Governments around the world are engaged in a legitimate quest to intercept the encrypted communications of suspected criminals and terrorists. When doing so, they need to be able to decrypt this data. That’s achievable when the encryption technology used is below governments’ own “high-grade” encryption standards. However, these agencies face a conundrum when the encryption used is high-grade – akin to the technologies they use themselves.
This all comes down to one simple fact. Not all encryption solutions offer the same degree of protection. Government agencies already have the tools and skills necessary to break “low-grade” encryption. However, when it comes to “high-grade” encryption, it’s another story all together.
Firms wishing to sell their encryption solutions into the government and defence sectors have long been required to meet rigorous testing and security standards’ validation. Solutions that meet these standards are recognised as high-grade – best-in-class – and are frequently adopted by commercial organisations because they offer the most secure data protection.
Of course, as with all freely available tools and technologies, you cannot limit access just to the “good guys”. Those actors with malicious intent are also able to benefit from secure communications and data transfer.
Those encryption technologies that offer greater protection are what the FBI referred to as “unbreakable” – a debate that began back in the 1990s and has seen a renewed emphasis in recent months. There is more than a hint or irony involved, as this high-grade encryption was first developed for government and defence use.
Why unbreakable? Simply put, the encryption keys themselves are encrypted and can only be accessed by the owner of the data. Also, the algorithms are highly complex, and the encryption technology typically includes other prevention features, such as periodic changes to the keys.
In practical terms, unbreakable means that with the computing power available today, hacking these systems would take longer than the useful life of the data they protect.
Ultimately, there is no point in introducing a law that is unenforceable. Like the government agencies themselves, the vendors do not have access to the encrypted keys.
There are broader, economic and ethical components to the argument too. Asking firms to compromise the security of a technology that is predicated upon its ability to protect data is likely to impact on both their brand reputation and trust.
Recent attempts in the US and EU to mandate encryption product “back doors”, forcing vendors to compromise their technologies, were fundamentally flawed and so died a natural death.
Trust is an essential component of any security proposition. Attempts to enforce backdoors or mandate decryption assistance will naturally erode this trust. That which keeps 99% of us safe will have been compromised by a focus on the 1% being targeted. It’s not only impractical, but potentially damaging to an essential industry.
More about encryption here