Every now and then, police or someone in government will complain that encryption is bad. The arguments are pretty much always the same: encryption is bad because it allows criminals to hide or because it enables terrorists to communicate without the intelligence agencies able to read along. Or, if all other arguments fail, it allows people to deal in child pornography. While technically there is some truth to these arguments, they aren’t good arguments against the use of encryption. Let me share with you why the war on encryption is a bad idea.
What is encryption?
The simplest explanation is that encryption is a way of turning something that is readable by everyone into something that is readable only by a select few. There are many ways to do that. There are simple transposition ciphers which basically shift characters around. And there are highly complex forms of encryption that use advanced mathematics to make ciphers which are practically unbreakable. Even quantum encryption looms on the horizon. Talking about quantum anything makes my brain hurt so I won’t go into that. But here’s an example of a relatively simple cipher:
Qzmt bjjy, tjp xmvxfzy v Xvznvm xdkczm!
Can you crack the code? Let me know in the comments what you think the code says. Even with pen and paper, you can crack this code fairly quickly. For a computer, it would be much easier and faster. This form of encryption would not be enough to thwart law enforcement. But current cryptography, often based on asymmetric keys is computationally infeasible. That means that with modern computer standards, it would take so long to decrypt the message that by the time you can read it, it won’t matter any more. Only the intended recipient, who holds the correct key, can decrypt the message in a reasonable amount of time.
For encrypted email, I use GnuPG. This piece of software enables people to encrypt a message using my public key, send it to me and I decrypt it using my private key. You can find my public key here. As long as I take good care of my private key, no one else will be able to decipher the message. For a more detailed look at how this works, check out this page on Wikipedia.
We depend on encryption
Encryption is everywhere these days and we depend on it for almost everything we do. The padlock in your browser? That is telling you that your connection to this site is secured by encryption. The key you enter to connect to your home WiFi? That is part of the encryption to secure your connection. When you connect to your work VPN to do your job remotely? Encryption again.
Online banking, internet shopping, working from home, chatting with friends, online dating, ordering an Uber, all those things are made secure by encryption. If it weren’t for encryption, our economy would shrink and go back to being mainly offline. Encryption provides security and the security provides trust. If we could no longer trust our encryption, well…would we still feel safe to do all the things online we do today?
Why the war on encryption is a bad thing
On the 11th of May 2021, the Dutch public prosecutor’s office published their report over 2020. In it, they comment that encryption was never intended as a shield to protect criminals. They support initiatives that explore technical means to enable law enforcement to gain access to encrypted information of criminals. Similar noises are coming from the European Commission where concerns about child pornography are used justify such initiatives. Europol is also joining in, saying that encryption upsets the “balance between privacy and security“, whatever that means.
And why not, you may think. Isn’t it a good idea to combat terrorism, criminal activity and child porn? Yes, that is a good idea but that’s not the issue at stake. In the same report where the Dutch public prosecutor complains about how encryption makes their life difficult, they also boast being able to penetrate Encrochat, a secure chat service that served as a marketplace for criminals. They also mention being able to read millions of messages on SKY ECC, another encrypted messaging service. Clearly, encryption wasn’t such an insurmountable issue in those cases.
Only bad options
If law enforcement or counter terrorism units have problems with encryption there are only a few ways they might hope to tackle this. As far as I see it, there are three options open to them and they are all bad options.
- Weakening encryption standards
By weakening encryption standards, encryption becomes less infeasible to crack. Perhaps instead of 300 or 400 years, they would then only take 3 or 4 weeks to crack.
- Enabling a master key
Governments could force tech companies, internet service providers, banks and other institutions to implement a master key in their encryption, a key that would allow all encrypted messages to be decrypted by law enforcement. Certain safeguards could be implemented, like requiring a court order, to prevent abuse of this kind of power.
- Ban on encryption
The use of encryption for some or all forms of communication could simply be banned. This would essentially take us back some 20 years, to pre-Snowden days.
As I mentioned above, these are all bad options.
You can’t selectively weaken encryption
If you weaken encryption for some people, you weaken it for all people. If law enforcement agencies can more easily crack encryption, so can everyone else. Cyber-criminals would be able to eavesdrop on all kinds of electronic connections, the VPN to work would no longer be very secure and breaking into the neighbour’s WiFi would be easy as well. We would be opening up our digital infrastructure to a myriad of attacks that encryption now prevents. This seems like a very bad idea indeed. With weak encryption, everyone would be endangered.
Keys become lost
Technically, it would be possible to create a master key for all kinds of encrypted services. Think of it like a skeleton key to open all the doors in a building. However, if the EU would decide to enforce such measures, what would stop criminals from using services not based in the EU and so would be outside of EU jurisdiction? Or better yet, what would prevent someone from setting up their own encrypted service or certificate authority somewhere?
Actually, not much at all. Setting up such an infrastructure is very doable and would enable those operating outside of the law to use strong encryption without the master key being in the hands of law enforcement. Ironically, that would mean that the criminals would enjoy safe, unbreakable encryption but everyone else wouldn’t! How’s that for upsetting the balance between privacy and security?
Even worse, keys can and do become compromised. When it does, everything that was encrypted with the compromised key can be decrypted with very little effort by anyone. Imagine the master key to the encryption of entire nation falling into the hands of an enemy. Is that a scenario you’d feel comfortable with?
If encryption becomes illegal, only criminals will have encryption
By outlawing encryption from use, not much will be accomplished to fight crime, child pornography or terrorism. Because if encryption becomes illegal, only criminals will have encryption. They already operate outside of the law so using illegal encryption won’t be much of an issue for them. They’re not going to care about such a ban. However, the rest of the population will be back under mass surveillance, like before the Snowden revelations. Since we depend on encryption, this doesn’t even seem like a reasonable option anyway. Imagine the economic consequences alone if encryption were to become outlawed. Would you go online shopping if your connection to your bank or credit card company was no longer protected by encryption?
A flawed argument
The argument put forth by the Dutch public prosecutor is flawed. Yes, encryption was never intended to shield criminals but that’s not an argument against the use of encryption. Hammers were never intended to hit on thumbs but it still happens from time to time. Cars weren’t intended to run over people either but it happens. Just like a hammer or a car, encryption is a tool. People will use it for good things and for bad things but it’s not the tool that is to blame. Encryption is the best tool we have to keep our private information private in our hyper-connected world. Tampering with it in any way, will put millions of people at risk but it won’t prevent criminals from communicating in secret. Strong, computationally infeasible encryption should be available to anyone.
What do you think? Should everyone be able to use strong encryption or should encryption be regulated? Let me know in the comments!