The Snowden revelations showed the world just how insecure our data actually is. Ever since, encryption has been increasingly in the public discussion. Confirmation that the government is intercepting and storing vast amounts of individuals' data has meant greater interest in developing and using encryption tools. The topic, usually the domain of mathematics researchers, IT professionals, and political activists, is increasingly reported and discussed in major news outlets. Along with this conversation has been action; businesses, governments, and individuals alike have been taking a keen interest in developing and deploying encryption solutions.
Google has encrypted their data center links and is pushing for wider use of HTTPS to secure connections between servers and Web browsers. Apple has made the encryption and security of the iPhone a selling point, and both Apple's iOS and Google's Android platform now have robust encryption where the user, not the vendor, holds the keys to their data. The Electronic Frontier Foundation (EFF) is facilitating secure Web sites with the Let's Encrypt project, and there are any number of other projects, applications, and services providing (or at least advertising) secure communication and storage. The IT community seems to be slowly moving to the point where data security and encryption is the default, rather than the exception.
But of course, not everyone welcomes this trend toward improved security or sees it as a benefit. Law enforcement and intelligence agencies are close to a panic, judging by the hyperbole that's been coming from the FBI, CIA, and similar agencies. They’ve even brought up the “Think of the children!” defense, a plea for an emotional, knee-jerk response that always seems to be the last-ditch effort for those who can’t — or won’t — debate a policy with facts and evidence. The chief of detectives for the Chicago Police Department, John J. Escalante, recently went so far as to say, “Apple will become the phone of choice for the pedophile. The average pedophile at this point is probably thinking, I’ve got to get an Apple phone.”
In addition to over-the-top rhetoric about "going dark" and the vague, unsubstantiated threat of criminals having free rein thanks to secure communication, law enforcement has been pushing for legal restrictions on secure communication. One of the latest efforts has been to urge Congress to mandate weakened encryption. FBI Director James Comey, NSA Director Mike Rogers, and others in law enforcement and intelligence have called for back doors in encryption software, and have predicted dire consequences if government officials aren’t able to access protected data. They assure us that this access will only be used legally, with proper oversight, with complete respect for the privacy and civil rights of users, and without damaging security.
However, let’s not forget that these same agencies that are demanding magical golden keys and back doors that only the “good guys” can walk through have demonstrably and repeatedly shown that they cannot be relied upon to keep their word. They’ve lied to the US Congress. Repeatedly. Their programs and the legal justifications behind them, now that they are no longer hidden from the courts, seem to be illegal.
Of course, even if claims of oversight and respect for privacy could be believed, there is one fundamental flaw -- the kind of access they request is impossible. An encryption scheme is either secure, or it isn't; there's no middle ground, no way to design or implement a system that can give law enforcement the access they want while at the same time ensuring the privacy and security of users. Stanford lawyer and computer scientist Jonathan Mayer has masterfully laid out precisely why this idea is completely infeasible in a recent essay, "You Can't Backdoor a Platform" -- an essay that should be required reading for anyone who thinks there is a way to circumvent security for some, but not others.
Unfortunately, those people are all too plentiful, and many are in positions of influence and authority. Senator Mitch McConnell, for example, doesn't see the import of these issues; apparently, illegal, bulk collection of data doesn’t meet the Senator’s definition of “running rogue”. The Washington Post Op-Ed page similarly called for a “compromise” on smartphone encryption, apparently not comprehending that this is technologically impossible. Thankfully, some lawmakers and other officials do see the danger and understand the limits of technology. At a recent hearing, Rep. Ted Lieu and others fired back at FBI and Department of Justice officials, with Rep. Lieu offering some blunt advice: “Just follow the damn Constitution!”
There is no magic algorithm that can tell the bad actors from the good; the network sees the attack, not the motivation. The NSA's QUANTUM attack is similar to China's Great Cannon. Any back door created for some will be found and exploited by others -- the evil bit is an April Fool’s joke. The best we can do is to build, deploy, and use systems that encrypt our data and keep that data protected from any attacker.
To that end, there are several things you can do right now:
- Use the passcode feature on your smartphone, as well as any other security features it offers.
- Install and use HTTPS Everywhere on your browser.
- Use encryption features on your personal computers -- BitLocker, FileVault, etc.
- Follow the guidelines collected at the EFF's Surveillance Self-Defense project.
- Install and use PGP, or its open source implementation, GPG. Mac users are well served with GPGTools.
- Review your organization's security policies to make sure that data is encrypted both in transit and at rest.
- If you run a Web site, ensure you have certificates and are creating SSL/TLS connections; the EFF's Let's Encrypt project should make that both simple and free later this year.
- If you are a software developer, use Sodium. It is a well-crafted, well-tested crypto library, and has bindings for dozens of different languages. The documentation and examples are excellent, and a good book on its crypto implementation and how to use it in your own applications can be found at GitBook.
Digital security is an ongoing, complex, multifaceted problem, and there is no one single solution -- but ubiquitous data encryption is a big step in the right direction.