
The Privacy Advisor | Encryption's essential, but how do we push it forward?


In practice, security and privacy must work together to technically achieve the protection of sensitive data. A conflict arises between the two when the definitions narrow: when "information privacy" is viewed as the practice of ensuring that data use is limited to a chosen, identified, and authorized format, and "security" is seen in the context of state or state-sponsored actor surveillance activities intended to uncover intentionally hidden communication. The tool most used to meet the needs of both modern-day privacy and security? Encryption.

Is it impossible to meet the needs of governments, corporations and individuals all at once? Not if we can step back and keep a rational view on the topic. Encryption is important to protecting privacy in the digital age. The trends in corporate responsibility appear to be positive, as seen in a report published by the Accenture Institute in January 2016. According to a survey of 600 global business professionals, 90 percent claim that “digital stewardship is the most important principle” when it comes to building and keeping a positive reputation and managing sensitive data. In order to survive the current contentious, complicated and ever-changing environment, the Accenture Institute report recommends that companies adhere to five principles. The principles include:

Digital stewardship: protecting the data that they have and making this a differentiator.

Digital transparency: being completely open with how the data collected is used.

Digital empowerment: letting consumers of their services have better control of their own data.

Digital equity: giving benefits to consumers in exchange for their data.

Digital inclusion: “using personal data to multiply positive societal outcomes.”

If companies could take this standpoint and truly execute on data protection standards, then the government might relax its constant push for such rigorous enforcement.

Some have said that perhaps the solution is not to regulate how encryption is used and/or managed, but rather to invest time and resources in staying ahead of the actors who would find ways around the regulated software (e.g. by using a tool that is hosted outside the US under less restrictive encryption laws).

Others (like Verizon’s general counsel Craig Silliman) suggest that partnering globally amongst governments to help counter transnational threats will help. Silliman stated: "I think we live in a world where we need to talk a little more openly and say: 'If you have transnational threats, transnational networks, national security organisations are going to work together, and that's going to be known and recognised publicly.' And let's talk then about what are the legal regimes to effectuate that they actually work together, not by reaching into each other's jurisdiction from one country to another."

In other efforts, closing down access to cryptocurrencies like Bitcoin may help make access to funding for terrorist efforts much more difficult. The key to trading in cryptocurrencies is that it can be done anonymously, which in turn makes it very easy to hide money transfers.

An old-fashioned approach, apparently already used by the NSA, uses other techniques to understand how people intersect. For example, looking at email patterns can tell a great deal about how you as an individual interact with others and how often. This type of information can be gleaned from computer application logs without ever reading the content of emails. Much like email patterns, the metadata (data about data) that tools leave behind as they are being used is another way to combat whichever encryption technique is employed. Furthermore, if you can follow this metadata to its original source before it is encrypted, you can oftentimes break into the source itself and read the decrypted information.

In 2013, Richard Clarke, former national coordinator for security, infrastructure protection and counter-terrorism for the U.S., and a group of industry experts were tasked by President Barack Obama to report out on intelligence and communications technologies. Their observations included the following:

"Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy. Users of encryption must be confident, and justifiably confident, that only those people they designate can decrypt their data.

Recommendation 29: We recommend that, regarding encryption, the U.S. government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage."

An exciting development that might solve much of the “who owns the keys” discussion can be seen in, of all things, a patent. IBM holds a patent on what they call “homomorphic encryption” (HE), which allows encrypted data to be processed without having to decrypt it first. The way HE works is that, rather than applying a decryption key to data, one applies straightforward math to read the underlying data. A program using this technology can work on the encrypted data directly to get done what is needed. The part that benefits privacy advocates is that the data never has to be decrypted as it is processed, and so is not as open to implementation errors or attacks.
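The idea of processing data that stays encrypted, as an added example (not from the article, and not IBM's patented scheme): it uses textbook Paillier, which supports addition and scaling only, with demo-sized primes. All function names are this example's own.

```python
# Added illustration: textbook Paillier, an additively homomorphic scheme.
# Demo-sized primes only; real use needs a vetted library and 2048-bit+ moduli.
import math
import secrets

P = 2**31 - 1   # Mersenne primes, chosen only because they are easy to recognise
Q = 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)        # valid because the generator is g = n + 1
    return n, (lam, mu)         # public modulus, private key

def encrypt(n, m):
    """Probabilistic encryption: c = (1+n)^m * r^n mod n^2."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def encrypted_sum(n, ciphertexts):
    """Run by the party WITHOUT the key: multiplying ciphertexts adds plaintexts."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def encrypted_scale(n, c, k):
    """Multiply the hidden plaintext by a public constant k."""
    return pow(c, k, n * n)

if __name__ == "__main__":
    n, priv = keygen()
    readings = [1200, 3400, 560]                  # constructed sample values
    blobs = [encrypt(n, v) for v in readings]     # data owner encrypts
    total = encrypted_sum(n, blobs)               # processor never sees plaintext
    print(decrypt(n, priv, total))                # only the key holder reads the result
```

Only the holder of `priv` can read the total; the processing side works with `n` and ciphertexts alone.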

Truly revealing is that there are publicly known methods that can be used to try to extract the information that the FBI recently pursued from Apple. Three discussed are: using small fluctuations in power consumption and radio frequency as the phone is powered up and turned off (which helps to guess the passcode); resetting the counter on the phone so that the phone will allow for an unlimited number of attempts to test the passcode; and disassembling the chip where the encryption keys are stored so they can be read by a special microscope. None of these methods is cheap and all take time, but so does fighting Apple in court over the court order, and they are possible, not just speculative. These options encourage future consideration, in similar cases, of approaches where the encryption product can stay safely intact while key information is sought via other methods.

Throughout history, the intersection of the law, privacy and security through technical means like encryption has been complex. There have been proposals, studies, suggested legislation, technical implementations, successes, failures and endless discussion, but no easy answer to meet all concerns. With all the analysis that has taken place, the common themes are:

1) Regulation of encryption alone is not the answer. Attempting to put legal measures in place has not proven easy or valuable in the past, and current export restrictions are showing the difficulty in monitoring compliance. However, what might be helpful is to pass a federal law that requires encryption be put into place at the corporate level to protect private data. This would eliminate the variety of state laws being passed and would provide teeth for the FTC, which wants to enforce good practices.

2) Centralized control of encryption keys is also not the answer, as implementing a feasible solution is a challenge for any one organization to attempt, not to mention that it makes that organization a large target. What may help with this issue is partnering with the general cryptography community to provide education to both corporations and auditors to ensure that the encryption employed is implemented properly.

3) Global tensions cannot be relieved if the U.S. does not take meaningful actions to increase trust, which will continue to make doing business outside the U.S. for U.S. companies difficult. Partnering with other global law enforcement and maintaining or eliminating the export laws may help businesses sell tools as well as have law enforcement catch criminals worldwide.

The resources needed (e.g. industry experts, political supporters, and other government players) all seem to be eager to do something. Leadership is desperately needed to dig in and take charge of the process.

The most difficult part of solving this issue seems to be getting started. 
