Salvador Dali once commented, “what is important is to spread confusion.” Perhaps this accounts for the recent messaging behind data security. While a battle rages between Silicon Valley and Washington, D.C. (and beyond) over digital security, users’ most personal information is being put at risk.
Today, the Director of the FBI James Comey told users that if digital security measures are too rigorous — too “secure,” if you will — it will compromise their personal safety and their national security. The speech is the latest in a line of statements expounding on the dangers of robust security, and declaring the need for direct U.S. government access to all digital data. The Washington Post’s editorial board has endorsed this approach, calling for a “golden key” for government. The golden key would purportedly unlock communications only for government (though researchers disproved this theory over twenty years ago), while protecting users from malicious hackers or other agents. Without this back door access, says the government, criminals may (literally) get away with murder.
As this message spreads, users are also seeing first-hand what havoc improper digital security can wreak on their own lives. Leading companies like Apple and Snapchat were recently compromised in ways that allowed third parties to access highly personal user information and photos. These third parties used vulnerabilities to reveal to the world the most intimate moments of users. Actress Jennifer Lawrence referred to the leaking of her own personal photos as a “sex crime.”
A case study: Apple
These two messages — the government needs to break encryption to keep you secure, yet we need strong encryption to maintain digital security — are not reconcilable. Perhaps it is best to examine this mess through the lens of a single company that has been at the center of both discussions — Apple. After all, it was in the immediate wake of (though not necessarily in response to) the unauthorized access to and release of photos from Apple’s iCloud service that Apple announced that it would increase the security of its mobile devices by encrypting the physical drives.
Notably, as one researcher has already reported, Apple’s increase in security is less of a breakthrough and more the fix of a security flaw that likely should have never existed in the first place. However, that has not stopped law enforcement from crying wolf about the change – making a series of grandiose claims about all of the criminal actions that increased security will allow. What these comments fail to admit is that there are still several options available for law enforcement to gain access to necessary data (here, Freedom of the Press Foundation’s Executive Director, Trevor Timm, details a few).
While the alarmism is undoubtedly overblown, there are several significant benefits to users provided by Apple’s increased security, namely increased data security and control for users over their own information because Apple will no longer have direct access to that data (at least not for data stored exclusively on the device). Additionally, there is an intangible benefit to Apple’s decision: it will encourage and incentivize other companies to protect user data. When a security flaw or vulnerability exists, the user should always prefer that a company take quick and definitive steps to fix it, rather than let it linger for the potential future benefit of law enforcement.
The iCloud hack was likely conducted by individuals who exploited a vulnerability in a single element of Apple’s security suite (namely, the “Find my iPhone” feature). The vulnerability, which allowed the hackers to force their way into accounts and extract the photos, was patched only hours after the attack was revealed. Imagine the reaction if police had asked for that hole to remain open. Indeed, the outcry would have been deafening. Any purposeful hole in user security should be treated with the same contempt. Most users will never commit a crime, but they very well could be subject to a data breach. Robust security is the only method to keep your information out of the hands of actors who would cause you harm.
A fool’s bargain
Despite the Washington Post’s portrayal, the concept of a golden key is far from novel. For example, in the Crypto Wars, starting in the early 1990s, the U.S. intelligence community fought to maintain a “back door” into all electronic communications – falsely asserting that there was a way to maintain its own access while protecting users. As previously stated, prominent technologists were vocally, and nearly uniformly, opposed to the proposal; the back door, they explained, could be compromised and provide open access to malicious actors (not to mention misused and abused by officials in government).
The personal risks we face from improper data security are much more significant and pressing than our intimate photos, videos, and chat logs, though this risk should not be overlooked. Access to our personal lives is one of the key elements that the notion of privacy is meant to protect, and data security is the lock by which that access should be controlled. But data security also keeps safe a range of other personal information. For example, in the past year Target, Home Depot, and Neiman Marcus all revealed sensitive consumer financial information due to vulnerabilities in credit processing systems.
More troubling, surveillance agencies are using security holes to get to personal information in order to prosecute and persecute journalists, activists, and dissidents. China, Turkey, and Vietnam have all arrested users for their public online activities, while governments around the world are employing tools to spy on user email and communications. In the U.K., GCHQ is tapping into webcams to record and store the feeds, and the U.S. National Security Agency took advantage of weak points in corporate infrastructure to intercept emails and other communications at their most vulnerable point, as they transited the corporate backbone from data center to data center.
Digging ourselves out
Notably, increasing digital security and reining in unauthorized access to data does not necessarily shut down legitimate access to data for law enforcement or national security purposes. There are several different approaches that may be taken for officials to appropriately compel necessary information. What data security will do is protect users and their financial, legal, and professional interests from unlawful or unauthorized third-party or government access. User confusion is not a shield for bad policy or bad security. We cannot allow inaccurate, alarmist arguments to win out over time-proven data security practices.