Saturday, 4 June 2016

The silent web: Is encryption here to stay?

Introduction and government response

What's your secret? Encrypted instant messaging is the latest trend, from apps like BlackBerry Messenger (BBM), Telegram and Signal to Wire, Wickr and Surespot. Not forgetting Apple's iMessage and FaceTime. Before we know it, everything will be encrypted. It mostly already is.

Encryption often crops up when talking about criminals, usually painted as a tool for terrorism, but that's just spin from power-grabbing politicians – we already live in an encrypted world. ATMs, phone calls, bank transfers, even the files we sync with Dropbox – it's all encrypted. It's got to be. The trend towards encrypted messaging apps is just the latest part of the jigsaw.

"Previously accessible only to those in the upper realms of technology and security, encryption has gone mainstream," says Jacob Ginsberg, Senior Director at email encryption company Echoworx. "We're seeing everything from apps and platforms being purpose-built specifically for encryption, to mainstream sites and messaging platforms choosing to now embrace it."

There's nothing weird about encryption. "It's about offering the same levels of privacy you get from closing a door or lowering your voice, which aren't seen as secretive actions," says Alan Duric, Co-Founder and CTO at secure messaging app Wire, who thinks that privacy should be a part of everyone's personal digital life.

Jacob Ginsberg, Senior Director at Echoworx

Who needs encrypted IM?

We all now know we're being watched, tracked, our preferences logged, and content targeted at us. Now we can stop it.

"There is a growing awareness of the importance of online privacy, whether it's defending against companies who mine their users' data and sell it on to third-parties, or thwarting malicious hackers who target end users and/or companies' servers," says Duric. "Now that people understand how much of their communications can be scanned or intercepted, they're choosing forms of communication that prevent this and as a result, encrypted services are on the rise."

How are governments responding to encrypted apps?

Not well. Not well at all. "Governments are fighting hard to be able to continue to access the data of anyone whenever they want," says Ginsberg, citing the Snooper's Charter in the UK and the FBI in the US suing Apple for access to encrypted information on an iPhone. In fact, grown-up discussions about the value of encryption and privacy seem to be banned in the media, despite the fact that government departments are constantly making accidental data leaks.

"Governments globally are constantly pushing ridiculous knee-jerk, slippery slope arguments about how every new piece of legislation that further erodes our privacy is 'essential' to keep us safe from terrorism, but without any proof or real consultation," says Fred Ghahramani, Co-Founder and CEO of Just10, who thinks that many governments exploit tragedies to push their own underlying agenda of eroding individual privacy and security.

Wire is one of many secure messaging apps

Let's ban text messages!

For example, after the Bataclan Paris attacks in November 2015, legislators in France tried to ban encryption, suggesting it was hampering efforts to catch the terrorists… which were later found to have used SMS to communicate. The Charlie Hebdo attacks in January 2015 had already heralded the French 'Big Brother Surveillance Law', a bulk data collection system like the NSA's Prism.

"Not only was encryption unfairly demonised, but the bulk data collection and mass surveillance program – that promised to keep everyone safe – didn't work," says Ghahramani. "Most of the time it's because legislators don't fully understand the full benefits of encryption, and how many parts of their lives are affected by it."

Dangers of backdoors

The dangers of inserting backdoors

As shown by Apple's resistance to the use of the All Writs Act to demand that the company unlock the iPhone of one of the terrorists involved in the San Bernardino shooting, security services are increasingly demanding unfettered access to encrypted private messages and devices.

But when governments wave the 'national security' flag, it doesn't convince anyone in the communications business. "Shutting down free, encrypted messaging platforms only harms consumers, not the perpetrators," says Darran Rolls, CTO at independent identity and access management provider SailPoint. "Offenders will just move to other forms of communication – mediums built with bomb-proof crypto that embeds messages in the low bits of images published on the likes of Instagram." Rolls thinks that rather than open up a revolving backdoor, consumers should have more encryption, not less.

Backdoors equal corporate insecurity

There's also the small matter of corporate security, with the Stuxnet malware debacle firmly in mind. "We saw the US government creating a vulnerability that leveraged misused keys and certificates for its own means, which was soon hijacked and put to use in the worst possible way – an attempt to tamper with critical infrastructure," says Kevin Bocek, Chief Security Strategist at trust protection platform Venafi. Inserting a government 'backdoor' effectively created a blueprint for terrorists.

"Today's backdoors are tomorrow's vulnerability," says Ginsberg. "The average person today has access to technology that only governments could have got hold of not so long ago … there is almost a guarantee that any backdoors put in today will be accessible to terrorists or hackers a few years from now."

What company wants governments – which have a very poor track record on privacy and security – in charge of corporate security? "The gates to backdoors rust quickly with time," adds Ginsberg.

Fred Ghahramani, Co-Founder and CEO, Just10

Will handsets soon offer built-in encryption for calls and messages?

The iPhone is already encrypted, and there are myriad companies and products – including Chinese firm Vargo's Zhuoyue – that are offering 'secure smartphones'. Anyone can download one of dozens of third-party VPN apps for their phones, or the ObscuraCam private photos app; it's clear that privacy has become more than just a hot topic.

"It can offer companies a competitive advantage, so handsets offering built-in encryption seem a likely development," says Duric. However, the OS does make a difference. Apple has publicly stated its dedication to user privacy, though Android is a little different. "The more open nature of Android means that any carrier or manufacturer could use it as a base to build a more secure operating system, if they have the expertise and want to invest the development time," says Duric, who naturally thinks that, for now, it's apps like Wire that are leading the trend.

Chinese company Vargo's Zhuoyue has an 'anti-eavesdropping system'

What would the world look like without encryption?

No encryption equals civilisation over. Encryption is everywhere, and without it, modern life would be impossible. "Consider being unable to use your credit card, withdraw funds from an ATM, or make a mobile phone call," says Ghahramani. "Any legislation that weakens or bans encryption would have far-reaching social, political, and economic consequences – no different to banning air travel or public transport."

The internet and the wider IP-based world only operates thanks to a system of cryptographic keys and digital certificates that must remain secure. "The message from government is clear – they want the master 'God Key' to unlock all data, and are so desperate to get it that they no longer care about the dangers that will create," says Bocek, who fears that government access would mean encryption effectively disappearing. Any semi-competent hacker could then walk into a high street bank and empty bank accounts.

"Our whole world, our critical infrastructure, online commerce, hospitals, everything is connected by machines now," says Bocek. "If someone gains the power to take those machines over we face a 'Year Zero' scenario that could rocket us back over 100 years. Society could collapse."

If spies can access iPhones, terrorists will swap to something else

Is there a relationship between encryption and terrorism?

Obviously there is: encryption helps criminals evade detection. Lots of things do, including the internet, smartphones and public transport. "We certainly have evidence of some terrorists using encryption, but we also have evidence of terrorists using cars," says Ginsberg. "Encryption is like anything else – the more we do to control or hinder its use by some, the more we take it out of the hands of all of us."

The conclusion is pretty simple – surveillance damages free speech. "The suggestion that giving up our freedom is the only way of protecting the very same freedom is an untenable slippery slope, and should not be tolerated," says Ghahramani. Governments can insist they need access to private data, but technology companies will never trust their intentions nor their ability to keep a 'God key' safe. Encryption is indeed here to stay.

http://ift.tt/28aKJPP
