Two different approaches to encryption

November 3, 2015

Encryption is a key part of data security. A realistic assumption is that at some stage, even with the best of planning, up-to-date programs and proper training, there will be a data breach. A slip by an employee in leaving a USB on a bus, infiltration through a compromised third party with access to the site, or a fault that is not detected in time can all lead to a breach. Encryption is therefore an important part of any data security plan. Privacy regulators support encrypting data. It is similarly critical in maintaining security in the transmission of data.

The goodwill and reputation of service providers who operate in the transfer and storage of information rely heavily on having data properly encrypted. Part of that is ensuring that third parties don’t have access to the keys. That has been the source of considerable dispute between companies such as Apple and the US Government and the National Security Agency. The revelation by Snowden that government had back door access to communications caused uproar in the internet community. It is bad for business. The other problem with building backdoors into supposedly secure programs is that it creates a weakness for hackers to test. Access by government can lead to access by criminals or foreign powers. Similarly, providing keys to government does not guarantee they will remain secure and not find their way into the hands of others. Government security can be appallingly weak.

Conversely, apps which enable anonymous communication and encrypt data have a ready and willing market, as reported in “Tor Just Launched the Easiest App Yet for Anonymous, Encrypted IM” and “Signal, the Snowden-Approved Crypto App, Comes to Android”.

In the United States, home to the world’s largest and most dynamic internet companies, the government has backed off on its earlier demands for access to encrypted data, as reported in “Obama won’t seek access to encrypted user data”. The United Kingdom has taken a diametrically opposite approach: to legislate that companies keep encryption keys. This is reported in “UK to make tech companies retain crypto keys”. It provides:

Bill to mandate access to encrypted content.

Britain is working to push through new laws that will effectively ban the use of strong encryption in the country, forcing companies to provide unscrambled content if served with a court warrant.

The government’s new Investigative Powers Bill proposes to make tech companies such as Apple and Google retain decryption keys for encrypted devices and services.

Baroness Joanna Shields, the Conservative UK minister of internet security and a former executive with Google, Facebook and RealNetworks, said there was no intention by the government to weaken encryption or provide backdoors.

The move comes despite an election promise by prime minister David Cameron in January to ban communications the government could not read.

Shields denied Cameron advocated banning encryption, claiming the government was worried about companies building “end-to-end encrypted applications and services and not retaining the keys [to them]”.

“The prime minister has repeatedly said that there cannot be a safe place for terrorists, criminals and paedophiles to operate freely, with impunity and beyond the reach of law,” she said.

“This is not about creating backdoors; this is about companies being able to access communications on their network when presented with a warrant.”

Shields claimed there had been an “alarming movement towards end-to-end encrypted applications” and that it was essential the companies building such technology are able to decrypt that information and provide it to law enforcement.

When the Investigatory Powers Bill becomes law, internet providers and companies will also be required to retain users’ web browsing histories for a year for law enforcement purposes.

Following revelations by former United States National Security Agency (NSA) contractor Edward Snowden, Apple and Google decided last year to do away with the ability to decrypt customer devices and not retain the keys.

Apple is currently embroiled in a court case in the United States where it is arguing it has no ability to decrypt newer iDevices.

Its stance is being challenged by the country’s Department of Justice, which insists the company must be able to decrypt the devices if required to by law enforcement.
