Encryption technologies are the proverbial double-edged sword. If you ask anyone on the street whether they want their data to be secure from prying eyes, they’ll likely answer in the affirmative. If you then ask them how that’s accomplished, many will most likely say something along the lines of “encrypt it”.
This connection is partly a function of how the internet evolved. Early on, there was no encryption for websites. No lock icon and no green address bar. Once the public realized their credit card information used for online purchases was being sent in plain text, businesses were pushed towards encrypting their transactions. Businesses seeking to prove that they were doing the right thing would have FAQ pages outlining the value of HTTPS. This process has been so successful that it’s rare to encounter any website that doesn’t encrypt its traffic.
None of what I’ve just described is “end-to-end encryption” though. While the connection between browser or app and the website might use encryption technologies, there’s nothing to say that the data, once at the website, isn’t plain text.
Put another way, while your credit card information might be encrypted on the internet, that doesn’t mean it’s not available to read in plain text by employees of the website. If there is a bad apple on staff at that website, they could just as easily be copying your credit card information as they could if you gave it to them over the phone. This weakened internal security is precisely what enables hackers to profit from the data they steal in breaches.
We can all agree that protecting personal information like healthcare data and credit card information is the right thing to do. We can also agree that there are far and away too many data breaches going on in the world today. These data breaches have gotten the attention of legislators who have enacted a variety of laws intended to force businesses to do a better job of protecting consumer information. Often these laws have incredibly sexy names like GDPR, PIPEDA and CCPA, the last being a California law which went into effect on July 1st, 2020.
Striking a balance
In response to these laws, businesses are looking hard at how they handle data. Some are imposing limitations on the scope of data they collect. Others are reviewing how long they keep data and just who has access to it. Each of these helps move the needle towards better security, but the hot topic in some circles is the concept of end-to-end encryption. The core idea behind end-to-end encryption is to ensure that those gaps where data could be in plain text are gone.
This concept becomes very important when you talk about conversations, chats and video streams between two people. After all, we can all agree that we expect the conversation we have with our doctor over a video link or in an app to be private – as in no one can listen in.
The same expectation is there if you change the topic to video from a baby monitor, or an online call with a spouse or parent. Group conversations also fall under that expectation, as would business transactions and conference calls. Absent technologies like end-to-end encryption, there is the potential for someone to intercept and view the data – precisely the type of situation we’ve seen with various home security hacks over the recent past.
So, if we can all agree that we want our data protected, and government can agree that our data should be protected, then why are laws being proposed to break that social agreement? The simple answer is that terrorists, child predators, gangs, and the like trust encryption technologies to conceal their activities.
Governments are then challenged to strike a balance between the societal benefits of encryption and its potential misuse. What must not get lost in the political debate is that any form of a backdoor in encryption is tantamount to leaving a key to your house under the mat in front of your locked door. Eventually someone is going to find that key, unlock the door and do what they want inside your home.
A key tenet
Locating and exploiting weak security measures, like the key under the mat, is precisely what cyber attackers do. Whenever there is a newly published vulnerability in software, these teams seek to exploit it, and the outcome is all too often an attacker copying millions of pieces of sensitive user data. Such teams are unfortunately rather adept at finding these proverbial needles in haystacks.
Bringing things back to the topic of laws and encryption, we all need to recognize that weakening digital security, even for well-intentioned reasons, also weakens the security stance of an entire organization—and with it all the sensitive user data it processes and stores. Well-resourced cyber-attackers will sniff out weaknesses in the implementation of any highly publicized backdoors and will continue making their own rules around how best to profit from such welcoming attack vectors.
We need only look at the data breach stats to see that a single data breach impacts the public more than a single act of any other criminal activity. While thwarted criminal activity does happen thanks to digital sleuthing on the part of law enforcement, and while such criminals are no doubt taking advantage of technological advancements, a solution to one type of criminal activity shouldn’t also increase the potential for other crimes like consumer data breaches.
Software development, like any form of engineering, is a problem-solving exercise. “Tell me your problem, not your desired solution” is a key tenet of that process. If the problem is so broad that it can’t be broken down into implementable chunks, then the problem isn’t yet in a solvable state. And that’s the core challenge legislators face in attempting to define a technology solution to a social problem complicated by technology and the pace of technological innovation.
Tim Mackey, principal security strategist, Synopsys CyRC