There’s the war on terrorism, and then there’s the war on how to fight the war on terrorism.
With recent attacks in Paris, Beirut and Mali, some in governments and law-enforcement agencies are renewing their calls to expand electronic surveillance to thwart potential attacks. Communications that cant be tapped or unscrambled pose aseriousnational-security risk, authorities argue, because they can be used by terrorists tohidetheir activitiesand planning. Technology companies and cybersecurity experts generally takeadifferent view: If encrypted communications can be accessed by the government or a company — or anyone other than the sender and intended recipient — they inherently are vulnerable to bad actors and prying eyes.
Why is this such a complex and often heated debatewith noapparentresolution in sight? For starters, encryption is really complicated. Here’s what you need to know to understand the issues:
Encryption, sometimes called crypto by techies, is a fancy word for a type of code. Encryption schemes transform words into seeming gibberish. Heresa mereportionofencrypted textthat,if printed in full,would translate to”happyholidays:”
hQIMA2dX93ZaYL95AQ//ZSZ/n0VSK7ZZ9kkRk3X8nn+m2YLzHj5L4zrsrCesPOKw ZQG5FXuHz9/02Be3tyXelAiFpGdCh+Tdnx0r1wLOChitSPaydW0hcReG6cp9Nplk QZL5sYRr0NYWjx2EkwFO0j6lNcGMNo3qAoxMNe3rfENPjxpv1UCRl6nHfEmSk1BO swjBOUXrsWxbbphdJqSZtdWoPLlOnFftRjgqLe9hC9rmWF/Q7/RIkZ5TEYmSfJkI aGB3Vrf/XEwXOHuss+HgE9z/XalJtaNLCZeCgNgO/Lk26nVyS0R5XfNz9VtFszhT pjk2rpxMecOlCs4a62oSYykI63E04G0OZkZaPrUlir4GoSV4OVivFgbFDNtIq5Lk hX1TF3y/PsuVb8bF7XhvqCt/q9HF0n0LY9v+tJfMOT885c6uNX9Rm6ZUUFR++jgv X4EfNYSmX6HjmYTflqQyivWeTpGl13tQP7b+UppJr0v9vH7Wd0PmRdvLDhKHqCiq
Only a user or machine with the so-called encryption key can unscramblethe message to get its meaning. So the same phrase — “Happy Holidays” — would be encrypted differentlydepending on the software used and the people involved.
Once the province of spies, encryption is widely used on the Internet. The little padlock next to a Web address indicates the connection is encrypted. Wi-Fi routers, Gmail, Yahoo mail, Snapchats, tweets and 4G cellular phones all use some form of encryption,to protect personal information, such as passwords, location coordinates, bank-account and credit-card numbers and sometimes — depending on the type of encryption used — the text of messages and other content.
In addition to those receiving the data who need to decipher it, the companies that employ this technology typically hold keys, sothey canget to the information if they need to. Among other things, this letscustomers reset passwords, etc.It also allows companies to decrypt messages for the authorities when faced with lawful requests for customer records or the contents of communications.
In the past few years, several tech companies have adopted encryption schemes for which they say they dont hold the keys. Most notably, Apple Inc. and Alphabet Inc.s Google in 2014 released smartphone operating systems that, by default, they said precluded them from unlocking phones for law enforcement, even with a warrant.That’s because the companies said they would no longer maintain a key to unlock their devices’ encryption. Those keys would only be on the devices themselves and could only be unlockedwith users’ passwords.Before the switch, companies could comply with court orders to unlock phones, and usually did.
Here is FBI Director James Comey — who has called these actions an assault on law enforcement –testifying before Congress on the issue:
But tech and telecommunications companieswerecriticized after documents leaked byEdwardSnowden showedsomefirms cooperating with governmentsto allow access to some of their users’ communications. Companies also said the government was overstepping its monitoring activities without their knowledge, compromising user confidence in the privacy of their information. A lot of trust between the two sides was broken. Companies say that thenew encryption protocolswill make their products safer, because thieves and spies would have a harder time seeingand stealingtheir contents or communications.
Here’s Apple CEO Tim Cook, making this point at the Wall Street Journal’s WSJDLive tech conference in October:
The debate has widened as U.S. and European officialsalsostarted criticizing makers of apps designed to encrypt messages, such as Wickr, Signal and Telegram.Makers of theseapps have not changedtheir systemssince the Paris attacks.ButTelegram, which features both private chat and a Twitter-like public bulletin feature, saidrecently thatit had deactivated some public channels linked to the Islamic State. The shift, if small, was notable given Telegram founder Pavel Durov’s previous statements that his company “shouldn’t feel guilty” for reports that the app has been used by terrorists.
There is no evidence it played a role in the shootings and bombings in Paris. To the contrary, French media have reported some of the attackers coordinated using ordinary SMS text messages, which usually are easy for law enforcement to tap. However, Islamic State members have documented that they use some messaging apps that rely on strong encryption. Some U.S. officials have said this is a problem if the goal is to prevent another Islamic State attack. Here’s a tutorial used by the Islamic State to rate the relative strength of various communication apps:
Several reasons. One, technology companies in general chafe at the idea of the government telling them how to make products. When the Clinton administration in the 1990s proposed a system where the government would maintain the ability to decipher commercial communications through a so-called “Clipper chip,” the proposal was beat back due to civil liberties concerns. One alternative would have technology companies maintain all or part of the so-called master key, which they would only use if faced with a court order. Technology companies don’t like this solution because they fear it makes the key a target for hackers. In short, if someone steals the digital key,everything is potentially lost.It’s also unclear how such a system would work in practice.
Privately,some government officials say technology companies are overstating the risks of creating such a system. But technology companies counter the risks are real. The catch is that a lot of the risks are assumed and hypothetical. Building extra keys and loopholes into secure systems could, for example, introduce weaknesses from bugs, but it’s hard to know what those bugs are ahead of time. “The complexity of todays Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” wrote 15 cryptographers in a paper published by the Massachusetts Institute of Technology this summer. There is some precedent though for this concern. Washington once required American firms sell foreign customers only weaker, more easily cracked encryption to help U.S. spies keep tabs on overseas targets. Even though that requirement was dropped in the 1990s, the weakened encryption can still be found on computers and can now be exploited by other hackers. Lobbyists for tech firms such as Apple argue these problems would only be worse now. Because companies do more business overseas, they would likely have to replicate any deal they make with the United States. For instance, Apple sells a lot of iPhones in China. What if overseas governments demand the same types of keys?
In that case, all bets could be off. For instance, if an iPhone user uses iCloud backups for the content on their phone, Apple is able to hand over the latest backup if faced with a court order, the company says.Some cloud providers automatically erase such data after a period of time, but policies and procedures vary.
In January, Mr. Obama said, If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we cant penetrate that, thats a problem. The president and Mr. Comey have said they believe Silicon Valley should be able to come up with a solution. Congress also is examining the issue. On the other hand, former NSA Director Mike McConnell and other retired national security officials have publicly said that finding a way to maintain access to encrypted communications could be bad for security. The Obama administration has indicated that, for now, it doesnt want to issue orders to tech firms or push Congress for new laws.
Here’s Adm. Michael Rogers, head of the National Security Agency, at the WSJDLive conference urging government and the tech industry to bridge the gaps:
In 1999, a federal appeals court more or less ended the first “Crypto wars” when it ruled computer code, including encryption schemes, is protected speech under the First Amendment. Apple is fighting the Justice Department in a New York federal court over whether it should be forced to figure out a way to unlock an encrypted iPhone.
White House and congressional staffers have reached out to some Silicon Valley executives, asking them to come to Washington, D.C., for another round of encryption talks. Some lawmakers are seeking a so-called “Blue Ribbon” committee that would include experts from both sides of the debate. Sen. John McCain (R., Ariz.) has pledged to conduct hearings on the matter and pursue legislation. The British parliament meantime is exploring a new spy powers measure that could give authorities more power to force companies to be able to unscramble customer data.
- Encryption - Wikipedia - May 21st, 2019
- The World's Email Encryption Software Relies on One Guy, Who ... - May 5th, 2019
- Encryption breakthrough could keep prying eyes away from your ... - May 5th, 2019
- What Is Data Encryption? Definition, Best Practices & More ... - May 1st, 2019
- IronClad Encryption Partners with Data443 Risk Mitigation ... - April 30th, 2019
- What Is Encryption? An Overview of Modern Encryption ... - April 30th, 2019
- Symmetric vs. Asymmetric Encryption What are differences? - April 29th, 2019
- Difference Between Hashing and Encryption - ssl2buy.com - April 29th, 2019
- What is Advanced Encryption Standard (AES)? - Definition ... - April 29th, 2019
- How to Encrypt Your Wireless Network - Lifewire - April 29th, 2019
- After Paris, Encryption Will Be a Key Issue in the 2016 ... - April 22nd, 2019
- Email encryption - Wikipedia - April 8th, 2019
- What is Encryption, and Why Are People Afraid of It? - April 8th, 2019
- Data encryption | cryptology | Britannica.com - April 8th, 2019
- How to Enable Full-Disk Encryption on Windows 10 - April 1st, 2019
- After Paris, Encryption Will Be a Key Issue in the 2016 Race - March 27th, 2019
- AES and RSA Encryption Explained - March 27th, 2019
- Encryption: What it is and why its important - Norton - March 23rd, 2019
- Email encryption in transit - Gmail Help - March 21st, 2019
- Authenticated encryption - Wikipedia - March 19th, 2019
- Email Encryption Options for MDaemon Email Server - March 14th, 2019
- How to Encrypt Files on Windows - Tutorial - Toms Guide - March 6th, 2019
- Encryption, Key Management - bank information security - March 5th, 2019
- Which Types of Encryption are Most Secure? - February 7th, 2019
- JSON Object Signing and Encryption (JOSE) - February 4th, 2019
- What Is Encryption, and How Does It Work? - January 26th, 2019
- The Pitfalls of Facebook Merging Messenger, Instagram, and ... - January 26th, 2019
- Encryption: Avoiding the Pitfalls That Can Lead to Breaches - January 14th, 2019
- Encryption | Information Technology Services - December 31st, 2018
- Encryption - Investopedia - December 16th, 2018
- How to Protect Data at Rest with Amazon EC2 Instance Store ... - December 9th, 2018
- Next Generation Encryption - blogs.cisco.com - December 4th, 2018
- 3 Different Data Encryption Methods - DataShield blog - November 22nd, 2018
- Security and encryption | Documentation | Turtl - November 18th, 2018
- Encryption | General Data Protection Regulation (GDPR) - November 16th, 2018
- Using Encryption and Authentication Correctly (for PHP ... - November 13th, 2018
- Encryption | SANS Security Awareness - November 9th, 2018
- Types of Encryption | Office of Information Technology - November 5th, 2018
- Use Your own Encryption Keys with S3s Server-Side ... - October 29th, 2018
- What is Tokenization vs Encryption - Benefits & Uses Cases ... - October 12th, 2018
- Device Encryption | it.ucsf.edu - October 12th, 2018
- 5 Common Encryption Algorithms and the Unbreakables of the Future - September 15th, 2018
- Top 5 best encryption software tools of 2018 | TechRadar - August 26th, 2018
- New EBS Encryption for Additional Data Protection | AWS ... - August 22nd, 2018
- Best Encryption Software 2018 - Encrypt Files on Windows PCs - August 20th, 2018
- Download BestCrypt Volume Encryption 3.78.05 / 4.01.09 Beta - July 26th, 2018
- End-to-end encryption - Wikipedia - July 24th, 2018
- Download Symantec Encryption Desktop 10.4.0 Build 1100 - July 15th, 2018
- HTTPS - Wikipedia - July 10th, 2018
- AES encryption - June 20th, 2018
- Encrypt email messages - Outlook - June 20th, 2018
- Download Sophos Free Encryption 220.127.116.11 - softpedia.com - June 19th, 2018
- Does Skype use encryption? | Skype Support - June 16th, 2018
- Encryption- Computer & Information Security - Information ... - May 25th, 2018
- Enable BitLocker on USB Flash Drives to Protect Data - May 25th, 2018
- Transparent Data Encryption (TDE) - msdn.microsoft.com - April 12th, 2018
- Encryption Software Market - Global Forecast to 2022 - March 24th, 2018
- What AES Encryption Is And How It's Used To Secure File Transfers - March 24th, 2018
- Encryption vs. Cryptography - What is the Difference? - March 24th, 2018
- Energy-efficient encryption for the internet of things | MIT News - February 16th, 2018
- The Best Encryption Software - TopTenReviews - February 16th, 2018
- File-Based Encryption | Android Open Source Project - February 7th, 2018
- Beyond Encryption | Secure Enterprise email using existing ... - February 1st, 2018
- Azure Search enterprise security: Data encryption and user ... - January 26th, 2018
- Skype finally getting end-to-end encryption | Ars Technica - January 13th, 2018
- FBI chief says phone encryption is a 'major public safety issue' - January 13th, 2018
- Encryption and Export Administration Regulations (EAR) - December 27th, 2017
- Key (cryptography) - Wikipedia - December 21st, 2017
- security - Fundamental difference between Hashing and ... - December 15th, 2017
- What Is Encryption? | Surveillance Self-Defense - December 4th, 2017
- Comodo Disk Encryption Download - softpedia.com - December 1st, 2017
- Encryption - Simple English Wikipedia, the free encyclopedia - November 24th, 2017
- BitLocker Drive Encryption Overview - technet.microsoft.com - November 23rd, 2017
- The Encrypting File System - technet.microsoft.com - November 18th, 2017
- FBI cant break the encryption on Texas shooters smartphone - November 13th, 2017
- DOJ: Strong encryption that we dont have access to is ... - November 13th, 2017
- DOJ Fires Up New War With Apple Over Encryption - November 12th, 2017
- Security Awareness - Encryption | Office of Information ... - October 15th, 2017
- Data Encryption and Decryption (Windows) - October 14th, 2017
- Trumps DOJ tries to rebrand weakened encryption as responsible ... - October 11th, 2017