3 encryption myths, debunked

Businesses are getting better at protecting your privacy, but not everyone is happy about it.

The November 13 terrorist attacks in Paris, which killed more than 125 people, reignited a decades-long debate over data encryption. Although evidence suggests that those responsible may not have been using encrypted communications, law enforcement and government officials argue that tech companies need to create ways for them to unscramble encrypted information.

“The inability of law enforcement to overcome these barriers has already led to numerous instances where investigators were unable to access information that could have allowed them to successfully investigate and apprehend criminals or prevent terrorists from striking,” the International Association of Chiefs of Police and the National District Attorneys Association wrote in a joint statement last month.

But tech leaders, security experts, and privacy advocates said the proposed backdoors and forced decryption would be ineffective and dangerous.

“Weakening encryption, or creating backdoors to encrypted devices and data, for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy,” the Information Technology Council, whose members include Apple, Google, and Microsoft, said in a statement. “Weakening security with the aim of advancing security simply does not make sense.”

The divide between Silicon Valley and the government is a testament to misconceptions surrounding encryption—from how it’s used to the validity of backdoors and alternative solutions, experts say.

“The truth is that [opponents] are looking at encryption from the wrong end of the telescope,” said Graham Cluley, cybercrime researcher and computer security analyst. Here’s what experts say the opposition gets wrong.

1) ENCRYPTION ENABLES CRIME

Encryption and nefarious activity are not mutually exclusive—and the misconception that encryption benefits only criminals is dangerous, said Eva Galperin, global policy analyst for the technology rights group Electronic Frontier Foundation.

In November, Dianne Feinstein, a California Democrat on the Senate intelligence committee, criticized terrorists’ use of encryption and Silicon Valley’s inaction to protect against it. “If you create a product that allows evil monsters to communicate this way—to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner—that’s a big problem,” she said.

Not in question is the encryption of things such as emails or Web searches, which are scrambled on your device and stored on a server. What raises concerns instead is end-to-end encryption, used in tools such as iMessage and WhatsApp, in which data is encrypted on one device and decrypted once it reaches the recipient, Galperin said.

“It’s not fair to say that encryption is only used by bad people who have something to hide—that’s simply not true,” she said. “Encryption is a basic human right. We have the right to privacy and to protect our communications.”

Encryption, added Tyler Shields, principal analyst at Forrester Research until December 2015, is a fundamental part of everything online. “It’s the underpinning of security on the Internet. Any company that’s worth its salt from a security perspective is encrypting. There’s so much crypto behind the scenes that without it, the Internet would break down.”

That’s a reality highlighted by recent high-profile data breaches, at Sony and the IRS, for example, Cluley said.

“We hear enough already every day about individuals and big companies being hacked, the rise of identity theft, and the underground trade in credit cards and personal data,” he said. “Imagine how much worse things would be if there was no end-to-end encryption, and if no businesses could be certain that their communications couldn’t be spied upon or tampered with.”

2) ENCRYPTION BACKDOORS PROTECT US

Some government officials, including CIA director John Brennan, believe that creating backdoors in end-to-end encryption, and handing over encryption keys to law enforcement, will help them monitor communication systems for potential threats to national security and investigate crimes.

Security experts say they have it all wrong: Creating backdoors and encryption keys would inevitably do more harm than good.

“Backdoors are begging for snooping and spying and the compromising of those keys,” Forrester’s Shields said. “Imagine a repository somewhere with encryption keys for every company—then it’s hacked by a foreign nation. It’s too juicy a target. It’s like giving out your password.”

Not only is that a potentially devastating security risk, the EFF’s Galperin said, but backdoors that only law enforcement officials can access simply aren’t plausible.

“When the government says they want the geeks of Silicon Valley to come up with something that works this way, it’s a fundamental misunderstanding of math. It’s like asking them to get four-plus-four to equal nine,” she said. “You just can’t do that. Backdoors create the risk that someone else can get this information, and the notion that it’s only for the government to access is crazy.”

3) GOVERNMENTS ARE STYMIED WITHOUT ENCRYPTION BACKDOORS

There’s no denying that encryption makes criminal investigations more difficult for law enforcement, Shields said. FBI director James Comey echoed this sentiment during a speech in October 2014, saying encryption is “the equivalent of a closet that can’t be opened. A safe that can’t be cracked.”

But the government and law enforcement are not defenseless without backdoors, Galperin countered.

“Governments and law enforcement have many ways of compromising computers and cell phones. There is an entire industry devoted to selling ‘lawful interception’ technology to them,” she said. “The NSA has an entire division of tailored access operations that does nothing but compromise endpoints.”

According to the U.S. Courts’ 2014 Wiretap Report, law enforcement encountered encryption in just 25 of the 3,554 wiretaps it reported. Of those 25 instances, investigators successfully bypassed encryption to access communications 21 times.

“Governments and law enforcement are not completely helpless without backdoors,” Galperin said. “Pretending that they are is disingenuous.”