Unauthorized security : encryption
From an initial willingness to Counter-Terrorism, some governments are tempted by lawful access to encrypted information when data are used for criminal purposes. However, this lawful access would just produce the opposite effect, drastically reinforcing cybercrime and weakening governments’ ability to counterterrorism.
This article explains inefficiency of the measure, being even a counterproductive measure, leading to protect cybercriminals and unprotect civil society, businesses and governments and will provide link to related articles. It will conclude on the best approach to take: fight criminality and child-abuse, not encryption.
Inefficiency of the measure
As Internet is for everyone, any information you are sending through Internet could be intercepted by someone. To protect your security and privacy, most data exchanged on Internet are now sent encrypted, in a way that only legitimate recipients of messages can access to the content. This security enabled many services on the Internet: e-commerce, web banking, private messaging, e-government, etc.
The request pushed by the European Commission is willing to weaker this encryption, enabling access to encrypted data by a third-parties – governments – when it is required in case of inquiry about terrorism or child abuse. But… as Marcel Kojala, Vice-President of the European Parliament, stated: « It is impossible to weaken encryption for criminals, while keeping it strong for legitimate use.«
First, measure will be inefficient towards cybercriminals. Figure 1 below illustrates how it should be operated in theory: an “encrypted” message sent over the Internet could be intercepted by governments who will have a key to decrypt the message through a backdoor.
Figure 1 – lawful access to encrypted internet traffic
A first consequence is that cybercriminals will know that “encrypted” content could be read by authorities and will consider this channel as “unsecured” for them. A first solution for them would be to pre-encrypt messages a stronger way, so that even if governments get lawful access to encrypted content, they will just remove a first encryption layer, and would be able to access to… super encrypted content. This principle is named “encapsulation”, like Russian dolls, and is illustrated in figure 2 below.
Figure 2 – Use of encapsulation to pre-encrypt content sent over “unsecure” channel.
Lawful access to encrypted content will be not only inefficient against cybercriminals, but it will be even counterproductive. This can be explained with a system thinking approach as illustrated in figure 3 below.
Figure 3 – Illustration of some indirect consequences of lawful access to encrypted data.
Lawful access to encrypted content looks first as exceptional and as an answer to cybercriminal activities. But even if exceptional, it will require to weaker encryption by adding a backdoor. Opening of this backdoor will expand the surface of attack for cybercriminals, as they will get a new way to commit a data breach, by intercepting decrypted content, or even worse by usurpation of governmental identity, and phishing or social engineering have already proven it is still a reality, without total protection against those attacks.
By expanding the surface of attack, it will create new targets for cybercriminals, enabling something not possible before: getting access to any data of anyone on the Internet. Temptation is too high, and it will reinforce cybercriminal activities.
As a result, the raise of cybercriminal activities will increase the pressure to more control those criminal activities, and more requests of lawful accesses to encrypted data. By doing this and ignoring this was an indirect consequence of lawful access to encrypted data, it will become a vicious circle, what is named “reinforcing loop” in System Dynamics and marked with “R”.
Protect cybercriminals and weaken civil society, businesses and governments.
The vicious circle illustrated above is, unfortunately, not the only one.
With lawful access to encrypted data, it is certain cybercriminals will consider sending information over the Internet as less secure, and they will look at alternatives using « unauthorized security » : real strong encryption. When this lawful access would be required by a Law, then only tools used by cybercriminals would be really secured.
The initial request of accessing to encrypted content could come with a good spirit: counterterrorism and fight child sexual abuse. However, the request should have been to find the best way to counter those activities, and not to lower encryption.
MIT stated in a study from 2015 « Key Under Doormats », that « law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. »
Here are some useful references and readings:
- Encryption rights project from Internet Society Belgium;
- European Council: Encryption: Council adopts resolution on security through encryption and security despite encryption;
- MIT, 2015, Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications. Authors: Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner.
- System Thinking and System Dynamics : System Dynamics Society;
- Human Rights Watch about Encryption;
- Photo by Matthew Henry on Unsplash
At the end, cybercriminals will be sole to use strong encryption to secure their data and their criminal activities, while civil society and legal businesses would not have this possibility as strong encryption would be « unauthorized security »… except if, with the rising of cybercrimes, people would start to protect themselves by using the same tools as cybercriminals. This would be the start of the End and of a dark period for our Humanity.
Strong encryption is a Human right in the digital age, and should remain a right.
President Internet Society Belgium Chapter vzw/asbl
Member of Global Encryption Coalition