CIOReview
CIOREVIEW >> Identity Governance and Administration >>

Can Encryption Ever Be Too Good? The Fight Over Ultra-Secure Messaging

David Popkin, Associate at Davis Polk & Wardwell, LLP and Avi Gesser, Partner (Cyber Security & White Collar)
David Popkin, Associate at Davis Polk & Wardwell, LLP and Avi Gesser, Partner (Cyber Security & White Collar)

David Popkin, Associate at Davis Polk & Wardwell, LLP and Avi Gesser, Partner (Cyber Security & White Collar)

In light of recent high-profile cyber breaches, and a resulting public push for data privacy, organizations are coming under increasing pressure to protect the personal information of their employees and customers, as well as their sensitive business information, from unauthorized access. One method of achieving better institutional cybersecurity is through encryption, the process of encoding a message in such a way that only authorized parties can read it. End-to-end encryption provides protection for data in transit and permits only the two parties involved in the communication the ability to decrypt and read messages, thereby locking out all third parties, including the provider of the communications service itself. Some recent cybersecurity regulations recognize the security benefits of data encryption, such as the New York Department of Financial Services’ Cyber Rules, which explicitly require that sensitive data be encrypted both in transit and at rest.

But, while certain government officials and agencies are requiring encryption as part of their requirements for better cybersecurity, some law enforcement officials are complaining about too much security. Because communications providers offering encrypted messaging are unable to decipher and hand over their customers’ messages, law enforcement officials are concerned that messaging apps, like Signal, will provide users with opportunities to hide their communications about a variety of illegal activity without fear that the police or the FBI will be able to intercept such communications on password-protected mobile phones, even after obtaining a valid search warrant.

Last month, senior ministers from the “Five Eyes” international intelligence alliance, which includes Australia, Canada, New Zealand, the United Kingdom and the United States, announced their shared position that implementation of end-to-end encryption by tech companies would hamper law enforcement efforts to investigate and prosecute serious crimes. On July 23, U.S. Attorney General William Barr called upon tech companies to build encryption-bypassing mechanisms into consumer products to enable law enforcement to access encrypted devices. Last November, officials from the United Kingdom’s Government Communications Headquarters outlined a proposal to bypass encryption and silently add law enforcement participants into group chats or calls without notifying participants.

Rather than seeking to curtail or undermine the advancement of new technologies that effectively protect personal information, perhaps we should accept that privacy solutions come with tradeoffs 

In his July speech, Barr acknowledged that there are residual vulnerability risks that result from inserting backdoors into security systems. A system that has a backdoor to enable law enforcement to gain access will be more likely to be breached by hackers who can somehow obtain access to the system through that very same backdoor. While Barr recognized the increased vulnerability, he contended that these risks are outweighed by the need for law enforcement to access data to respond to criminal activity, noting that potential vulnerabilities in messaging apps that contain consumer data are not the same as vulnerabilities for the communication systems of large business enterprises or critical government systems.

One can certainly understand the scenarios where law enforcement would have a legitimate interest in accessing encrypted messages. For example, if they uncover a terror plot that is about to be deployed, there is a clear public safety imperative to be able to break into the messages of the known perpetrators to determine who else may be involved and to stop other aspects of the operation. These kinds of ticking bomb scenarios give law enforcement a justifiable argument for bypassing consumer data protections in order to prevent a more immediate harm.

The question, however, is the likelihood and frequency of such scenarios arising, compared with the risk that governments will use their backdoor access for improper purposes. While some may view that concern as unreasonable as it applies to U.S. law enforcement, it is unlikely that backdoor access will be limited only to more “trustworthy” governments. Countries like China and Russia will almost certainly demand the same backdoor pass that is given to the FBI as a condition for an app being made available in their country, and it will be very tough for tech companies to refuse. Once one government is permitted to access data through the backdoor, companies will no longer be able to rely on arguments about the supremacy of customer privacy, or fear of government overreach, to defend their position on encryption with other countries. Instead, they would be forced to try and articulate why one government should be trusted with access while another should not – a position they do not want to be in.

In the end, people seeking to hide their activity will always find methods of communication that bypass the latest advances in interception or surveillance. For example, criminals in the 1960s conducted their business in saunas, where secret recording devices were not effective. It is unrealistic to think that giving law enforcement special access to encrypted messages will seriously impede criminals from communicating about crimes, especially once they know that a backdoor to their communications exists.

Rather than seeking to curtail or undermine the advancement of new technologies that effectively protect personal information, perhaps we should accept that privacy solutions come with tradeoffs. When color photocopying made it easier to counterfeit currency, the solution was not to ban the technology, but instead to make the currency itself more difficult to copy. So, it just may be that that the price that we pay for being able to effectively protect communications from unauthorized access, is that such protections really work, even if the people without authorized access the police.

See Also:

Top Identity Governance and Administration Solution Companies

Top Identity Governance and Administration Consulting/Service Companies

Read Also

The Under- And Overestimation Of Data.

The Under- And Overestimation Of Data.

Dennis Wan Bregt, Director of Data and Content Management, Kramp
Protecting IP Amidst The Pandemic

Protecting IP Amidst The Pandemic

Kim Jessum, Chief IP Counsel U.S., Associate General Counsel & Secretary, Heraeus
AI Will Improve Talent Management Practice But Change Management Is Critical

AI Will Improve Talent Management Practice But Change Management Is...

Manish Verma, Global Head of Talent, Cargill
Keys To Reaching The Peak Of A Cyber Security Program Journey

Keys To Reaching The Peak Of A Cyber Security Program Journey

Christine Vanderpool, VP IT Security & CISO, Florida Crystals
Sailing through Uncertain COVID times

Sailing through Uncertain COVID times

Jarrod Sanfilippo, Group Managing Director, Burbank
Paving the Way for Incentivized, Ethical Waste Collection

Paving the Way for Incentivized, Ethical Waste Collection

Jenelle Shapiro, Sustainability Director, Webcor