
Breaking unbreakable encryption apps

As tensions cool somewhat between Apple and the United States government over the unlocking of an iPhone used by terror suspect Syed Farook, a parallel but bigger fight is set to heat up worldwide over unbreakable commercial encryption apps.

The Apple–Justice Department saga entails access to content stored in iPhones whereas the fight over unbreakable commercial encryption apps involves unscrambling encrypted content sent by every mobile and computing device.

Commercial encryption apps are off-the-shelf cryptographic applications that encipher digital contents, rendering them unreadable even if intercepted during transmission.

By encoding every transmission with a unique “key” — typically, a very large number — commercial encryption apps ensure that only the person(s) holding the specific key can decipher the encrypted message.

At the moment, iMessage, WhatsApp and Telegram are some examples of commercial messaging apps that feature encryption technology.

In earlier versions of the technology, major tech companies such as Facebook, Google and Apple held on to the keys (in their servers), thus allowing them to unscramble customers’ encrypted messages if asked to do so by the government.

But in the latest version of the technology — known as end-to-end encryption — the keys are kept by customers themselves. As the keys are stored in the endpoint computer or mobile device (and not in the tech companies’ servers), tech companies are no longer able to unscramble customers’ encrypted messages even if they wanted to.
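An added illustration (not code from the article) of the two key-placement models just described: the same toy messaging service run once with the provider holding the key, and once end-to-end, where only the endpoints hold it. The cipher is a constructed HMAC-SHA256 keystream so the example runs with the standard library alone; it stands in for a real cipher only to show who can and cannot unscramble the relayed message.

```python
# Added illustration, not the article's code: the two key-placement models it contrasts.
# Constructed HMAC-SHA256 keystream cipher (stdlib only); the point is who holds the key.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a per-nonce HMAC counter keystream (constructed toy cipher)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


class Provider:
    """The messaging service: relays ciphertext; holds a key only in the earlier model."""
    def __init__(self, holds_keys: bool):
        self.holds_keys = holds_keys
        self._escrow_key = os.urandom(32) if holds_keys else None
        self.transit_log: List[Tuple[bytes, bytes]] = []  # exactly what the server sees

    def provision_key(self) -> bytes:
        """Earlier model: the app fetches its key from the provider's servers."""
        if not self.holds_keys:
            raise RuntimeError("end-to-end mode: the provider never sees keys")
        return self._escrow_key

    def relay(self, nonce: bytes, ciphertext: bytes) -> None:
        self.transit_log.append((nonce, ciphertext))

    def unscramble_on_request(self, index: int) -> Optional[bytes]:
        """Plaintext the provider could hand over: only when it holds the key."""
        if not self.holds_keys:
            return None
        nonce, ct = self.transit_log[index]
        return keystream_xor(self._escrow_key, nonce, ct)


def demo(holds_keys: bool) -> Tuple[bytes, Optional[bytes]]:
    """Returns (what the recipient reads, what the provider can read)."""
    provider = Provider(holds_keys)
    key = provider.provision_key() if holds_keys else os.urandom(32)  # e2e: made on device
    nonce = os.urandom(12)
    provider.relay(nonce, keystream_xor(key, nonce, b"see you at the conference"))
    stored_nonce, ct = provider.transit_log[0]
    return keystream_xor(key, stored_nonce, ct), provider.unscramble_on_request(0)
```

In end-to-end mode the recipient's key is assumed to have been shared between the two devices out of band; the provider's log holds only nonces and ciphertext either way.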

End-to-end encryption evolved out of a need to counter cyber intrusions and data breaches. Business considerations played a part, too, since tech companies that offer the most secure app will gain a sizeable chunk of the market.

Unfortunately, as commercial encryption apps became more secure, criminals and militants have also caught on to their usefulness — undermining the very reasons that underpinned end-to-end encryption in the first place.

Soon after the Paris attack last November, senior US intelligence and law-enforcement officials singled out commercial encryption apps and called for them to be reined in.

Arguing that commercial encryption apps were hampering the US’ ability to disrupt terror attacks, these officials wanted major tech companies to build “back doors” or hidden flaws into their encryption apps to enable the US government to monitor the encrypted messages of terror suspects.

To be sure, calls for back doors in commercial encryption apps had been heard before but petered out after it became clear that the notion of a backdoor exploitable by the US government alone is but a chimera; indeed, cyber-criminals and hostile foreign governments can exploit these built-in flaws just as well.

Civil libertarians also argued against the plan. Their objection is expected, considering past violations by errant US intelligence agencies during the Cold War, when ordinary Americans were subjected to unlawful searches of their first-class mail and telephone calls.

More recent revelations by former American intelligence contractor Edward Snowden of the US government’s warrantless surveillance programme also buttressed their opposition.

STRIKING A BALANCE BETWEEN SECURITY AND PRIVACY

What should not be lost in this debate is that there is growing evidence Islamic State (IS) militants who attacked Paris last year planned their assault on the French capital with the aid of commercial encryption apps.

Furthermore, IS operatives are known to take advantage of these apps for secure communication and to reach out to potential recruits around the world.

Driving this point home, Malaysian authorities earlier this year arrested three of their own citizens who were thought to have been recruited by IS through Telegram.

It is also worth mentioning that IS operatives claimed responsibility for the recent Jakarta attack using the same messaging app.

Terrorists are not the only ones to exploit commercial encryption apps; increasingly, cyber-criminals, organised crime, drug dealers and even child predators are using commercial encryption apps to mask their illegal activities.

Besides making it more difficult to monitor suspects, commercial encryption apps have also made it harder for law-enforcement agencies to collect evidence against them.

If anything, the situation now with unbreakable commercial encryption apps is akin to the police not being able to enter a house to collect evidence even with court authorisation.

The US government is not the only one struggling with the problem. The British, Canadian, Russian, French, Belgian and Chinese governments are equally gobsmacked. So what can governments do — apart from calling for back doors?

Technological advancement occurs at such a brisk pace that it sometimes blinds us to the fact that earlier inventions already held the solution to an existing problem.

Indeed, by reverting to the previous encryption technology, in which the keys are retained by the tech companies, governments can again monitor encrypted messages, if needed.

As in the past, tech companies will act as a check against illegal government surveillance by scrutinising government requests for unscrambled messages.

The most obvious advantage is that governments will right away regain the ability to monitor suspected militants’ encrypted messages.

But what is less obvious is that reverting to the previous encryption technology will also serve to push them offline.

In the same way that Osama bin Laden promptly stopped using his Inmarsat satellite phone when the Al Qaeda leader learnt that US intelligence was monitoring it, this approach would likewise push militants offline, since the digital realm would no longer be a safe haven from which to promote violence.

With criminals and militants using commercial encryption apps to sidestep police investigations, tech companies have a moral responsibility to ensure that the unbreakable encryption technology they developed does not compromise the public’s interest and safety.

Crucially, reverting to previous encryption technology will not cause a jump in cyber intrusions and data breaches.

If governments could not break into the previous encryption technology, then the majority of hackers would not be able to either.

There are risks to privacy, of course. But our readiness today to share personal information online in exchange for greater convenience and accessibility is also indicative of our changing attitude towards absolute privacy.

The popularity of cloud storage and social media websites really speaks to this shift in mindset.

And as militants and criminals of all stripes continue to exploit commercial encryption apps, reverting to the previous encryption technology does offer a tenuous middle ground between privacy and security.

ABOUT THE AUTHOR:

Dr Tan Teck Boon is a research fellow at the S. Rajaratnam School of International Studies (RSIS) at Nanyang Technological University. His research covers the policy implications of science and technology.
