Privacy vs. Encryption
January 28 is Data Privacy Day (DPD), an annual international effort to promote data privacy awareness and education. This year’s DPD events, sponsored by the National Cyber Security Alliance (NCSA), focus around the theme, A New Era in Privacy. Learn more at NCSA. In this blog, Zscaler CISO Bil Harmer discusses how the expanded use of encryption has been great for privacy, but efforts to create a “backdoor” for governments and law enforcement could have dire consequences.
The amount of encrypted traffic online has grown exponentially. This growth has occurred in the wake of the Snowden revelations, as well as the continuous stream of stories about corporate data leaks and hacks. As a response to these events, there has been a massive trend toward internet properties having encryption by default. Zscaler has seen this trend firsthand: we’re already at a point where about 70 percent of the internet traffic that Zscaler handles is encrypted.
Now, no one, least of all those of us at Zscaler, would argue that encryption isn’t beneficial. But we should acknowledge that this move towards default encryption is a major change, and while it’s a great thing for privacy, it’s a real challenge for enterprise and governmental security.
Traditionally, encryption was only used for very specific documents or particularly sensitive pages, like those with logins, to secure passwords. But Snowden really did upend this paradigm, as enterprises and individuals everywhere realized that the U.S. government was actively monitoring their online activity.
The realization of this fact has led to our current situation, in which those working in security within the government are now butting heads with tech giants like Apple and Google, who are trying to meet the demands of their customers by expanding encryption and making their data more private. While older encryption systems like the Data Encryption Standard (DES) can be broken relatively easily, it’s now become possible for any business to use incredibly strong encryption like the Advanced Encryption Standard (AES). Governments worldwide are now recognizing they can’t break these encryption products easily—if at all.
During the FBI’s investigation of a mass shooting in San Bernardino a few years ago, Apple garnered headlines by refusing to write and sign code that would allow the FBI to open up the suspect’s device for governmental review. While the FBI eventually said they found a way into his device without Apple’s assistance, numerous officials made public claims that encryption could be weakened in a way that would only benefit the security agencies trying to protect the public.
Unfortunately, this just isn’t true. Once security and encryption are weakened, they’re weakened for everybody and there’s no way to prevent the proverbial bad guys from going through the same doors as the good guys. And we’ve even seen that the NSA itself was hacked, which shows that no one is invulnerable to an attack.
Be Careful What You Wish For
Additionally, creating such a backdoor begs the question of just who the “good guys” are. The U.S.’s international allies are relatively stable but selecting which foreign countries would be able to access this backdoor and which wouldn’t is likely to lead to a convoluted mess that could strain relations.
Thus, if government security agencies were seeking my advice, based on my experience, I’d tell them to be careful what they wish for. Enterprise cybersecurity and opening up backdoors to encryption isn’t like securing a house with a lock to which there’s just one key. Rather, it’s like losing that key and having no idea how many copies of it are floating out there.
If companies open up their encryption systems to the U.S. government, they’ll have a hard time arguing that they can’t or shouldn’t do the same for the governments of the other countries they do business in. In many cases, this would be counter to the interests of the security of the U.S. and the very protections the security agencies are trying to enact.
Of course, the U.S. government could play the ultimate hand, forbidding businesses from operating in a country if it doesn’t make such backdoors and data available. But the ramifications of such a policy wouldn’t just fall on individual companies. It would profoundly affect the economy as a whole.
Allowing governments to force backdoors for encryption is a Pandora’s Box that I think is way too complicated to pursue. It’s in the best interests of both the government and enterprises to allow privacy and encryption protections to stay in place.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Bil Harmer is Zscaler CISO, Americas