Get posts like this one in your inbox by signing up for our newsletter.
Yet again, there is at least talk in the United States government of a ban on end-to-end encryption. The premise for such a ban is that certain forms of encryption make it impossible for the FBI, NSA, and other government agencies to do their job properly, as they can’t see the encrypted data even if they obtain a valid search warrant. While that is a problem, it is a much smaller problem than than what banning certain forms of encryption would cause.
Encryption Is Static
The obvious solution would be to somehow let the government have access to encrypted information, but in a way that wouldn’t otherwise weaken the encryption. However, this simply isn’t possible. Once information is encrypted, it can’t be decrypted without the proper key. Or at least, data encrypted with an unbroken and secure cipher cannot be decrypted without having the proper key. Some vulnerabilities have been found in older ciphers that make them more susceptible to attacks, but those aren’t (or at least shouldn’t be) used anymore. There isn’t a way for just the government to be able to crack encryption because encryption isn’t like a computer program.
Once information is encrypted, the key doesn’t change, and it can’t magically know whether an attacker is the government with a search warrant or any other hacker on earth. In other words, it’s just like any other lock; it doesn’t know who’s trying to open it, only if the key is correct or not. Making it so the government can crack encryption makes it so anyone can crack encryption, and there’s currently no good way around that shortcoming. The entire point of encryption is to ensure confidentiality is never broken. Building on the lock analogy, there can be multiple encryption keys for a piece of data. But, the more keys there are, the less secure the lock becomes.
End to End Encryption
The particular form of encryption in question is end-to-end encryption, often used in messaging apps(e.g. iMessage App). This form of encryption ensures no unauthorized entity, including the company hosting the messaging service, can see the message being sent.The only people capable of reading the message in it’s non-encrypted form are the sender and receiver of a message. Luckily, modern end-to-end encryption works completely in the background without the user ever needing to know how it works. But, knowing how it works can’t hurt.
The simplest way to send an end to end encrypted message is by using an asymmetric cipher, like RSA. There are two keys generated on each device: a private key and a public key. The public key can only be used to encrypt data, while the private key can only decrypt data encrypted with the public key (or the other way around; data encrypted with the private key can be decrypted with the public key).
Since the public key can only be used to encrypt messages, it can be safely uploaded anywhere on the internet. Should a person want to securely send a message to someone, they simply retrieve the public key, and use that to encrypt the message. The message is then sent over the internet in its encrypted form until it reaches the recipient. The recipient, being the only person on earth with their private key, can then decrypt and read the message. At no point is any sensitive information sent over the internet, and even if a hacker captures all data going in and out of both devices, the message is safe. And that is where the problem is: no one on earth except the recipient can decrypt the message (including the government). The sender knows what was sent because they have a copy of the message before it was encrypted in the first place.
Encryption Isn’t Only For Terrorists
Terrorists do use end-to-end encryption to hide their intent from government agencies, and that’s a very unfortunate side effect. However, it is also a useful tool for journalists reporting from within authoritarian regimes, and potentially the general public in a government where opposition to the ruler can get you killed. Even for the average user, it’s nice to know that your messages aren’t in the hands of a company which can potentially sell them to anyone who’s willing to pay enough.
What about other forms of encryption?
As end-to-end encryption isn’t the only form of encryption out there, you may be wondering why there isn’t as much of a problem with other forms of encryption. Well, end-to-end encryption is the only encryption scheme in which only the sender and recipient know the encrypted information. In nearly all other encryption methods, the server facilitating the communication stores the data in a way it can decrypt.
For example, imagine a “normal”, non end-to-end encrypted chat app such as Google Hangouts. When you send a message, it gets encrypted between you and the server, where it is then decrypted. The recipient then establishes a secure connection to that server, and gets the message. Although the server’s hard drive (or SSD) may be encrypted, Google knows the key to it. That means that not only can Google access it for their own use, but they can also hand it over to the government if necessary. However, as it’s stored in a way Google can decrypt, it also means someone who hacks into their servers can decrypt.
There Currently Is No Solution
Banning encryption will cause problems, leaving it as it is will cause problems, and a measure in between will also result in problems. There is a legitimate purpose for the government being able to access encrypted data, but there is also a legitimate purpose for hiding information from all entities (e.g. journalists in authoritarian regimes), including the government. As more and more information gets encrypted with ever stronger methods, a time may come when encryption must be regulated. But, I don’t think that time has come just yet.