In a world as globalized as ours and with the pretense of bringing each other closer by disclosing more and more of our information, we tend to overlook the fact that we can see only what it’s meant for us to be seen, meaning by this that there are thousands of information and data kept hidden from us through different mechanisms, one of them being encryption. As other technologic developments, encryption inevitably brings with it both positive... and negative consequences: what happens when the data of a child predator, a terrorist, or a human trafficker is protected?
Cryptography, the practice and study of techniques for secure communication in the presence of adversarial behavior, consists of transforming, or rather encoding, information in a way that, ideally, only authorized parties can decode. Through such a process, the original representation of the information, known as ‘plaintext,’ is converted to an alternative form known as ‘ciphertext.’ The latter should appear as gibberish to the adversarial parties.
Encryption has become an indispensable part of modern life. As our digital footprints expand, so too does the imperative to safeguard our data. Consequently, encryption can be found almost everywhere from messaging apps like WhatsApp, Signal, Instagram, and iMessage to mention some, which encrypt traffic between app users so that the server cannot easily read it, to financial transactions with cards, to our emails and even to what is now the most common activity which is web browsing. The latter uses HTTPS (Hypertext Transfer Protocol Secure) which applies encryption to secure communication on the web. Even phone calls are encrypted to avoid the information relayed being used for other purposes.
In the current scenario, none could reasonably argue that there is nothing better than living in a world in which technology grants the security of our private information shielding it from misuse by thief parties. But what happens when the data of a child predator, a terrorist, or a human trafficker is protected? Encryption would implicitly enable their connected activities to grow without any form of control.
US actions
This is the argument that many governments, starting from the US, have been making since the 90s. This decade was known for having hosted the so-called famous ‘Crypto-Wars.’ They started with the failed attempt from the Clinton Administration, especially through the NSA (National Security Agency) to gain backdoor access to the encryption devices by trying to get phone manufacturers to adopt the ‘Clipper Chip,’ which essentially was a chipset that would allow the government to still monitor for illegal activities.
Despite its failure, the idea that the government should have access to encrypted communication lived on throughout the entire 90s. Many policymakers held onto the hope that it was possible to securely implement what they called ‘software key escrow’ to reserve access to phone calls, emails, and other communications and storage applications. Under key escrow schemes, a government-certified third party would keep a ‘key’ to every device. But, again, this proved to be unsuccessful.
The other fight that was being held at the same time was on the government’s ban on the export of encrypted products, classified in the US as munitions since the 1970s.
In 1991, a man named Phil Zimmermann released the so-called PGP (Pretty Good Privacy) model, giving regular people access to what was previously military-grade encryption, he was put under criminal investigation for illegal arms trafficking, but eventually, he was released when the ban on crypto exports was lifted off in 1999.
This was the result of a war carried on by a group of mathematicians and computer scientists, called the ‘cyberpunks,’ which advocated that PGP and encryption were protected by the freedom of speech contained in the First Amendment of the American Constitution and trampling it would mean to cut off the civil liberties of its citizens.
Despite the first Crypto Wars being won by the cyberpunks, the government has not relented in its attempt to gain backdoor access. A relatively recent development of this matter was the leakage in 2013 from a former NSA contractor Edward Snowden, of a series of secret NSA and GCHQ (NSA’s British counterpart) documents. The leakage confirmed that the NSA had been spending millions since the early 2000s on the Sigint Enabling Project, through which they sought partnerships with big tech companies to weaken encryption standards, and create backdoors, allowing access to citizens’ communications, such as buddy lists and inboxes.
Snowden’s leaks also disclosed that the NSA was collecting massive amounts of data, including 500,000 buddy lists and inboxes in one day, under the justification of countering terrorism threats post-9/11. However, we could counterargue that such a large number of terrorists doesn’t even exist in the world and certainly not communicating all on the same day. This was a form of mass surveillance from part of the government.
The government continued in his argument on the need to access private information for security matters by entering into a dispute with Apple’s CEO Tim Cook in 2016 when he refused to write an alternative firmware to unlock the phone of one of the San Bernardino attackers, Farouk, who allegedly had been using WhatsApp just before shooting 14 people. The FBI hadn’t been able to access the phone due to the iOS 9 feature that erased the phone after a certain number of password attempts. Apple did try to cooperate but refused to create a backdoor in the system under the justification that not only would it make it less secure and more vulnerable, but it would also open the door for future federal and state prosecutors, and other government and agencies, to seek orders compelling Apple to use the software to open the backdoor for tens of thousands of iPhones. Eventually, the government managed to access the device by paying $900,000 to Israeli mobile forensics firm Cellebrite, which managed to successfully bypass the iPhone 5C’s security features.
EU regulations
The fear of terrorism, and most recently of child abuse has led many countries in the world, not only the US, to promote policies that attempt to weaken encryption. In the EU, for example, dependent on the Child Sex Abuse Regulation, the Chat Control law is trying to be enforced. Under its provisions, messaging services would be required to use automated systems to hunt for content disseminating harmful materials and pass that evidence to the police. This would obviously undermine end-to-end encryption services.
On this matter, at the beginning of June 2024, the EU Innovation Hub for International Security published a report discussing how law enforcement should balance privacy rights with the need to intercept encrypted communications in criminal investigations.
According to the report, some EU Member States have recently amended national legislation to facilitate access to encrypted data, including extending search capabilities and improving targeted lawful access.
While the e-evidence package, adopted by the EU, has made strides in enhancing law enforcement access to electronic evidence, the report highlights significant challenges. These include the admissibility of evidence from encrypted communication channels and the complexities posed by emerging technologies like quantum computing, cryptocurrencies, and AI.
In light of these developments, the EU calls for further research and international collaboration to ensure that both privacy and lawful interception can coexist without compromising cybersecurity. The need for solutions that balance these concerns is critical, especially as encryption continues to evolve and play a central role in protecting the digital world.
Unforeseen consequences
In essence, backdoors, escrow keys, front doors, and all the other tools, whether they pertain to the efforts of foreign intelligence collection, counter-intelligence efforts, or the fight against terrorism and organized crime, in the end, rather than solving the problems they aim to address, they create unforeseen consequences and vulnerabilities.
They are giving access to governments and any other third party with technological knowledge to the private information of its citizens, and who knows how this could be used. The fight for encrypted data is none other than a fight done by those who understand the matter of maintaining our freedom of speech.
Furthermore, by weakening the system to momentarily solve through spying the problem of terrorism, to say one, you are removing the protection granted by unbreakable math of your own national system, which comprehends not only the private information of citizens but also those of the banks, the big industrial companies, the government. Spies and agencies from abroad can exploit it as they see fit because the system is now vulnerable.
To cite some examples, in 2020, a hacking group believed to have links to the Russian intelligence, S.V.R., hacked into various US State Departments including the Pentagon and the United Sates Treasury as well as nuclear labs. In 2009 a hacker from Miami hacked into 250 American financial institutions, stealing tens of millions of credit card details. Like these, there are many other cases.
The notion that encryption is harmful due to its potential to facilitate violence is, thus, counterintuitive. While violence may indeed emerge as a byproduct of the security encryption affords, this has historically been a recurring theme with every significant technological breakthrough. Just as the advent of the telephone introduced the possibility of being threatened by phone calls, or as the cessation of book censorship allowed for the publication of controversial works, encryption too carries with it both light and shadow.
Ultimately, this highlights a fundamental truth: every technological advancement inevitably brings with it both positive and negative consequences. It is in human nature to use technology for both good and ill, as we are imperfect beings. Yet, we must not lose sight of the tremendous benefits these innovations bring. In the case of encryption, it enables us to preserve a semblance of privacy in an increasingly digital world—an essential safeguard as our online existence becomes ever more central to our lives and survival.