Do you use Skype? Do you use Gmail? Do you use any of several other commonly employed data transfer, data storage, or communications systems on the Internet? If you do, your data are vulnerable to attack. You already know this. Companies are working to encrypt your data for greater safety, and you already know that, too. But encryption of data is a double-edged sword: The more secure your data, the greater the possibility that secure communications can be employed by terrorists, criminals and others whose activities are subject to government investigation and oversight. The problem begins and ends, as it so often does, with human behavior and human nature: We all want our data to be secure from intrusion, but we don't want the other guy to be able to hide his potential criminal activity from our government.
Bryan Betts, writing for Techworld, says that widespread use of encryption "could make organizations vulnerable to new risks and threats. ... Many organizations are encrypting their stored data to relieve concerns over data theft or loss – for example, U.S. mandatory disclosure laws on data breaches do not apply to encrypted data. However, experts from IBM Internet Security Systems, Juniper, nCipher and elsewhere said that data encryption also brings new risks, in particular via attacks – deliberate or accidental – on the key management infrastructure. ... Another risk is that over-zealous use of encryption will damage an organization's ability to legitimately share and use critical business data."
Rebecca Abrahams points out that some companies, such as Skype, have been encrypting communications for some time. "However, there are a myriad of problems surrounding the use of encryption," she writes, "especially in the case of public carriers like Skype, Google, Microsoft and others. And the issue is becoming a growing problem as cloud base storage systems and so-called secure email services claim to employ encryption to protect users."
The problem, as Abrahams explains it, is twofold: Any company's employees are a point of vulnerability, but attacks from outside are of equal concern. "Private companies cannot rely on the FBI, CIA or any other government agency for help in checking out employees. They need to use private companies to try and assist, but this is time consuming and expensive, and often the work is poor. Private commercial servers are quite understandably highly vulnerable to 'insider' attacks. … Servers can also be hacked from the outside through the Internet. Government servers experience hack attacks thousands of times every day on its servers. So do companies in the critical infrastructure, such as Defense and Aerospace firms and energy companies. And companies in the competitive space are often hit by cyber attacks to steal vital proprietary information. The matter is made infinitely worse if public providers such as Gmail and Skype, and many others, are used routinely by company employees."
There is no better example of the problems caused by a lack of encryption, and of data security overall, than the Ashley Madison hack. On the surface, the fact that a bunch of would-be adulterers got outed by hackers doesn't seem that important if you weren't directly involved. But the damage from the hack was far-reaching: At least two suicides have been linked to the dump of Ashley Madison's stolen account data online. The company lost its CEO over the breach, and major questions were raised about whether the site was truly safeguarding user data as it claimed to be.
Clearly, Ashley Madison would have benefited from encryption, not to mention better overall database security. But if it had, and if the hack had not revealed the titanic scam at the heart of this particular "adultery" site (a scam in which men were enticed by algorithmic lures to keep paying money even though their prospects of meeting women were actually very slim), then Ashley Madison would simply be continuing to bilk its users today. Looked at from the right angle, it's possible for a company to be too secure.
Should we be worried that terrorists will use end-to-end encryption to safeguard their plots? If encryption becomes the rule rather than the exception across our Internet infrastructure, are we locking ourselves out from the very data on which our security personnel should be keeping an eye? Maybe ... and then again, maybe not.
A new report from the Berkman Center for Internet and Society (at the Harvard Law School) finds that our fears over encryption (and its facilitation of crime and terrorism) may be vastly overblown. As Larry Magid reports, "End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten." In other words, it works against the commercial interests of most companies to make their data completely secure.
Magid also summarizes nicely the fact that "software ecosystems tend to be fragmented." That's a fancy way of saying that many of the software systems in the world aren't compatible. Without a great deal more standardization than now exists in the world of software, the idea that we're going to lock out law enforcement from the vast majority of data floating around out there is far-fetched at best. The report even cites the Internet of Things (IoT). "Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance," writes Magid. "The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel."
Encryption, like any technological tool, is neither good nor evil. But like so much of technology, it is double-edged: Data we secure is, well, secure. Such security can be used to protect your privacy as easily as it can a terrorist's plot. Time will tell whether this becomes the threat some security analysts believe it to be – and we'll all have to choose, as individuals and as a people, how much oversight we want our government to have.
Media wishing to interview Phil Elmore, please contact [email protected].