Earlier in 2016, when the U.S. Federal Bureau of Investigation (FBI) engaged in a legal battle with Apple over the unlocking of a particular iPhone device, little did they know it would reignite and escalate the old debate between security and privacy to unprecedented levels. On one hand, security advocates claim that one of the main roles of the government is to protect and secure the general welfare of its citizens, even at the expense of their privacy. Privacy advocates, on the other hand, maintain that the privacy of people and their personal information comes first because it is a fundamental right, enshrined in the Fourth Amendment of the Constitution – which forbids any “unreasonable search and seizure” of “persons, houses, papers, and effects”. However, with new developments in encryption technology, one of the strongest encryption standards ever, the Advanced Encryption Standard (AES), and new advances in computer security, can the gap between security and privacy ever be bridged?
The need to use encryption to preserve message confidentiality has existed since revolutionary times. In 1776, Benjamin Franklin started using ciphers, most notably the Dumas cipher, to encode and exchange correspondence with his peers. This guaranteed that even if the letters were intercepted, confidentiality would still be preserved. Therefore, it can be argued that in the minds of the Founding Fathers, using encryption was not only a means to preserve privacy, but also a matter of national security.
Later on, during World War II, the first special-purpose digital computer, the Colossus, would be designed by the British to help break encrypted messages exchanged by the Nazis – the messages were encoded using German-designed ENIGMA machines, which resembled mechanical typewriters. For the Allies, intercepting and codebreaking these messages was key to gaining valuable intelligence on the Nazis, which would prove crucial in their eventual defeat. The bottom line of these stories is that encryption technologies have been used throughout history to preserve the confidentiality of the information exchanged and the privacy of the parties involved. They also show how security can be perceived differently depending on which side uses the encryption technology and for what motives.
One of the spotlights during the RSA 2016 Conference, which CENTRI attended, was again the FBI vs. Apple case. The panel, composed of renowned security experts and cryptographers, agreed on several points, the main one revolving around one major theme: it is not about Apple facilitating access to one particular iPhone device, or setting up a backdoor for the government to use if necessary. It is about leaving the front door open for future government actions that could potentially threaten our privacy and limit our freedoms further. Today it is about iPhone access to encrypted data. What about tomorrow?
Moxie Marlinspike, the pseudonymous founder of Open Whisper Systems, which creates secure messaging apps, had this to say: “The problem with the FBI request is its breathtaking scope. It empowers the bureau to ask anyone, related or not, to cooperate with any request no matter how unreasonable or inappropriate it is.” Indeed, supplying the government with the tools required to decrypt and access our personal information at its discretion is not only an open invitation to encroach on our privacy, but also a blank check to decide what constitutes “reasonable” when justifying “search and seizure” of that private information. “The question is: where do you draw the line?” asked Adi Shamir, computer science professor at the Weizmann Institute of Science. If that line oversteps and controls the technology that companies create and people use, it would risk not only people’s freedoms, but also the public’s trust in those technologies. “You can’t advance technology without trust,” said Brad Smith, chief legal officer for Microsoft, during the panel. “The world is going to trust technology only if the law can catch up.”
Now, besides using stronger encryption and more robust authentication methods, are there other measures that can be put in place to better protect our private information while also helping the government and the powers that be continue to keep us safe? Yes, indeed.
First, choosing “which” encryption scheme and cipher mode to use is critical, but choosing “where” the encryption will be applied is of equally pivotal importance. Most of the data breaches that compromise customer information occur when data is at rest, that is, when the information sits dormant in some database or disk storage. This means that encryption schemes that only secure data while in transit will be ineffective against data breaches once the security perimeter is broken. Therefore, sensitive data to be held in secondary storage must also be encrypted at rest.
Second, systems must be designed with a minimalistic approach in mind – include only what is necessary for proper operation without compromising privacy or performance. For instance, if you don’t need to manipulate SSNs in your application, why include them in your database (as federal, state, and private organizations used to do) just to have unique identifiers? Not only does it put sensitive data at risk, but in case of a data breach, you will have to answer for how your customers’ SSNs ended up on a public website! Database normalization is also a must – avoid redundant fields that not only might break data integrity, but also expose sensitive data that should not be repeated across different tables in the first place.
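The two design points above (encrypt sensitive fields before they reach secondary storage, and never use an SSN as a row identifier) can be shown together in a small record store. The following Go program is an added example written for this post; it is not CENTRI code and does not describe the CENTRI platform. It assumes a hypothetical customer record with one sensitive free-text field, generates a random surrogate key in place of any SSN, and encrypts the field with AES-256-GCM so that what sits on disk is ciphertext plus a per-record nonce. The record ID is bound to the ciphertext as associated data, so a ciphertext copied into another row fails to decrypt, and any bit flip in storage is detected on read. The sample names and text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredRecord is the shape that would be written to the database:
// no SSN, an opaque random surrogate key, and the sensitive field
// held only as AES-GCM ciphertext (tag included) with its own nonce.
type StoredRecord struct {
	ID         string // random surrogate identifier, never an SSN
	Name       string // non-sensitive, kept in the clear
	Nonce      []byte // 96-bit nonce, unique per record
	Ciphertext []byte // AES-256-GCM output, 16-byte tag appended
}

// Vault wraps the data-encryption key. In a real deployment the key
// comes from a KMS or HSM and never lives beside the records.
type Vault struct {
	aead cipher.AEAD
}

// NewVault accepts only a 32-byte key (AES-256).
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// newSurrogateID returns 128 random bits as hex: unique enough to be a
// primary key, and meaningless if the table is ever dumped.
func newSurrogateID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Seal prepares a record for rest. The record ID is passed as associated
// data so the ciphertext is cryptographically tied to its own row.
func (v *Vault) Seal(name, secret string) (StoredRecord, error) {
	id, err := newSurrogateID()
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(secret), []byte(id))
	return StoredRecord{ID: id, Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record read back from storage. GCM verifies the tag,
// so tampering or a ciphertext moved between rows returns an error.
func (v *Vault) Open(r StoredRecord) (string, error) {
	pt, err := v.aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return "", fmt.Errorf("record %s: %w", r.ID, err)
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed for the demo; use a KMS-held key in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec, _ := v.Seal("A. Customer", "constructed sample: account notes")
	fmt.Printf("at rest: id=%s name=%q ciphertext=%x\n", rec.ID, rec.Name, rec.Ciphertext)
	pt, err := v.Open(rec)
	fmt.Println("opened:", pt, err)

	// Moving the ciphertext into another row fails: the AAD binds it to the ID.
	other, _ := v.Seal("B. Customer", "different")
	other.Nonce, other.Ciphertext = rec.Nonce, rec.Ciphertext
	_, err = v.Open(other)
	fmt.Println("swapped row:", err)
}
```

Note that the `Name` column stays in the clear on purpose: field-level encryption is applied only where the data is sensitive, which keeps the rest of the table searchable and avoids the temptation to reuse one nonce across many rows.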
Third, and finally, we as users and holders of our own private information must exercise caution and common sense when providing that sensitive and personal data to someone else. This also applies to people who do not own our private information but are still in a position to manage it.
In summary, data encryption is a mature, evolved, core technology that has proven over the years to be resilient and effective in guaranteeing confidentiality and privacy. It has also been used historically by governments and regimes alike to help keep their people and communities safe. However, like most technologies, encryption has the potential to be misused and abused. Security will be perceived differently depending on which side enforces it versus who attempts to break it. Therefore, it can be argued that encryption can only bridge the gap between privacy and security if the supporters of each use it openly and transparently, with reason, good ethics, and a sense of purpose. It is not about encryption itself, but how it is being used. The government must still be able to protect its people, just as the people should still be able to exercise their rights and freedoms, and privacy is one of them. A flexible data protection platform that can meet the needs of both sides, like CENTRI, is an ideal answer to the problem.
Thanks for reading,
Luis Paris, Chief Scientist
About the Author: Luis Paris is the Chief Scientist at CENTRI. Luis oversees CENTRI’s research and focuses on the company’s core technologies, with an emphasis on how they can be applied to emerging markets like machine-to-machine (M2M) and the Internet of Things. He has an extensive history of teaching, learning and innovating with the goal of making the connected experience smarter, faster and more efficient. Connect with Luis on LinkedIn.