The Case for Encryption

There has been a heated debate over the last several months about data privacy, and, in particular, encryption. Most consumers and corporations want it. Case in point: Apple. Government agencies, particularly those in intelligence and law enforcement, don’t. Case in point: the FBI. To whom does your data belong? It depends on who you ask. Nevertheless, terrorist attacks in Brussels, Paris and San Bernardino in addition to government responses to these attacks are bringing heady concepts like data privacy and encryption out of cybersecurity circles and into the mainstream.

With cries that national security is at stake, intelligence and law enforcement agencies are getting more vocal in the encryption discussion (or, to be precise, decryption), causing the private sector to get more cautious with what data it shares and with whom. While data encryption isn’t a new concept, it has taken on renewed significance of late. When Edward Snowden revealed in 2013 the extent to which the National Security Agency (NSA) was monitoring private citizens’ communications, it created a backlash from privacy advocates and sparked an international debate between privacy and national security advocates. Government cyber monitoring of citizens of interest and several high profile terrorist attacks have led to several pieces of legislation being proposed or passed including: the Cybersecurity Information Sharing Act (CISA) in the U.S., the General Data Protection Regulation (GDPR) in the EU, Privacy Shield between the U.S. and EU, and bills in New York and California that requires all smartphones sold in these states to be decrypted. It has also led to lots of companies redoubling their efforts to encrypt their data. Apple is currently the poster child for encryption however WhatsApp recently announced that all of their users’ messages, attachments and calls are now encrypted.

It begs mentioning that the data that needs encrypting isn’t what one might suspect. What’s most important to intelligence and law enforcement agencies is a user’s metadata, not his/her content (data). Metadata is where the details are: to whom did you send an email, when was it opened, where was it opened, how big was a file attachment, etc. This information should all be encrypted. Hackers target metadata to socially engineer their victims to commit identity theft. The NSA and Department of Justice (DOJ) also focus on metadata because it connects suspects to other suspects, which can both broaden or sharpen an investigation. Content like emails, databases, files, pictures, etc. by comparison, is just the smoking gun. The smoking gun can be compelling but it’s a lot harder to find what really matters. It’s like searching for a single frame in a movie or single note in a composition.

Encryption keys - secret unique numerical sequences used to manage the encryption and decryption of files in order to limit access to authorized users – are also an important consideration. Key management in fact is just as critical as encryption, since whoever has access to the keys can unencrypt any protected data. Many enterprises typically leverage a public cloud provider to host (store) their data however in many cases the service provider has sole or at least shared ownership of the enterprise’s encryption keys. Under the USA PATRIOT Act, should a U.S. law enforcement or intelligence agency request access to an individual or an organization’s data, the cloud service provider is required by law to use the encryption keys to unlock and deliver the data. What’s worse, the vendor is forbidden from telling the individual or organization that they are under investigation. This practice was the impetus behind the invalidation of the Safe Harbor agreement between the U.S. and EU in October of last year. By contrast, if the enterprise maintains sole ownership of its encryption keys, it is the only one that can decrypt their data.

Terrorist attacks, data breaches, and proposed legislation in reaction to those events highlight a divisive issue: is privacy or national security more important? We can have both but not to the extent where anyone would be sufficiently pleased. Our best bet therefore is a compromise, essentially a balance between a world characterized by George Orwell in his book 1984 and a world where terror and mayhem prevails behind a cloak of 1’s and 0’s.

While that balance will inevitably enable terrorist attacks to continue to occur, it will also enable tech companies to continue to develop technology to keep ordinary citizens’ personally identifiable information (PII) safe – and private from hackers and snooping government agencies, both considerably larger problems than terrorism. It’s not a perfect solution but it’s a balance that works and should be pursued.

 

Written by Yorgen Edholm, CEO of Accellion

Accellion