Encryption, why do we need it?

In principle, the answer is simple: for the same reason that we lock our doors or curtain our windows – to protect us from unwanted visitors or observers with bad intentions. Knowing stuff about the people around you has always had its advantages. To gain this information, in the past, letters were intercepted, conversations were overheard, and people were observed. In substance, nothing has changed – it’s just that the possibilities to puncture people’s privacy have become much wider – scarily so. We may look to technology for ways to enhance our freedom – look at the Arab Spring – but it also makes possible just as many opportunities to spy on us. The thing is that internationally, privacy laws are great at covering the old media. There is newer legislation governing telecommunications and our brave new cyber world of e-traffic. However, when it comes to digitization, new technology is evolving so swiftly that the law is like a dog running after a bus, with little chance of catching it.

And who protects you when it’s that same law-making government which decides that its interests come before your privacy? Communication law has always hinged on balancing rights to privacy, anonymity, autonomy and free association, with the public interest and safety.

So, although these laws are supposed to protect us, practically, the government can overrule them, claiming that it’s in your best interests. This means that Joe Public can be subjected to surveillance anywhere, anytime, with no warning or reason supplied. It’s Big Brother. So encryption methods are no longer only needed by those with something to hide when they transmit data, but the rest of us as well, who just want to rest assured that we’re not living under an all-seeing eye. Your cell phone is a cool way of keeping contact with your friends across the globe, but it also niftily triangulates your position. So the tech that supplies you with ultra-local weather information also allows an interested agency to track you. Those online searches that gather information to target you with useful advertising? They form a neat little goodie bag of your personal info for companies to sell to the highest bidder.

Because encryption is a complex issue, many lay-people see it as exotic; not for the man in the street. However, with the amount of monitoring performed, through everything from tracking buying-habit data, to downright spying, one cannot rely on other people’s honesty to guarantee you the privacy promised in the constitution. In the digital arena, you have to play an active role in ensuring the encryption of data into your own hands. To put it simply: Encryption is what guarantees your privacy and protects your transmissions against manipulation. Since digitization has penetrated so deeply into all of the control areas of business and society, sufficiently strong encryption is the only protection against digital terrorism. That’s how important encryption has become for individuals.

Encryption protects our data. Medical, financial, insurance… stored locally on a personal computer or out there in the cloud, or just as it zips across from your computer to your broker’s. It protects conversation, whether video, voice or text messages. It guards our privacy and our anonymity. This is important to all, not just to journalists, and political and rights activists who use information professionally. It protects our data from interference at all levels: from crime and industrial espionage, to nosy neighbors and family members. It guards our data from malicious attack and misuse of data gathered from lost or stolen mobile devices. With increasingly fierce competition in the market, information is gaining in importance, and its misuse and exploitation can have serious consequences. Misuse of sensitive information can have unpredictable consequences for your business. This alone makes encrypted mobile communication a necessity for modern entrepreneurs.

Electronic cash and electronic/internet banking are only viable if sufficient, current security and authentication methods are embedded. These must be independent of state intervention, since all it takes is one disgruntled employee, or one with a vast debt owing, to use his or her security clearance to make a little cash on the side with customer credit card details. Then there are the hackers…

Right now, encryption is still the best privacy-preserving technology that we have. It is our best chance at protection from the mass of cyber surveillance, which, on one hand capacitates governments to control their citizens, and on the other, allows criminals to seek out vulnerable victims.

Efforts by governments to reduce security to enable monitoring.

Since the emergence of data and the information society, the secret services no longer limit their activities to letters and wire-tapping: Since the adoption of various laws regulating telecommunications services in most countries globally, data services, mobile telephones and other electronic communications facilities are also included in the monitoring process.

In August 2014, Germany‘s the “Digital Agenda” was published. It contained a chapter on “Security, Protection and Trust for Society and Business”. This stated: “We support more and better encryption. We want to be the # 1 encryption site in the world. Therefore, the encryption of private communication in the main should become a standard.” However, six months later, the International Forum on Cybersecurity declared: „Authorities must be empowered and able to “decrypt or circumvent” encrypted communications.” It said: “If the operator protects the messages entrusted to him for transmission by means of technical measures against unauthorized third-party access, he must have an interface… provide access to the unprotected messages”. Law, therefore, mandated created artificial weaknesses. Public authorities such as courts, customs, police and constitutional protection have relatively free, indeed almost uncontrolled, access to private data. And private companies get to help in the fight against crime.

Knowing all this, it seems less paranoid to encrypt your personal data so that your business is shielded from government agency monitoring. As mentioned earlier, websites gather profile information, and cell-phone transmissions enable location tracing. Since you can’t control the data stored by a telecommunications provider, the least you can do is to protect your own data, when you transmit it. This “problem” is well-known to governments who seek to control telecommunication services, and in some states, laws have already been passed that either completely prohibit or restrict encryption.

In the 1990s, the FBI already started the fight to prohibit encryption techniques which did not ensure easy access for law enforcement to crack encrypted messages. Washington‘s Electronic Privacy Information Center (EPIC) and other rights organizations urged the National Institute of Standards and Technology to ensure the evolution of “secure and resilient encryption standards, free from back doors or other known vulnerabilities.” Their fear was that the National Security Agency (NSA) would lean on standard-setters to allow monitoring of private communication. EPIC previously advised NIST not to support for the random number generator algorithm that the NSA had compromised. EPIC also made recommendations that NIST ensure public awareness of the NSA‘s extensive interference in the Cybersecurity Framework. EPIC President Marc Rotenberg raised the alarm, testifying before Congress back in 1989 – that the NSA would influence NIST encryption standards. EPIC’s 1999 report found that countries with strong domestic controls on the use of cryptography are mostly countries with little respect for human rights. These included China, Vietnam and Russia. It reported a trend towards relaxing restraint on encryption. By 1997, France had abandoned the Escrow system, while other countries rejected it outright. Internationally, the UN Special Rapporteur on Freedom of Expression supported strong encryption and anonymity tools. Its finding was that encryption and anonymity are essential to enable rights of expression and opinion. EPIC has lobbied the UN to support these aims, since, as they say, „In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.” EPIC previously urged the UN to support secure, anonymous communications, stating, “In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.”

Further down the line, government is still at it. In 2014, Director Comey of the FBI was still arguing for ‚broken encryption‘ to enable monitoring of private citizens by law enforcement departments. Efforts have been made to restrict use of the Clipper Chip to only one state-approved encryption system. EPIC argues for strong encryption measures, and petitioned then President Obama to resist encryption-weakening proposals. EPIC’s stance was championed by Apple’s Tim Cook, who pointed out that if hackers know of a way in to a system, they won’t rest until they discover it. And they normally have more time than security employees.

Some EU law resembles that of the US. In France, once again cryptographic systems are subject to authorization. In Russia, a similar decree prohibits all cryptosystems not licensed by the government, and permits are issued only by FAPSI (successor to the KGB).

Mostly, these prohibitions contradict the demands of a modern economy which requires a cryptographic system secure enough to be trustworthy for confidential data such as bank connections. The record shows that hackers regularly crack or undermine government security standards. It is obvious, therefore, that if government authorities want to keep a Back Door, sooner or later, the Back Door Men will find it.

We are vulnerable – in more ways than ever before. We should – we must – encrypt our data.