Is crypto the enemy?

They say that if you live long enough you'll see history repeating itself. Certainly, that's true when it comes to fashion, music and even computer gaming with the trend towards retro games. And we're starting to see a battle being fought again over encryption, with British and US political leaders making overtures about banning or limiting the use of an important element of information security.

Encryption wasn't always legal
In the early 1990s, the NSA treated strong encryption as a weapon and banned its export from the United States, treating it as a form of illegal arms dealing.

Then, a software developer at the University of California in Berkeley developed a program called "Snuffle". Despite the benign name, the US government wanted to stop the developer, Bernstein, from presenting the source code until he'd submitted his ideas about cryptography to the government for review, registered as an arms dealer, and obtained a license from the government to publish his ideas.

After a four year legal battle, the Ninth Circuit Court of Appeals ruled that software source code was protected by the First Amendment (the right to free speech) and regulations preventing its publication were unconstitutional.

And so opened the floodgates with encryption software now an important tool used to secure data from the eyes of those who shouldn't have access.

Importantly, although cryptography remains a very technical and complex piece of security technology, its implementation is extremely simple, with open source software libraries now offering it as a standard tool for developers. Data storage and application services such as AWS and Azure enable it either by default or as a simple checkbox to be ticked.

In the age of terrorism

For almost 20 years, security experts have been able to legally use strong encryption to protect data at rest and in transit. But overtures made by British Prime Minister David Cameron, with support from US President Barack Obama, are threatening the availability of this critical piece of security infrastructure.

Cameron has been quoted as saying "In our country, do we want to allow a means of communication between people which … we cannot read?" Let's think about that statement. In the UK, the government is preparing to revive legislation that will allow them to access any communication or data they want. One assumes that there will be some checks and balances in place such as warrants and provision of legal authority.

Such a move will affect communications at every level. While much of the media has been focussed on the use of encryption in messaging applications such as WhatsApp, Snapchat and iMessage - the impacts can be far broader.

Certainly, Cameron's intent is to prevent terrorists and criminal networks from using encrypted communications as a means of planning and executing attacks.

Most of the arguments supporting a block on the widespread use of cryptography focus on what one writer calls the "Four Horsemen of the Infocalypse (software pirates, organised crime, child pornographers, and terrorists)".

But the reality is far more nuanced than that.

Don't blame the tech

All technology can be used nefariously. But technology can also be used to counter those very things that Cameron is seeking to fight. In many parts of the world, access to encrypted communications is a critical tool. In countries where people are oppressed and under threat, encrypted communications can save lives.

President Obama sided with Cameron, saying after a meeting of the two leaders "If we find evidence of a terrorist plot … and despite having a phone number, despite having a social media address or email address, we can't penetrate that, that's a problem".

One of the key selling points of the most recent updates to iOS and Android is that strong encryption is built into the devices. From a user perspective, this is a significant benefit as even if the phone manufacturer is asked to decrypt the device they can't, as they don't hold the encryption key. As Apple says in its iPhone marketing collateral "Apple doesn't scan your communications, and we wouldn't be able to comply with a wiretap order even if we wanted to".

Of course, governments could mandate that any encryption scheme that is developed must have a "back door" that can be provided if a company is subpoenaed to give access to encrypted data.

It's unlikely that such a scheme would garner the support of the technology community, individuals or corporations who rely on encryption. Weakening one of the key pieces of personal and corporate data security is unlikely to be an acceptable solution.

Making changes to laws around encryption, particularly in the United States where the Bernstein vs US Department of Justice case made it clear that blocking encryption was unconstitutional, would seem to be a difficult road for a government to take.

Local moves

In Australia, there haven't been any specific moves to block or limit the use of encryption. It has, however, been mentioned as an issue in parliamentary committees, such as the Parliamentary Joint Committee on Intelligence and Security on 29/01/2015.

The Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 allows "the AFP the opportunity to identify and decipher any encryption techniques a suspect may be using to protect electronic communications".

It's reasonable to say that governments around the world are being challenged to intercept and comprehend messages sent through encrypted services. And, at one level, it's easy to understand why banning, limiting or nobbling the use of encryption seems like a reasonable measure.

The trouble is, encryption is used in positive ways that every individual relies on. Business transactions, personal and corporate data, private communications between individuals - all these depend on encryption.

If David Cameron is successful and is able to pass laws in the UK that either ban or tightly license the use of encryption, the problem will be that it will still be available everywhere else. For a ban on encryption to work it would require the cooperation of the entire international community.

It would mean that people developing systems and applications that rely on encryption would unilaterally agree to stop using strong encryption. It's hard to see how a law in the UK will stop the developers of Snapchat from encrypting communications in that application.

Even blocking access to applications that use encryption is likely to be a fool's errand. It's almost impossible to stop people from accessing content and information across the Internet.

Such a ban would substantially affect the use of VPNs and other secure communications systems relied on by individuals and corporations.

When the law changed in the United States in 1995 it effectively uncorked the bottle and released the genie. Encryption is everywhere.

Governments have rarely been able to block technology effectively. While China and North Korea have been successful at blocking and limiting Internet access, the Internet remains a relatively open and free international communications network.

It's not unreasonable for governments to support law enforcement agencies by limiting access to weapons and other attack tools. But the risks of limiting or banning the use of encryption in certain applications, even if it were possible, are significant.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Copyright © 2015 IDG Communications, Inc.
