enterprisesecuritymag

Can Encryption Ever Be Too Good? The Fight over Ultra-Secure Messaging

By David Popkin, Associate at Davis Polk & Wardwell, LLP And Avi Gesser, Partner, (Cyber Security & White Collar), Davis Polk & Wardwell, LLP

David Popkin, Associate at Davis Polk & Wardwell, LLP

In light of recent high-profile cyber breaches, and a resulting public push for data privacy, organizations are coming under increasing pressure to protect the personal information of their employees and customers, as well as their sensitive business information, from unauthorized access. One method of achieving better institutional cyber security is through encryption, the process of encoding a message in such a way that only authorized parties can read it. End-to-end encryption provides protection for data in transit and permits only the two parties involved in the communication the ability to decrypt and read messages, thereby locking out all third parties, including the provider of the communications service itself. Some recent cyber security regulations recognize the security benefits of data encryption, such as the New York Department of Financial Services’ Cyber Rules, which explicitly require that sensitive data be encrypted both in transit and at rest.

But, while certain government officials and agencies are requiring encryption as part of their requirements for better cyber security, some law enforcement officials are complaining about too much security. Because communications providers offering encrypted messaging are unable to decipher and hand over their customers’ messages, law enforcement officials are concerned that messaging apps, like Signal, will provide users with opportunities to hide their communications about a variety of illegal activity without fear that the police or the FBI will be able to intercept such communications on password protected mobile phones, even after obtaining a valid search warrant.

Avi Gesser, Partner, (Cyber Security & White Collar), Davis Polk & Wardwell, LLP

Last month, senior ministers from the “Five Eyes” international intelligence alliance, which includes Australia, Canada, New Zealand, the United Kingdom and the United States, announced their shared position that implementation of end-to-end encryption by tech companies would hamper law enforcement efforts to investigate and prosecute serious crimes. On July 23, U.S. Attorney General William Barr called upon tech companies to build encryption-bypassing mechanisms into consumer products to enable law enforcement to access encrypted devices. Last November, officials from the United Kingdom’s Government Communications Headquarters outlined a proposal to bypass encryption and silently add law enforcement participants into group chats or calls without notifying participants.

In his July speech, Barr acknowledged that there are residual vulnerability risks that result from inserting backdoors into security systems. A system that has a backdoor to enable law enforcement to gain access will be more likely to be breached by hackers who can somehow obtain access to the system through that very same backdoor. While Barr recognized the increased vulnerability, he contended that these risks are outweighed by the need for law enforcement to access data to respond to criminal activity, noting that potential vulnerabilities in messaging apps that contain consumer data are not the same as vulnerabilities for the communication systems of large business enterprises or critical government systems.

"Rather than seeking to curtail or undermine the advancement of new technologies that effectively protect personal information, perhaps we should accept that privacy solutions come with tradeoffs"

One can certainly understand the scenarios where law enforcement would have a legitimate interest in accessing encrypted messages. For example, if they uncover a terror plot that is about to be deployed, there is a clear public safety imperative to be able to break into the messages of the known perpetrators to determine who else may be involved and to stop other aspects of the operation. These kinds of ticking bomb scenarios give law enforcement a justifiable argument for bypassing consumer data protections in order to prevent a more immediate harm.

The question, however, is the likelihood and frequency of such scenarios arising, compared with the risk that governments will use their backdoor access for improper purposes. While some may view that concern as unreasonable as it applies to U.S. law enforcement, it is unlikely that backdoor access will be limited only to more “trustworthy” governments. Countries like China and Russia will almost certainly demand the same backdoor pass that is given to the FBI as a condition for an app being made available in their country, and it will be very tough for tech companies to refuse. Once one government is permitted to access data through the backdoor, companies will no longer be able to rely on arguments about the supremacy of customer privacy, or fear of government overreach, to defend their position on encryption with other countries. Instead, they would be forced to try and articulate why one government should be trusted with access while another should not – a position they do not want to be in.

In the end, people seeking to hide their activity will always find methods of communications that bypass the latest advances in interception or surveillance. For example, criminals in the 1960s conducted their business in saunas, where secret recording devices were not effective. It is unrealistic to think that giving law enforcement special access to encrypted messages will seriously impede criminals from communicating about crimes, especially once they know that a backdoor to their communications exists.

Rather than seeking to curtail or undermine the advancement of new technologies that effectively protect personal information, perhaps we should accept that privacy solutions come with tradeoffs. When color photocopying made it easier to counterfeit currency, the solution was not to ban the technology, but instead to make the currency itself more difficult to copy. So, it just may be that that the price that we pay for being able to effectively protect communications from unauthorized access, is that such protections really work, even if the people without authorized access are the police.

Read Also

Augmenting Cybersecurity in Healthcare Industry

Augmenting Cybersecurity in Healthcare Industry

Robert Napoli, CIO, Planned Parenthood of the Great Northwest and the Hawaiian Islands
Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Gregory Crabb, CISO, VP, United States Postal Service
Information Security: Your People, Your First Line of Defense

Information Security: Your People, Your First Line of Defense

Eddie Borrero, CISO, Robert Half [NYSE:RHI]

Weekly Brief