Is privacy the price we must pay for safety?

By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal on Nov. 27, 2015

Encryption. Should we or shouldn’t we? Privacy. Yes or no?

With the backdrop of carnage in Paris, politicians, law enforcement and intelligence agencies have been kicking each other with a wave of knee-jerk reactions and proposals.

It’s unseemly to me when law enforcement officials complain that the criminals don’t play fair because they try to hide their criminal intent. But that is the argument being made when we talk about the dangers of encrypted email, texts and other communications.

Security analysts, white-hat hackers and others have long been arguing that criminals, hackers, cybercrime rings, and state-sponsored actors were smarter, more organized and more dedicated than we are. The fact that terrorists have figured out that using encrypted texts is a good idea is just one more brick in that wall.

In fact, there’s no hard evidence that the Paris terrorists did use encryption -- or at least not exclusively -- and some current reports indicate that investigators found unencrypted maps, plans and texts on cell phones.

Still that won’t stop the overheated cries for more control and access by law enforcement, even as the NSA “transitions” from it’s illegal massive collection of data from US citizens phone records.

The FBI and NSA want backdoor access to technology providers’ hardware and software. Apple, Google and Facebook have vigorously resisted this and last spring urged President Obama to resist efforts to require US technology companies to utilize only encryption technologies with an available backdoor for law enforcement access. Apple’s mobile operating systems iOS 8 and greater have no such access - even under subpoena, Apple would be unable to access a user’s email or texts.

Backdoor systems create inherently insecure environments that can be exploited by cybercriminals, hackers and even terrorists.

The big question about encryption is not the hand-wringing concern that terrorists use it, but the question of why more of us don’t.

Every day, sensitive information is exchanged between your employees, your clients, your partners, and your customers. Adding a disclaimer at the bottom of your email does little to protect information ranging from credit card numbers to banking information, proprietary business plans, competition analysis, investor data and more from being compromised.

The answer is encryption. The key to encryption is that both you and your receiver have to be on the same page. In public key encryption, two keys are used - the key used to encrypt the message that is known to the creator and the private key used to decrypt the message that is known to the receiver. That end-to-end encryption is very secure.

Because encryption itself can seem daunting for small businesses to implement, many service providers have done the heavy lifting for you.

Mobile apps like Telegram, WhatsApp and Signal support encrypted messaging and, for Signal users, secure phone calls.

For desktop users, there are browser plugins for users of webmail to encrypt selected messages and more advanced tools that layer over your mail application of choice. A good look at a few versions can be found here.

If you use cloud-based file storage services like Dropbox, ask three questions to determine how secure your documents are: how are my files protected when they are “at rest”, how are they protected in transit and does the service provider have access to your files? Dropbox, for example, uses 256-bit AES encryption (that’s good) to protect files on their servers. When you share a file with someone - either through an http link or in-app sharing with another Dropbox user, TLS encryption is used (also good). But while the company’s policy is not to access user accounts, it admits that a handful of people have that capability to “comply with legal requirements” like subpeonas.

We should expect to hear more about the evils of encryption in the weeks and months to come. Most tech analysts see this as a distraction and a red herring. We should have more security, not less. We should seek out and lock down the cracks that syndicates and state-supported cybercriminals can use to get into our communication systems, not open them up even further.