Banning encryption: why is it a poor idea?
Last year, leaks from the Council of the European Union revealed that the European Union was (again) considering banning encryption. More recently, the Belgian government planned to enact an oppressive surveillance law. It wanted to force systems operators using end-to-end encryption to “disable” a particular user’s encryption upon request from the authorities. Fifty organizations and cybersecurity experts, including Mailfence, managed to defeat this bill. Is banning encryption the way to go? Here’s our expert opinion.
What is encryption?
Encryption is a technique used to protect data. It aims to prevent the information exchanged from being intercepted by third parties. The authors of the exchanges thus preserve the confidentiality of their conversations thanks to end-to-end encryption.
Encryption scrambles messages using Mathematical functions (an algorithm) and components (a key). This mathematical component or key can take several forms. For instance, a word or a sentence, or coding in a binary format (the most commonly used method today). There is a distinction between symmetric encryption, where the same keyword helps to encrypt and decrypt a message, and asymmetric encryption, where two keys serve, one (called the public key) to encrypt the message, and the second (the private key) to decrypt it.
How widespread is encryption?
Secrets have probably always existed, and the need to “encode” sensitive information is ancient. Long before antiquity, people used more or less elaborate encryption methods to hide information related to military operations.
The most famous example is the Enigma machine, used by the Nazis to encrypt their radio communications. Vaguely resembling a typewriter, it was capable of producing complex coding. Typing in a letter triggered the lighting of a light bulb designating the replacement letter to be used. But it also moved rotors, meaning that typing in the next letter did not follow the same coding system. Several years and the cooperation of several intelligence agencies were necessary for cracking it.
Encryption became a necessity in 2013, after the revelations of whistleblower Edward Snowden. Indeed, he revealed the extent of the global surveillance of the “Five Eyes” network.
These revelations shocked the public and had profound implications. People became suddenly aware of some countries’ mass spying practices. At the same time, the growth of cyber threats has strengthened the need to protect users’ data against hacking attacks.
Major Internet firms have gradually embraced end-to-end encryption to protect their users’ data and provide greater security.
However, after the wave of terrorist attacks in 2015 and 2016, the inability of government agencies to decipher some messages generated frustration among investigators.
They claim that encryption can be used by terrorists to conceal their communications in the operational setting of their misdeeds. Many politicians have therefore advocated a ban on encryption. They argued that removing encryption would strip terrorists, criminals, and other dangerous offenders such as paedophiles of a tool of choice to conceal their agenda.
Should we ban encryption?
Encryption is mathematical, it is impossible to ban it
Modern data encryption is based on techniques borrowed from mathematics. Even if they are sophisticated techniques, they are still techniques that follow logical laws, rather than the product of a true invention. Encryption algorithms are usually not patented (except very few), they don’t belong to anyone, and anyone can implement them.
As a consequence, banning encryption is a futile idea, just as banning another mathematical principle would be. We can’t ban Einstein’s law of relativity, for example.
And of course, terrorists, whose primary goal is not to comply with the law, would probably not hesitate to defy this ban. Just as they illegally obtain weapons, they would illegally use encryption. They don’t even need existing messaging services: they can decide to encode their messages themselves, using algorithms.
In the end, such a ban would only have disadvantages. It would not make the task of terrorists any harder, while massively exposing the data of law-abiding citizens to the greed of hackers.
Encryption is no more helpful to terrorism than pressure cookers
Moreover, terrorists do not always use encryption. This was revealed by analyses of the cell phones of terrorists killed or arrested during the raids carried out in France and Belgium.
These analyses have shown that they communicated by coded phrases, or in little-known dialects, and even with improbable devices (PlayStation…)., but did no use encryption.
Banning encryption would not have prevented terrorists from carrying out these attacks. Just as banning the sale of assault rifles in shops did not prevent terrorists from obtaining those weapons.
And if so, should we also ban the release of YouTube videos, a channel that also served the terrorists to recruit new members? Should we ban the sale of pressure cookers, used to make explosive devices? What about the sale of any other service or item of ordinary life that played a role in these attacks?
Banning encryption would be a terrible idea
Banning encryption would undermine online commerce
The record of our entire life history is increasingly registered online. We depend more and more on Internet and create large amounts of online data. In recent years, data leaks have become one of the biggest cybersecurity threats.
This is why encryption techniques have become commonplace on the Internet. Nowadays, most websites have adopted the HTTPS (HyperText Transfer Protocol Secure) protocol. When you fill out an order form from a secure website with this protocol, you can be sure that your data remain private.
This is especially important to protect login and payment information from identity theft and data theft. Without encryption, a would-be hacker can easily impersonate you to make purchases in your name or worse, empty your bank account, for example.
In addition, the need for encryption has increased with the widespread use of mobile devices. Nowadays, people want to be able to connect to Internet wherever they are, even in unsecured public places. Connecting to sites with encryption reduces the risk of hacking on these networks.
So banning encryption is tantamount to removing that protection, and would jeopardize the tremendous global economic growth that has come with the rise of the Internet. In other words, it’s just not realistic. On the contrary, we need to improve the security of our online data to help our economy grow.
Banning encryption would undermine democracy
More generally, maintaining the privacy of our communications is a fundamental right. Just as we have the right to have a private conversation with anyone face-to-face, we should have the right to enjoy the same privacy for our online communications.
Encryption is also necessary to maintain the confidentiality essential to lawyers, doctors, journalists, the military and all businesses exposed to serious competition. It also allows us to express ourselves freely with our loved ones without having to fear anyone questioning our words.
To give up this right is to give up online privacy. It means accepting to make public a condition that you suffer from, and that you and your doctor were until now the only ones to know about. It would allow a third party, often unknown to you, to know your sexual orientation or fantasies, or the details of an important contract you have just signed with a client.
In several authoritarian countries, the very same Internet technologies that helped dissidents spread their message for more democracy, might as well silence or arrest those same dissidents if there was no encryption.
Banning encryption would actually help hackers and terrorists
These days, geopolitical conflicts are also settled online. Some major powers do not hesitate to exploit the digital vulnerabilities of their enemies.
In some countries, governments maintain hacker brigades to crack the accounts of citizens of opposing nations. Recently, the FBI claimed that nearly 50 percent of U.S. citizens had already fallen victim to data theft assumed to be carried out by state-sponsored APT.
The servers of companies that fail to secure their email have also become the target of choice for hackers hoping to extort a ransom. Some of these companies never recover from these attacks that put them out of business.
These hacks are a new form of terrorism. So, ironically, rather than preventing terrorism, a ban on encryption would tend to reinforce it. Indeed, there would be an explosion of such threats.
Creating a backdoor will never work
Recognizing that the confidentiality of communications is essential, some governments are proposing not to ban encryption. Instead, they are proposing to force Internet companies to create a “backdoor”. This would enable law enforcement agencies to access the data exchanged by certain people suspected of engaging in terrorist or criminal activities (paedophiles, in particular).
Unfortunately, this is technically impractical. It is impossible to remove the protection offered by encryption just for the benefit of government authorities. Such a “backdoor” would facilitate the work of the police, but also the hacker’s work. It would simply be impossible for law enforcement agencies to maintain secrecy about such a sesame. The power and opportunities for easy enrichment that it would confer on its bearer would be such that sooner or later the master key used by law enforcement agencies would fall into the wrong hands.
It would therefore be all activities on Internet that would be made vulnerable by this weakening of global encryption.
Just as researcher and venture capitalist Benedict Evans said about the proposal to create a backdoor in the encryption systems of online services,
“Asking tech companies to create ‘secure encryption that the police can read’ is like asking General Motors to invent gasoline that doesn’t burn. You can ask, sure. But you can’t have it.”
Other tools such as digital signatures can complete encryption in terms of security and privacy.
At Mailfence, we believe that protecting your privacy is a fundamental right. Online privacy is one of our core values, and it has been instrumental in the design of our private and secure email suite.
We have never created backdoors or hidden access for governments, and we never will. Our users are the only ones who can read their emails. That’s why many journalists and dissidents choose our services for sensitive communications.
Is your privacy one of your concerns? Sign up for a free Mailfence account now. Our email suite integrates tools like contact management, calendars, document management, group management, meeting scheduler and even a chat. Most of all, you’ll immediately regain control of your online privacy.
Follow us on twitter/reddit and keep yourself posted at all times.
– Mailfence Team
Patrick is the co-founder of Mailfence. He’s been a serial entrepreneur and startup investor since 1994 and launched several pioneering internet companies such as Allmansland, IP Netvertising or Express.be. He is a strong believer and advocate of encryption and privacy. You can follow @pdeschutter on Twitter and LinkedIn.