The encryption debate is at a dead end


This week marked the 11th annual Data Privacy Day initiative and TechRadar Pro is helping to improve data protection awareness with a series of articles exploring data privacy and how it impacts consumers and the businesses they interact with on a daily basis.

Digital privacy debates continue to grow larger and more urgent. Governments worldwide strive to give people more power over their personal data, from the GDPR in Europe, to the Californian CCPA, and new data protection laws in Brazil.

These laws have caused confusion about where different governments stand on encryption. The US government demanded access to Facebook’s encrypted Messenger last year, for example, raising the question of whether governments actually want these solutions to be more secure. Creating access through a ‘backdoor’ into the messenger would give companies and governments a means to bypass the encryption, but others could exploit the same built-in weakness.

This runs contrary to the technologies companies are adopting to secure their sensitive data in light of data protection legislation. One of the main tools used to secure data in transit is end-to-end encryption (E2EE). Collaboration tools based on E2EE are replacing email in some companies. Besides increased productivity, they remove many problems of internal and external communication, such as emails sent to the wrong address, while keeping the content truly secure, even from those who operate the service.

Many governments say they can build a backdoor into an E2EE system, and that as long as only they hold the keys it will remain secure. But this ignores the ‘nuts and bolts’ of the system. E2EE is a technology designed to keep data from being accessed without the right permissions. Creating any weakness in it opens a window for attackers to exploit.

Security and conflicting legislation

Legislation alone cannot keep companies safe. Even with GDPR in effect across the EU, 1,750 breaches were reported in the UK in June 2018, up from 400 in April, a month before GDPR was implemented. 

This new GDPR legislation, like the CCPA in the US, was put in place to incentivise organisations to better protect the personal details of staff and customers, to force them to look for better processes and to convince them to adopt more secure tools for communication. For these challenges, E2EE offers the best solution, using privacy by design to protect communications and valuable data.

This creates an impasse. If legislation is passed mandating that companies create ways for government to access E2EE data, this ‘backdoor’ will expose the very business communications those companies want to protect. Government-mandated backdoors combined with data protection legislation is like demanding that a shopkeeper protect their goods whilst removing the locks and alarm system. Businesses, and governmental institutions as well, will be the real losers, left to face the damage caused by data breaches: revenue loss, reputational damage, fines and, in the most drastic cases, likely human lives.

Looking forward

This standoff on end-to-end encryption will continue until governments take steps to provide clarity, and support E2EE. They could also choose to restrict it further, but we have seen disastrous effects on local security industries when encryption is restricted. At the start of the online era, France had notoriously tight control over encryption to the detriment of online services that needed to be secure. This damaged the French security industry with knock-on effects for any online business for years. 

Small and innovative companies can’t afford any delays in getting a product to market. They may be forced to skip over countries with strict encryption control. This results in stagnation, less choice, and weaker protection for people and businesses across countries. International companies will just seek alternative solutions bypassing the local market entirely and local businesses will suffer.  

It is in the best interest of the technology industry to continue campaigning for strong end-to-end encryption. We must protect the public and businesses from all threats, but weakening strong encryption is not the solution.

Alan Duric, Co-Founder and CTO/COO at Wire
