks of professional service engagements when I came across discussion of a New York Times article (archived version in the link; NYT allegedly pulled the original article after some negative feedback,) that indicated that “European Officials” were pointing the finger at encrypted communications being a facilitating factor in the recent events that unfolded in Paris.
The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.
It would be nice to know exactly WHICH European officials are making this claim, what proof they have, and what country they are from but I digress. It does not surprise me that this is the immediate reaction we see from someone with authority in the EU, considering David Cameron’s consistent negative stance on encryption technology.
Don’t think that the problem is limited to the EU, either. US legislators have called for the weakening of encryption protocols as well in the wake of these events.
Since this is a tech oriented blog, I am going to keep my personal views on politics personal. I’m not here to talk about the risk/benefit analysis of intercepting and monitoring messages to root out potential enemies. I’m here to talk about why inserting a back-door into ANY encryption standard is a terrible, terrible idea for John Q. Public.
What is encryption, and why is it important?
Encryption is a method of obfuscating the contents of your data, ideally making it unreadable to no-one but the creator of the data and any intended recipients of the data. If someone manages to acquire a copy of your data being transmitted on an unencrypted channel, that data will be visible in plain text. If someone manages to do the same over an encrypted channel, they will only see an unintelligible string of letters, numbers, and symbols.
There are two primary types of encryption: Encryption “at-rest” and Encryption “in-flight.”
At-Rest refers to data that resides on-disk, and typically this type of encryption is designed to prevent a physical attack on your data. If someone were to steal your powered-off desktop or laptop computer and you were using hard drive encryption, they would be unable to read the data on this device without your pass-phrase or private key file. For you corporate IT-types, replace “desktop or laptop” with “SAN or NAS.”
In-Fight refers to encrypting data prior to the data leaving your computer and being transmitted to its destination. For instance: if you use an instant messaging application that supports encryption, the message you type into the text field is plain text and readable to you while on your local machine. When you hit the “Send” button to transfer the message to your friend, the encryption algorithm will generate a random number and apply that number to a complex mathematical equation that will scramble the contents of the message. When the message is received by the recipient, they will have a decryption key that will allow them to unscramble the message and read what you typed to them. Anyone sniffing your communications will only see a random string.
There are many types of in-flight encryption; some common ones being HTTPS, SSH, and TLS/SSL. These types of encryption typically rely on a public/private key architecture, and I could drone on about the technical details of it for a long time so I’m going to cut it short and encourage you to do your own research. The main takeaway I want for you to understand regarding in-flight encryption is that it is extremely important for the safety and security of your data.
There are many freely-available tools that allow anyone with access to the same network you happen to be sharing (I’m looking at you, Starbucks Mac-using hipster,) to watch what you’re doing.
You can test these out for yourself if you’re the tinkering type. Try starting one of these tools and browse to an HTTP site while logging traffic and observe the log. Then try doing the same when visiting an HTTPS site.
Reminder: There is undeniable evidence that some Alphabet Soup Agencies have been putting devices that do the same things as these tools throughout Internet Service Providers in the US thanks to the Edward Snowden information leaks (and people like the fellow in the linked article above.)
Who benefits from Encryption?
The short answer is: We all do.
Many public and private institutions rely heavily on data encryption standards for the secure transfer of their customers sensitive Personally Identifiable Information (PII,) securely processing financial transactions (PCI,) and securely transmitting messages without (or at least, with less,) worry that their transmitted messages will not be intercepted and read by a malicious third party or oppressive government. There are even government-created regulatory standards that call for the use of encryption for these types of data. I hope the irony of this is not lost on you, given what’s been said so far.
There’s not a day that goes by without some form of data breach at the hands of digital miscreants. Whether it be the script kiddie just learning about computer networking trying to sniff your wi-fi traffic or a sophisticated targeted attack on an institution by a nation state, In-Flight data encryption makes their jobs far more difficult. It is essential that these encryption protocols that are relied on every day by law-abiding people like you and I remain strong. By injecting back-doors to allow Government Entity X to easily break the encryption, talented hackers the world over have proven that they are more than capable of discovering and exploiting these weaknesses too.
I believe there is an old Ben Franklin quote that applies to this situation, and I’m paraphrasing here:
“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”
Currently there is no law (to my knowledge, at least) in the US or the EU that bans the use of encryption techniques when transmitting data, meaning that encryption is currently a “liberty” when applied to the quote above. There is no viable proof that weakening encryption standards that are used by millions will have any effect on preventing future events such as what occurred in Paris.
There is, however, viable proof that weakening encryption standards will put the secure transfer of sensitive information for millions of Americans and Europeans at risk to the very people that legislators are claiming they want to protect their constituents from.
We certainly are living in strange times.