I was inspired to talk about our data breach problem today due to a recent article. As I’m sure many of you are aware, there have been and continue to be many data breaches from various companies. They hardly ever get covered by mainstream media unless they’re huge, because honestly it would be absolutely exhausting to hear about nearly every day. In fact, so far this year as of writing this, there have been 203 data breaches made public exposing over 6 million records. Considering we’ve only had 181 days this year so far, that’s an average of 1.12 breaches a day. Let that sink in for a moment and consider how many of those 203 breaches you’ve heard about.
So, the question becomes “what is the solution and do we have one?” I believe we do have a solution, but it’s one that many of the big players are not fans of. Obviously, companies and government aren’t able to keep our data safe. Securing their systems isn’t working to protect our data. Encryption seems to be the obvious solution to our data breach problem. Specifically, end-to-end encryption would solve this issue, assuming it is implemented correctly. Think about it: if companies cannot stop hackers from getting the data they have, then let’s make the data unusable to the hackers. Encryption would cause the data to be basically useless and would require years of processing power to crack, possibly a lifetime or more at current processing abilities.
I specified that end-to-end encryption would be preferable, because that means the data is encrypted on our devices and can’t be decrypted by the company/provider we’re using. That also means that the data would be useless to the company we give it to. This is where the big players come to hate that idea. Google, Facebook, Twitter, etc. all depend on the data we give them and monetize that data as much as they can. So, getting a bunch of useless data they can’t view is something they wouldn’t want. The same is true for government and law enforcement, to an extent.
The government takes the stance of not being able to access possible evidence on devices due to encryption. While I understand that frustration and protecting criminals isn’t something I want to do, I believe encryption is a good thing for protecting citizens. We shouldn’t have to be vulnerable to spying and hacking, just to make criminals vulnerable to evidence gathering. A wise man once said “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”
Of course, the alternative solution to end-to-end encryption is just simply encrypting the data on the servers. In this situation the company would have the encryption key and be able to decrypt the data at will. This isn’t ideal because it means the encryption key might also be stolen during a data breach. If that’s the case, then the data might as well have not been encrypted at all. The downside to end-to-end encryption is account recovery, though. If you were to forget your password and/or lose your encryption key, you wouldn’t be able to recover your account. At least not in any meaningful way. All your previous data would be unrecoverable. So end-to-end encryption brings with it new problems, but mostly problems with users forgetting their password/login. You should be using a password manager already to prevent that, so I think that’s a valid trade-off. Protect my data from being stolen and misused, but if I forget my login then I also lose the account.
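The two storage models compared above, as an added example that is not part of the original post: it encrypts the same record once with a key the provider stores and once with a key derived on the device from a password, then checks what a copy of the provider's storage reveals and what happens when the password is forgotten. The function names, the sample record and the passwords are constructed for illustration; it uses Node.js's built-in crypto module.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM; blob layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Returns the plaintext, or null if the key is wrong or the blob was altered.
function unseal(key, blob) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

const RECORD = 'name=Jane Example; card=0000-0000-0000-0000'; // constructed sample

// Server-side encryption: the provider creates the key and stores it too.
function serverSideStore() {
  const key = nodeCrypto.randomBytes(32);
  return { key, blob: seal(key, RECORD) };
}

// End-to-end: the key is derived on the device from the password (scrypt);
// only the salt and the ciphertext are ever uploaded.
function e2eStore(password) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(password, salt, 32);
  return { salt, blob: seal(key, RECORD) };
}

// What a complete copy of the provider's storage lets its holder read.
function readableFromDump(store) {
  return store.key ? unseal(store.key, store.blob) : null;
}

// What the account owner gets back when typing a password on the device.
function userOpen(store, password) {
  return unseal(nodeCrypto.scryptSync(password, store.salt, 32), store.blob);
}
```

In the end-to-end case a stolen copy still contains the salt and ciphertext, so the protection is only as strong as the password; that is why the key comes from a slow, salted KDF rather than a plain hash.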
This brings me to the inspiration of this blog post. Recently the Trump administration had a meeting to discuss encryption. The government running the land of the free is discussing the possibility of removing our ability to secure our data and protect ourselves. They want to ask Congress to make end-to-end encryption illegal. Again, I state that the citizens shouldn’t have to be vulnerable just to make sure the criminals are vulnerable. Guess what criminals don’t care about… breaking the law. So what happens when end-to-end encryption becomes illegal? The citizens are left vulnerable and the criminals break the law by using end-to-end encryption to protect themselves. We would essentially make the law-abiding people in this country more vulnerable, while the smart criminals laugh at the law and protect themselves.
So why would the government even be considering this? There are a couple of reasons, I believe.
- End-to-end encryption basically makes it impossible to perform mass surveillance. This would require the government to actually identify and target criminals & terrorists if they wanted to spy on them. Would that be such a bad thing?
- It can hinder a criminal investigation. If law enforcement isn’t able to access a criminal’s device, they might not have access to some of the evidence to use in prosecuting the individual. At the same time, there have been multiple cases dropped when the defense asked for information on the devices used to gather data and how they work, simply because law enforcement doesn’t want to reveal their methods or have signed non-disclosure agreements with the private companies that developed the tools. So then, if they’d rather let a criminal go free than reveal what they’re doing, is it really that big of a deal if they can’t access some of the information on a device?
So in conclusion, I think we have to ask ourselves “Would we rather be protected and possibly protect criminals as an unfortunate side effect, or would we rather be vulnerable and let the worst of the criminals protect themselves?” What do you think?
Links from article for convenience:
203 data breaches made public exposing over 6 million records
Trump administration had a meeting to discuss encryption