Special Thank You to Adriana who acted as editor on this post.
Encryption has been in the news a lot recently, and for a number of reasons. Mainly wrong ones. So what is encryption? Why is it important, and why shouldn’t we get rid of it?
Encryption is a method for keeping your digital data secure. In the digital world, it acts like a lock. Imagine your house you more than likely have a lock on the door. A lock stops strangers from wandering into your house whenever they want and taking a look at your cool stuff, or worse, stealing your cool stuff. We all have locks on our doors, unless you live somewhere really nice (and if so please let me know in the comments so I can move in.) Your lock actually also performs a secondary function, that you probably don’t think about. It allows you to identify the person entering the house as being known to the household. Say you’re sitting on the sofa watching your favourite TV program, when you hear the key turn in the front door and it open and close. You know by that fact, the person entering had the key, and they are authorised to enter your home. Just like a lock, these are the two basic functions that encryption on the internet provides for us security and identity checking.
Security and Privacy
This is probably the one that we are all familiar with. Encryption provides security. When it dawns on you at 4am that you haven’t paid that bill, and you sign into your bank, the connection between you and the bank is instantly encrypted. If you want to know how, it uses something called Transport Layer Security (TLS). Honestly, I am not going to go into the technicalities about TLS and how it works as it’s not relevant, but it does and this is what you are using. This encrypted connection between you and the bank provides you with two things: security where no one can get access to your account details, and privacy where no one can see who you paid the bill to. These are probably important to you, you don’t want people stealing your hard earned cash and don’t want people to know who you paid. Privacy doesn’t mean you are doing anything illegal or wrong, it just means you don’t want people to know. Let’s take an example, you’re a young lady or man and you have issues with your intimate health, you go to a specialist that deals in this to get treatment, you pay for this treatment on your bank card. You probably don’t want the world and his dog to know about this. Let’s look at a variation on that example that doesn’t directly include the security element, i.e. nothing to do with your bank or money. So you have this issue in your intimate area, and you IM your friend or partner to talk to them and ask for advice. I am sure even though you won’t lose money by that chat transcript going public, you still wouldn’t want it to go public at all. In this example, you haven’t done anything wrong or illegal but you still don’t want that information to get out into the public. The same way that storing your underwear in a drawer in your house behind a locked front door isn’t wrong or illegal, but I am sure you don’t want strangers to come off the street and look for it. This is the first and probably most widely understood use of encryption. Encryption keeps your data secure so that you control who can access it.
Back to the bank example; it’s 4am you sign into your bank from your home. How do you know that’s your bank? How do you know you haven’t just given your bank login to a scammer? The answer once again comes down to encryption and the TLS system. When your first make contact with the bank in your browser, a little bit of what’s called “hand shaking” takes place, basically the browser tries the bank’s key that it has in the bank’s lock. If the lock opens, then it’s the bank. If it doesn’t, then it probably isn’t the bank. For all the security and internet experts out there, I know TLS is more complicated and doesn’t exactly work this way… but it kinda does. Like in the real world, only certain people can give you a key to the lock for the first time. The people that give out keys on the internet (and make the locks if you want to get carried away with this) are called Certificate Authorities (CA). They do a background check on the person asking for the lock and key, and check to see if they are who they say they are. This means that if Mr Scammer comes to the CA and asks for a lock and key to be created for “Your Magic Bank”, then the CA will check and find that Mr Scammer doesn’t have anything to do with Your Magic Bank and reject the request. You now know that if you have a key that is labelled Your Magic Bank, and it fits the lock of Your Magic Bank’s website and unlocks it, you’re accessing Your Magic Bank and not Mr Scammer’s Bank. The other function of a CA is that you can go to them with a key and say “Is this the key you issued Your Magic Bank” they will check it, and confirm yes or no. This is important just because if something is labelled as Your Magic Bank and fits the corresponding lock labelled Your Magic Bank, doesn’t mean that the lock and key belong to Your Magic Bank. How the CA know that the key and lock are valid and issued by them is complex and involves yet more encryption and more keys and locks, so as you can see this whole process relies on encryption to work. This is why you should always look for the padlock symbol whenever you go on a website and not just the https: bit at the front of the address.
I am Encrypted
So now you have read up to here, you probably noticed that in the address bar for my site there is a padlock. Yes, I am serving my content to you securely using encryption. This protects your privacy, and also tells you that the content you’re reading is coming from me. In the anonymous digital world, Security, Privacy, and Identification aren’t just “nice to haves”, they are essential to staying safe. Say that there is a nasty man out there, and you’re one of my friends who is loaded. The nasty man contacts you through instant message pretending to be me and asks you to meet them as some location. You think nothing of it, after all the instant message came from me, so it must be me, right? You go to the meetup, and the nasty man steals everything and runs of into the night. Luckily with modern Instant Messaging apps like WhatsApp and iMessage, this is a lot less likely to happen. And again it’s because of encryption. There are many many examples as to why Encryption is important to our daily lives and why we rely on it to keep us safe and secure and to protect our privacy. Privacy and Security are basic human rights, in the modern world where information flows outside of our control across the telephone system, through the air, and through other people’s systems, we have to rely on encryption to uphold these rights.
Apple V the FBI
I want to address another issue that was highlighted recently; Apple refused to create a system that could unlock an iPhone for the FBI (you can read about the case here). Lets use the very first scenario I proposed at the beginning of this post where I likened encryption to the lock on your front door. If the police want to access your home, if you had, or were suspected of doing something wrong, they can smash the front door down. However let’s say you live in a bad neighbourhood, and you don’t want just anyone smashing your door down and gaining access to your property, so you invested in an unbreakable armed door. Now the police can’t just smash the door in to gain access to your property, this doesn’t mean you’re doing anything wrong inside your home, it just means you don’t want the criminal element in your home. The reason for this example is that the internet, due to easy access and anonymity, is like a really bad neighbourhood. The only way to truly stay safe is to have the unbreakable door, and that is where we are at the moment. Don’t get me wrong, encryption isn’t completely unbreakable, but without the key, breaking through it is partly impractical. The reason for this is that just like the front door in the bad neighbourhood, you don’t want anyone from being able to break it. Going back to the unbreakable front door example, say you wanted to let the police have access to these homes, after all society is safer as a whole if criminals are caught. For that, the person needs to be arrested, evidence gathered, and anything dangerous or stolen must be confiscated. The police, however, can’t access the home because of the unbreakable front door (let’s just imagine that is the only way in), so the police ask the people that make these unbreakable locks for a special key that can open any old lock. This is basically what the FBI wanted Apple to do; to make a special key to unlock a certain lock. The problem with this is twofold. For one, you can’t make the key without coming up with a process for the key to work. You also end up having a key that can unlock any door out there. In computing terms such system is called a “backdoor” for it is a way of getting around the front door. A back door is dangerous because, once it exists, you weaken the security of the entire system. A criminal can now use the same system that is intended for Law Enforcement to access the lock. Whatever precautions that you take in order to keep the system and master keys safe, it will get exploited. Exploitation can happen in a number of ways: accidental access to the system or loss of the master key. Say someone leaves a copy of the system on a USB key in a taxi, someone finds it and now has access to the system, they can then if they want share this with anyone or everyone. Of course there is always the possibility of intentional access to the system or master key. In this instance, someone who has access to the system, for one reason or another, gives the access to someone else. The other way that it could happen is through reverse engineering. A criminal knows that the system exists, and has a lock of their own that belongs to them, they then spend a while working out how in the lock, the system works, and then makes an “unofficial” way of accessing that lock. As soon as you create a weakness in the system, that weakness can be, and eventually will be, exploited for reasons others than the one you intended. Even if somehow you managed to ensure that the system and master key where never lost and made it impossible to reverse engineer, you’re still left with one problem: authorised users of the master key and/or system could use it for a purpose that you did not want or wish for. The other and maybe darker concern is that authorised people could use the system for an authorised, yet completely unethical, purpose. An example of this maybe that the government don’t want anyone to criticise the way they run the country, they “unlock” everyone’s private communications using the master key and read it, they can then penalise anyone that they feel is voicing a criticism.
Balancing the right to people’s privacy, the risks of exploration either officially or criminally, and the upholding of laws, is a difficult balance. In my opinion, the risks far outweigh the benefits. This is because even if you did make every legitimate manufacture of encryption systems, or systems that use encryption, put in a way for this encryption to be circumvented by law enforcement, criminals will just move to illegitimate system to which you won’t have the master key. This will result that the only real reason to develop such as system is to enable you to spy on your citizens, which is a major breach of civil and human rights.
Hopefully you now have a better understanding of encryption, but more importantly how it benefits you and keeps you safe online. In the 20th century, the world changed with the invention of the internet. Now in the 21st century, we arguably lead as much of our lives digitally as we do physically, and so we need ways to keep us safe in our virtual lives as much as our real lives. This change is only going to continue, and more of our identity and lives will be digital. This means that we need to make sure that we think carefully and long-term when making any decisions over the way we manage or secure people’s data. Intentionally making these safeguards weak through ignorance or fear of the unknown will have long term and possible devastating effects on people’s lives. People need to understand that the response: “Well if you have nothing to hide, you have nothing to fear” doesn’t really hold water in the modern age. Protecting people’s privacy should be as important as protecting their security online, and a loss of private data in the virtual world can have real world and far-reaching ramifications. Technology companies are increasing understanding for this, not only because it can harm their bottom line if they don’t, but also because they have a better general and technical understanding and therefore a lack of fear when it comes to digital issues. A lot of lawmakers don’t understand, however, and therefore fear the digital world. Mixed with the mainstream Media reporting on digital issues, leaping on the use of technology in criminal and terrorist events means that they often suggest or even try to implement damaging and dangerous policies. There is also the perception that what happens in the digital world is far less meaningful than what happens in the physical world, which in contradictory because they want access to this data, but at the same time seem to view it with less importance than physical data. Any policies implemented now should be considered by experts, with a good understanding of the present, but also a talent for seeing future developments. A wrong move here, born of fear or a desire for power, could have far-reaching and ever-lasting effects on the human race. There are bills going through or in the process of being prepared by world governments, to weaken, or in some extreme cases, ban the use of encryption, and often these are based on fear or control. If you want to find out more on the arguments around encryption, a good place to start is the EFF, Fight For The Future, or the Open Rights Group.