Encryption – What is it good for?
When we write a message or record a voice message, we usually have a recipient in mind. When we send the message, we choose the contact or contacts we want to send the information to and that’s the end of it. We assume that those people and nobody else will receive and read that particular message. But is that really the case? How can we be sure?
If a message is not encrypted, a motivated individual can do quite a few things without going to a lot of effort. They can
- listen in on the conversation and use the information exchanged for their own gain
- insert themselves into the communications channel to read and change the original message before it reaches the intended recipient
All of this can take place unnoticed and the consequences can range from bank payments going to the wrong account to identity theft. While the material damages can be major, we should also not underestimate the negative effect it has on a society when people are no longer sure of their privacy in their everyday conversations with friends and family.
Backdoors and Ghost Protocols
There is currently a very important conversation going on, which could imperil the privacy of electronic conversations. Law enforcement professionals would like to have the ability to follow online exchanges – ideally without the people who are having the conversations knowing it. One way to achieve this is to create backdoors that allow access to the system. In theory, only good actors will use the backdoor. In practice, we can be sure that a backdoor can be found by whoever puts in the work to do so. A backdoor is not safe from bad actors. It’s a bit like thinning the wall of a rubber balloon before blowing it up: it will hold in the air for a while, but at some point, it will give way with a bang.
Another potential solution are so-called ghost protocols. They require communication service providers to provide law enforcement with access to the conversations of the people using their service. Like a ghost hovering unseen in the room, the law enforcement personnel is witness to everything that is being exchanged without the people exchanging the messages being aware. There are three main issues here. Firstly, irrespective of whether the ghost in the room is part of law enforcement or not, the conversation is no longer private. Secondly, the people engaging in the conversation do not know that someone else is listening in. Thirdly, a ghost protocol is just another variant of a backdoor. And – as mentioned above – backdoors are simply weaknesses that can be exploited by bad actors.
Privacy Through End-To-End Encryption
This is where end-to-end encryption comes in. It ensures that only you and those people who are intentionally included in the conversation can read the messages that are being exchanged. This is done by scrambling the message in a way that it can only be read by those who have the right encryption key to unscramble it. For everyone else, for example the communication service provider, the messages remain scrambled. This means that if someone tried to
- listen in on the conversation, they would only see the scrambled, encrypted data, rendering it useless
- insert themselves into the communications channel to read and change the original message, they would not be able to do so without the encryption key
To help you protect yourself and your data, here’s a summary of the Internet Society’s recommendations:
- Use end-to-end encrypted messaging apps such as WhatsApp, Signal, Threema, and Telegram.
- Use end-to-end encrypted e-mail clients with OpenPGP, pEp or S/MIME.
- Turn on encryption on your devices or services, if available.
- Use strong passwords or passphrases
- Keep up with updates. The update could be fixing a vulnerability and making you safer.
- Turn on two-factor log-in (2FA).This makes it even harder to access your data.
- Turn on erase-data options, if available. This will erase your data after a certain number of failed login attempts.
For more in-depth information and further reading, here’s the link to the Internet Society’s dedicated page: Protect Encryption, Protect Yourself
Or you can look at the slides from the 7at7 workshop on Basic Computer Protection organised by ISOC Switzerland in collaboration with Digitale Gesellschaft on May 7th 2020: Basic Computer Protection
Or read about the economic impact of cybercrime in the following report: The Economic Impact of Cybercrime
This article is based on information available on the Internet Society website: https://www.internetsociety.org/issues/encryption. The article was written in connection with the ISOC training programme 2020: https://www.internetsociety.org/chapters/2020-training-program.