Why Collaboration Across Industries is Key to Better Security
Answer: It’s totally irresponsible.
The spirit of the U.S. Deputy Attorney General’s call for “responsible encryption” is noble; the practice, however, flies right in the face of our most basic rights to privacy and security.
The (flawed) idea is that building backdoors into iPhones and other secure messaging services will make it easier for law enforcement to collect evidence and investigate crimes. AG Rod Rosenstein suggested, “Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.”
But, as I shared in a recent interview with Christopher Burgess at Security Boulevard, it’s simply not that simple. Here just a few reasons “responsible encryption” is actually totally irresponsible:
You cannot achieve privacy without strong information security. Contrary to Rosenstein’s claim, individuals in the U.S. do have the right to privacy in the Fourth Amendment. This has been supported multiple times throughout U.S. history. Intentionally weakening encryption to give the government access to an individual’s personal information directly opposes that right.
Backdoors created to fight crime will be used to commit crime. The very criminals “responsible encryption” is designed to thwart will discover the technology’s weaknesses. And it’s not only the traditional bad guys we need to be concerned about. Backdoors open for malicious insiders and even the authorized unaware (good guys who make mistakes on the job).
There are other ways to obtain evidence. Instead of promoting flawed reasoning, law enforcement should consider all the other (better!) ways to obtain data, such as analyzing metadata. Some of these methods, such as embedding agents inside criminal groups, have been successful for centuries.
Domestic rules have global implications. Changing laws governing encryption in any one country often has impact beyond its borders. Look at the EU General Data Protection Regulation (GDPR), for example. Although established in the EU, the regulation applies to all companies processing and holding the personal data of subjects residing in the EU (not only customers, clients and patients, but also employees, contract workers, generally anyone whose personal data you possess regardless of the reason), regardless of the company’s location.
Weakened encryption harms the economy. As a result of countless security breaches, consumers understandably want secure products and services from companies they trust. Implementing policies that force these companies to weaken their security could have a significant negative impact on the information technology sector.
Strong encryption can be obtained in many other countries. Criminals won’t care if the U.S. government compels weak encryption to be used in U.S. based businesses; they will just get strong encryption elsewhere. So crooks will continued to use strong encryption while everyone else’s privacy will have been degraded because their data is no longer secured with strong encryption…millions of people can now go through the back door to get to it.
Encryption is not designed to inhibit investigators from collecting evidence. In fact, it’s quite the opposite. By preventing access to data and protecting privacy and confidentiality, strong encryption is intended to work with law enforcement, not against it.
“Responsible encryption” will lead to compromised information security. And when information security protections are weakened, privacy protections are, too. There are ways for law enforcement to investigate crimes and gather evidence without making security tools, such as encryption, weak and vulnerable to exploitation.
To learn more, check out Christopher Burgess’ “DOJ, AG Tout ‘Responsible Encryption’ to Bolster Prosecutions” on Security Boulevard.
#Encryption #DataSecurity #RiskManagement #ResponsibleEncryption #Privacy #CyberCrime
Related posts
