In IDG’s CIO magazine (17 July 2018): Wickr, Linux Australia, Twilio sign open letter against govt’s encryption crackdown ‘mistake’. Not just those few, though, 76 companies and organisations signed that letter.
Learning Lessons
Encryption is critical to the whole “online thing” working, both for individuals as well as companies. Let’s look back at history:
- In most countries’ postal legislation, there’s a law against the Post Office opening letters and packages.
- Similarly, a bit later, telephone lines couldn’t get tapped unless there’s a very specific court order.
This was not just a nice gesture or convenience. It was critical for
- trusting these new communication systems and their facilitating companies, and
- enabling people to communicate at greater distances and do business that way, or arrange other matters.
Those things don’t work if there are third parties looking or listening in, and it really doesn’t matter who or what the third party is. Today’s online environment is really not that different.
Various governments have tried to nobble encryption at various points over the past few decades: from trying to ban encryption outright, to requiring super keys in escrow, to exploiting (and possibly creating) weaknesses in encryption mechanisms. The latter in particular is very damaging, because it’s so arrogant: the whole premise becomes that “your people” are the only bright ones that can figure out and exploit the weakness. Such presumptions are always wrong, even if there is no public proof. A business or criminal organisation who figures it out can make good use of it for their own purposes, provided they keep quiet about it. And companies are, ironically, must better than governments at keeping secrets.
Best Practice
Apps and web sites, and facilitating infrastructures, should live by the following basic rules:
- First and foremost, get people on staff or externally who really understand encryption and privacy. Yes, geeks.
- Use proper and current encryption and signature mechanisms, without shortcuts. A good algorithm incorrectly utilised is not secure.
- Only ask for and store data you really need, nothing else.
- Be selective with collecting metadata (including logging, third party site plugins, advertising, etc). It can easily be a privacy intrusion and also have security consequences.
- Only retain data as per your actual needs (and legal requirements), no longer.
- When acting as an intermediary, design for end-to-end encryption with servers merely passing on the encrypted data.
Most of these aspects interact. For example: if you just pass on encrypted data, but meanwhile collect and store an excess of metadata, you’re not actually delivering a secure environment. On the other hand, by not having data, or keys, or metadata, you’ll be neither a target for criminals, nor have anything to hand over to a government.
See also our earlier post on Keeping Data Secure.
But what about criminals?
Would you, when following these guidelines, enable criminals? Hardly. The proper technology is available anyway, and criminal elements who are not technically capable can hire that knowledge and skill to assist them. Fact is, some smart people “go to the dark side” (for reasons of money, ego, or whatever else). You don’t have to presume that your service or app is the one thing that enables these people. It’s just not. Which is another reason why these government “initiatives” are folly: they’ll fail at their intended objective, while at the same time impairing and limiting general use of essential security mechanisms. Governments themselves could do much better by hiring and listening to people who understand these matters.