This article has been written by Aarushi Chopra, who has opted for a Test Prep Course for Cracking Certified Information Privacy Manager (CIPM) Exam at Skill Arbitrage, and has been edited by Shashwat Kaushik.
Encryption and cryptography
Encryption refers to the scrambling of data so that only authorised parties can decipher it. Technically speaking, it is the process of changing plaintext (readable by humans) into ciphertext (incomprehensible text), so that readable data appears random. Only those who know the correct password can decode it and view the data. This way, data is concealed from those for whom it is not intended, even from those who are able to see the encrypted data. As a result, even data protected with a simple tool and a password can take years to crack.
The purpose of encryption, in addition to maintaining the confidentiality of data, is that it can further authenticate the data’s origin, ensure the data hasn’t changed since it was sent or been tampered with, and stop the senders from disputing that such an encrypted message was sent by them.
On the other hand, information security is the primary goal of cryptography. Cryptography can therefore be said to be the study of using mathematics to encrypt and decrypt data. Its key objective is to offer straightforward methods for employing encryption and similar techniques to secure and safeguard data and communications. With the help of cryptography, you can store sensitive data, and send it over public networks like the Internet, in a way that only the intended recipient can read.
Why encryption/cryptography shouldn’t be regulated
Trust is one of the biggest factors affecting the internet. Without trust, the internet wouldn’t be a safe place. Accordingly, robust and trustworthy encryption is an important foundational element in promoting trust online. It safeguards billions of people using the Internet from the day-to-day threats constantly posed to their accounts, financial systems, and delicate infrastructure, and from oppressive governments. As a result, we are all less secure without encryption.
In 2016, Apple received a court order from a federal magistrate judge in California, sought by the Federal Bureau of Investigation (FBI), to unlock a phone that belonged to one of the San Bernardino shooters. The mobile device in dispute was encrypted, and because Apple was unable to gain access to the encrypted data contained within the device, the FBI requested a court order. This court order required Apple to develop a special operating system capable of disabling the device’s key security features. Apple opposed the order as unlawful and unconstitutional and further argued that handing over this technology’s keys would mean incorporating a vulnerability into it that could be used by future malicious actors.
A tense standoff between the tech industry and law enforcement developed as a result of the San Bernardino Case. According to law enforcement officials, the encryption used by companies like Apple makes it more difficult for them to solve crimes and thwart terrorist attacks. Tech companies, on the other hand, have retaliated, claiming that encryption is essential for safeguarding user data from hackers.
There is no question that encryption creates difficult investigative problems for law enforcement. However, a solution such as creating backdoors or key recovery systems would set a risky precedent for users’ privacy and fundamental rights, defeating the entire purpose of encryption.
Such backdoors or key recovery systems would create chaos rather than help law enforcement agencies, because criminals could then easily either install alternative software or modify the encryption software to disable the key-recovery features. Additionally, key recovery would turn out to be very expensive. The cost of building, staffing, and upkeep of the key-recovery centres would also need to be covered.
Consequently, a backdoor used by law enforcement to track criminal communications also allows criminals to track any communications through that same backdoor. This is because a tool created for weakening encryption for one purpose further weakens it for all purposes. In this regard, millions of personal, business, and government secrets would all of a sudden be exposed to cybercrime.
International scenario
Nations like the UK and Australia have already introduced laws that force businesses to add backdoors to their encryption.
UK Online Safety Bill of 2021
The UK published the Draft Online Safety Bill in May 2021. According to the Bill, service providers have a responsibility on their platforms to police illegal and harmful content, and those who do not comply would face fines and other penalties. E2EE (End-to-End Encryption) service providers would have to disable or otherwise weaken their encryption if they wanted to adhere to this duty of care. By doing this, service providers would be allowed to monitor user messages without going against the implied duty of care. According to the Joint Committee’s report published on December 14, 2021, E2EE should be incorporated into risk assessments and profiles, advising providers to further identify and mitigate these risks.
Australia Assistance and Access Act of 2018
The Australian government passed the Assistance and Access Act in 2018, which enables law enforcement to compel companies to turn over customer data even if it’s encrypted. Companies will be obligated to develop methods to enable law enforcement to access user data if they lack the ability to intercept encrypted traffic.
However, there are countries like the US that are still analysing the upsides and downsides of regulating encryption. This can be seen in the two US committee reports over the years:
American Cryptographic Policy
Congress requested the National Research Council to investigate the American Cryptographic Policy in 1993. The Council then assembled a 16-person committee. After two years’ worth of work, its 1996 report provided the following:
- Overall, the benefits of wider adoption of cryptography outweigh the costs.
- No law should prohibit the creation, distribution, or utilisation of encryption in the United States.
- Export restrictions on cryptography should be gradually loosened but not abandoned.
The committee members concluded that a ban on unregulated encryption would be “largely unenforceable.”
The Encryption Working Group
On December 20, 2016, the Energy and Commerce and Judiciary Committees of the U.S. House of Representatives jointly released a report on encryption titled “The Encryption Working Group (EWG),” in which they highlighted four key observations concerning encryption:
- It is against the national interest to take any action that weakens encryption.
- The availability of encryption technology is growing and is widespread throughout the world.
- There is no one-size-fits-all solution to the encryption challenge due to the diversity of technologies, stakeholders, and other factors that produce distinctive challenges with regard to encryption and the “going dark” phenomenon.
- Congress needs to encourage collaboration between tech firms and law enforcement.
While several governments have already passed legislation imposing hefty fines for improperly handling consumer data, new legislation is also being passed to weaken encryption, as seen above. Absurdly, the solution, i.e., encryption, is being opposed by the same authorities who are also demanding its use. These two opposing desires create an impossible duality.
In addition, since many of the perpetrators interact with allies in different jurisdictions, encryption solutions would have to be available globally. This would therefore make it possible for any government in the world to spy on any other individual. Naturally, anyone utilising secure encryption would stand out in a world where all commercial encryption allows government backdoor access, making it easier for governments to even detect dissidents alongside such cybercriminals.
Likewise, it only takes one dishonest person (whether a government official, whistleblower, or frustrated worker) to disclose the software decryption keys needed to exploit these backdoors, which would have a disastrous effect on cybersecurity as a whole. A cybercriminal organisation could, unsurprisingly, buy off the appropriate authorities to issue a set of decryption orders. For instance, when the WannaCry ransomware attack occurred, it affected computers globally. This attack was made possible by the NSA’s disclosure of an exploit for several Windows operating system versions.
Notably, malicious actors would continue to adapt to this shifting security ecosystem just like they always have, even if governments were able to permanently degrade encryption and legally forbid the use of non-backdoored encryption globally.
All things considered, governments are striving to eliminate safe encryption because doing so appears to be a straightforward, morally just measure that simplifies the duties of law enforcement. In reality, however, this view is based on ignorance and a failure to understand just how adaptable cybercriminals are, and that removing secure encryption would only be a minor setback to them. It also fails to recognise that weakening encryption eventually helps cybercriminals while further harming free speech, democracy, and the general public.
Conclusion
As a solution, rather than imposing restrictions on the tech companies and demanding that certain kinds of encryption be weakened, banned, or have backdoors, law enforcement should invest in R&D into cutting-edge encryption systems that would permit secure access to law enforcement while still providing the same level of security that makes encryption so alluring.
Accordingly, encryption can serve as a key frontline defence against cyberattacks within the government. To put it another way, encryption should be considered both a crucial tool for national security that can shield our political institutions and critical infrastructure from external attacks and a crucial tool for consumer protection to safeguard digital transactions and free speech. All in all, democracy depends on citizens being able to express their ideas freely without being concerned about being monitored or facing punishment.
Thus, it would be a setback for democracy if legislation around the world restricted the right to use encryption or cryptography.