“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” So goes the quote from Benjamin Franklin, one of the Founding Fathers of the United States, in 1755. Little did he know that over 250 years later, his words would be frequently cited in one of the most complex debates of modern times.
In a world where data is collected, shared and sold as the norm, the liberty vs. security question has never been so relevant. The topic has been brought into the public eye by the UK Home Secretary’s draft Investigatory Powers Bill – or ‘Snoopers’ Charter’ – and honed-in on the issue of encryption. More specifically, whether government agencies should be given the power to access encrypted, private communications, by forcing service providers to hand them over.
Since many communications providers use end-to-end encryption to protect user privacy and operate with ‘zero knowledge’ of what is being communicated, the only way for law enforcers to obtain this level of access would be to weaken encryption or change the way users’ private keys are stored. There is no way for the mediator to simply decrypt content; they would have to fundamentally change the way the system works, creating a backdoor of sorts.
The revised bill, published this week, comes as Apple’s CEO, Tim Cook, publicly fights a court order to build an encryption backdoor to unlock an iPhone belonging to one of the terrorists in the San Bernadino attacks. To do so, argues Cook, would “be equivalent to a master key, capable of opening hundreds of millions of locks” and would “undermine the very…liberty our government is meant to protect.”
The problem with encryption
At the heart of this issue, as Franklin’s quote articulates so well, is the idea that the actions being taken by governments on both sides of the Atlantic come at the expense of our own freedom and progression. On the one hand, encryption makes the communications of potential terrorists more difficult to intercept, but on the other it protects the privacy of every other British and US citizen, safeguarding against data thieves and other malicious activity.
Fundamentally, encryption underpins just about every platform for collaboration, connection and communication that exists today. Reforming how it functions could have far-reaching consequences and requires careful management.
A question of trust
It is thanks to encryption that we, as consumers, can shop online or pay monthly bills with the click of a button, assured that our personal details are safe. From a business perspective, encryption enables organisations to work across enterprise boundaries in the cloud, sharing commercially sensitive data or legal documents without gambling on security.
The trust that we put into the internet - the smartphones and tablets that we carry, and the platforms we communicate through - is a key driver for economic growth. If the UK is to maintain its global role and influence, protecting business interests against potentially massive economic espionage is essential. If we weaken encryption, we weaken trust in the entire system.
An exodus of service providers
Yet, the proposals outlined in the draft Snoopers’ Charter in particular seem to ignore this - the end goal being that ISPs or other organisations providing a service protected by encryption must be able to bypass it. Downgrading algorithms in this way would set a global precedent that technology providers must assist law enforcement in breaking users’ security, which would eventually make private data more vulnerable and visible.
This could have the effect of forcing service providers to jurisdictions outside the scope of the Charter in order to be able to provide the type of secure services their customers want and expect. The nature of the internet accommodates this free movement, to the potential detriment of the British technology sector and wider economy.
Taking back control
With the spotlight firmly on privacy and a rapidly evolving threat landscape, businesses must implement solutions to ensure the confidential and personally identifiable data they control remains secure across all the countries and jurisdictional boundaries they need to operate.
The increasingly dynamic and globalised nature of business has brought rise to innovative technology solutions that can enable strong protection and encryption to travel with content wherever it needs to be shared in the course of doing business. With state-of-the art Information Rights Management solutions, content can effectively protect itself. We need trust in these systems to enable global trade and collaboration.
Companies and individuals are becoming more aware of the need to protect their information and we see an increase in requests for self-ownership of encryption keys used by service providers regardless of the physical location of the data - a model known as “Customer Managed Keys” (CMK).
We now stand at a crossroads in the encryption debate, and the only way forwards will be through collaboration between governments, global technology companies, and wider business. Decisions taken now could have profound consequences on the future growth of the internet globally. At the same time, individual jurisdictions are at risk of eroding the critical element of trust in services provided within their domestic markets and simply pushing the most secure services to operate beyond their borders.
Let’s hope that as new legislation unfolds, policy makers remember the words of Benjamin Franklin, and deliver solutions that strike the right balance between freedom and security.
Richard Anstey, CTO EMEA, Intralinks
Photo credit: Maksim Kabakou / Shutterstock