The recent furore between Apple and the FBI over access to the San Bernardino shooter’s iPhone brought privacy debates firmly into the public eye. Despite tech giants, politicians and privacy campaigners explaining the potential ramifications of the case, many people remained on the fence.
A recent survey by the Pew Research Center found that the majority of Americans sided with the FBI and believe that Apple should have complied with its demands. I find this deeply concerning because it shows how easily our collective privacy could be eroded in the name of national security, and also how little most people seem to understand the encryption technologies which protect us all.
As the UN high commissioner for human rights explained recently, encryption is vital to freedom of expression and opinion, and without it, lives may be endangered. Currently, the only way to communicate securely online is to encrypt everything, so that even if your data were to be accessed by someone else, it would remain private. But any process that weakens the mathematical models used to encrypt data will make the whole system less secure, because it will also weaken the protection.
In the Apple case, the FBI suggested that it could manipulate security in such a way that only it could take advantage of that subversion, but this is wrong. This is why Apple talked of the San Bernardino case setting a dangerous precedent. While it is possible to create an entirely new operating system which undermines the iPhone security features, there is no way to guarantee that this could not one day be used by someone other than the FBI. There is no way to determine when an attacker could discover a vulnerability, and once accessed, exploit it to harm anyone using that connected device, service or system. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it. Backdoors will be exploited by anyone, not just the US Government.
Just like the Snooper’s Charter proposals here in the UK, these demands also force tech companies to make a difficult ethical decision. How can you tell your customers that your products are secure, but also knowingly compromise that security by building backdoors, weakening encryption and storing personal data on a huge scale? Complying with this kind of warrant equates to a catastrophic invasion of customers’ privacy, and has historically required tech companies to collude with the Government and then essentially lie about it to their customers by not disclosing it to them.
The Snowden leaks revealed how the National Security Agency in the United States convinced Microsoft to make changes to security on its Skype program to make it easier for the NSA to eavesdrop on conversations. We also know from the Snowden leaks that the NSA subverted a government standards process to be able to break encryption more easily. Leaked documents revealed that the agency planted vulnerabilities in a cryptographic standard adopted in 2006 – effectively inserting a backdoor by writing a flaw into a random-number generator which made it easier to unscramble numbers generated by that algorithm and crack technologies using the specification.
These kinds of scandals don’t just damage the products and technologies in question, but threaten to damage trust in the Internet entirely. Internet governance was historically left largely to the United States because most people assumed that they were focused on ensuring the security of the Internet, rather than using it as a means of surveillance. The Snowden revelations quashed that belief, and the system is now in turmoil. Some of the potential applications of the Internet that would benefit citizens and entrepreneurs have already been stymied by unresolved trust issues. E-voting has stalled and migration to the cloud is suffering.
For the Internet to continue to grow and flourish, we need to re-establish the foundation for trust, and convince users that the systems they use online are not being used as a means to spy on them. This is no doubt why Apple is planning to hand over iCloud encryption key management to its users. Going a step further, advances in pairing-based cryptography will soon allow a private key to be split into several different parts, eliminating the single point of failure that currently exists. This means that governments wanting to access that key for surveillance purposes would have to fight across multiple different legal jurisdictions in order to gain access.
Even better, individual organisations may soon be able to choose how their root key would be split, empowering them to choose geographies which they feel are least likely to allow Government access. These kinds of changes put power back into the hands of the individual and give users valuable new tools in the fight to keep our data secure.
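The key-splitting idea described above can be illustrated with a short added example, which is not code from the author or from MIRACL. It swaps in plain additive secret sharing with ElGamal over a toy-sized prime group rather than the pairing-based scheme the article refers to, and all function names are hypothetical.

```python
import secrets

# Toy group parameters (assumption for illustration, far too small for real use).
P = 2**127 - 1          # a Mersenne prime
G = 3
ORDER = P - 1           # exponents are reduced mod p-1 (Fermat's little theorem)

def split_key(private_key, n):
    """Split a private exponent into n additive shares that sum to it mod ORDER."""
    shares = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    shares.append((private_key - sum(shares)) % ORDER)
    return shares

def encrypt(public_key, message):
    """Standard ElGamal encryption of an integer 0 < message < P."""
    k = secrets.randbelow(ORDER - 1) + 1
    return pow(G, k, P), (message * pow(public_key, k, P)) % P

def partial_decrypt(share, c1):
    """Run by one share holder; the share itself never leaves that holder."""
    return pow(c1, share, P)

def combine(partials, c2):
    """Multiply the partial results and strip the mask from c2."""
    mask = 1
    for d in partials:
        mask = (mask * d) % P
    return (c2 * pow(mask, -1, P)) % P

def demo(n=3):
    """Return (plaintext, result with all shares, result with one share missing)."""
    x = secrets.randbelow(ORDER - 1) + 1        # root private key
    public_key = pow(G, x, P)
    shares = split_key(x, n)                    # e.g. one per jurisdiction
    message = int.from_bytes(b"constructed msg", "big")   # constructed sample input
    c1, c2 = encrypt(public_key, message)
    partials = [partial_decrypt(s, c1) for s in shares]
    return message, combine(partials, c2), combine(partials[:-1], c2)

if __name__ == "__main__":
    m, full, missing_one = demo()
    print("all holders cooperate:", full == m)
    print("one holder withheld:  ", missing_one == m)
```

Decryption succeeds only when every holder contributes a partial result, and the full key is never reassembled in one place.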
Now that the FBI has dropped its court case against Apple, many will assume that the case is over. But there are no winners here, and a long battle over our collective privacy lies ahead. We all own the Internet, and we need to fix it together.
Brian Spector, CEO, MIRACL