Your Guide to the Encryption Debate
This security technology could soon be back in the news. Here's what you need to know.
Encryption could soon become part of national debates over consumer issues ranging from data breaches to the safety of connected cars.
Not long ago, it was the sort of thing that only bankers, spies, and military leaders worried about. But, in today's digital world, encryption has become part of our everyday lives, protecting our ability to shop online, book flights, and hold private conversations.
According to Mozilla, the open-internet advocacy group that created the Firefox browser, 49.5 percent of global web traffic is now encrypted—an increase of more than 10 percent in one year.
While security experts applaud that progress, they'd like to see even more encryption, to cut down on data breaches, identity theft, and the sort of hacks that could perhaps threaten the nation's power plants.
But not everyone views encryption as a force for good. For law enforcement officials, it's also a tool that allows thieves and terrorists to escape detection.
With a new administration in the White House, one vocal about fighting crime and stamping out terrorism, the debate over encryption's merits may soon surface once again.
Encryption may be central to many everyday transactions, but the issues can be tough to follow. Here’s your cheat sheet.
What Is It?
Encryption scrambles information—as it moves over the internet or while it's stored on a device—rendering it useless to thieves. Only those with access to a secure key get to view the contents.
It’s like putting virtual walls around your digital life, says Bill Anderson, CEO of the security firm OptioLabs. Without those walls, you leave yourself open to snooping from criminals, digital marketers, and others.
“Your digital footprint is a big open space,” he says. “Just because people can’t see that space and how open it is, that doesn’t mean it isn’t there.”
Encryption burst into everyday conversation in February 2016, when Apple fought demands that the company help the FBI access information on a locked and encrypted iPhone. The device had been used by one of the attackers in the San Bernardino, Calif., shootings.
The agency eventually found another way to break into the phone, and the national conversation moved on. But encryption has only become more widespread since then—along with concerns over both terrorism and consumer privacy protections.
The new U.S. attorney general, Jeff Sessions, said during his confirmation hearings last month that it’s critical for investigators to have the tools to “overcome” encryption. Such statements worry security professionals charged with protecting everything from military databases to consumers’ financial and medical data.
How Is Encryption Used?
You see the signs of encryption whenever a little green lock pops up at the beginning of a web address, next to the characters "https://."
On retail sites, it assures consumers that their account numbers, passwords, and other sensitive data are being encrypted. Email providers, social media sites, and other websites use the lock to indicate that communications with them are protected.
ATMs and banking apps rely on encryption. And millions of people employ encrypted messaging services such as iMessage, WhatsApp, and Signal to protect their communications with family, friends, and other contacts.
Encryption is also used to create digital signatures that work like a secure identification. If your computer or phone gets a software update, a digital signature ensures that it’s coming from the manufacturer, and not some criminal enterprise.
The spread of encryption is good news for consumers, says Ajay Arora, CEO of the data security firm Vera. It shows that companies are protecting a wider array of online information. "We're entering new ground here," he says. "Encryption is no longer in the realm of geekdom or the government."
If I See the Little Lock, Is My Data Safe?
Sort of. Your data is encrypted in transit, but not necessarily when it's sitting on corporate servers. While many companies do encrypt stored data, the practice is far from standard.
A survey of 1,700 IT managers conducted last year by the cybersecurity firm Sophos found that just 44 percent of organizations around the world are “making extensive use of encryption to secure their data.” In addition, 31 percent of those surveyed said they don’t always encrypt financial information and one-fourth admitted to not always encrypting customer payment details.
And, increasingly, consumers are generating streams of data that they may know nothing about. Connected “internet of things” products—which span everything from electronic locks to webcams, cars, and fitness devices—transmit lots of personal information across the web. Such data should be encrypted, Lance Cottrell, chief scientist at the cybersecurity firm Ntrepid, says. But often it’s not.
Finally, none of this helps if an attacker uses real user IDs and passwords to access consumer data. The breach of the U.S. Office of Personnel Management, which compromised the personal information of millions of government workers and private citizens, is thought to have originated with the theft of legitimate credentials.
Why Is There a Debate?
While few would dispute the benefits of encryption, some people argue that it’s dangerous, giving the bad guys of the world an invisible form of communication.
Many of the best-known examples involve smartphones—the San Bernardino incident was just one of these. In a widely reported case in Baton Rouge, La., police officials hoped that information stored on an iPhone owned by 29-year-old Brittney Mills, who was gunned down in her home in April 2015, could provide clues to who murdered her. In October 2016, the FBI said that it was trying to access another phone as it investigated stabbings in Minnesota. And in November, Manhattan District Attorney Cyrus Vance said that passwords and encryption were blocking access to 420 Apple devices involved in his office's criminal investigations.
Responding to such concerns, Senators Dianne Feinstein of California and Richard Burr of North Carolina introduced draft legislation last spring requiring tech companies to provide methods for investigators armed with search warrants to access encrypted data.
But that’s easier to mandate than to accomplish. Security researchers interviewed by Consumer Reports warn that such “back doors” into encrypted material would likely be exploited by criminals and enemy states.
Hackers find bugs in software all the time that allow them to access things they shouldn’t, Cottrell says. A back door would amount to a flaw in encryption, giving hackers “an amazing target,” while eroding consumer confidence in many products and services. “Pretty soon, most cars will be receiving updates over the internet,” he says. “Without encryption, would you trust that?”
Are 'Back Doors' Coming?
Proposals for encryption back doors have receded for now.
The Feinstein-Burr legislation failed to gain traction last year. And a December report by a bipartisan working group set up by the House Judiciary Committee concluded that encryption is too important to mess with.
“Congress should not weaken this vital technology because doing so works against the national interest,” the report stated. But it added that the law enforcement and intelligence communities have “legitimate concerns” about encryption that should be tackled in cooperation with the tech industry.
The new administration has not yet weighed in. However, then-candidate Donald Trump called for a boycott of Apple during the San Bernardino investigation last spring, and FBI Director James Comey has repeatedly warned that encryption is a tool that benefits criminals and terrorists.
Concerns about the future of encryption were a topic of conversation during the RSA cybersecurity conference held in San Francisco in mid-February. Ronald Rivest, an MIT professor and leading cryptographer, praised the Congressional report during a panel discussion, saying “its conclusions are in the right direction.”
However, he said, the attorney general’s statements about wanting methods to bypass data protections worried him. “Overcoming encryption, to me, means they want a back door.”