Encryption: the Swiss cheese security dilemma

2 Sep 16

The safety/privacy balance is a hard one to strike – allowing governments to access encrypted data risks leaving security systems with as many holes as a Swiss cheese

The recent high-profile spat between the FBI and Apple over accessing the contents of a terrorist’s iPhone is just part of a continuing debate about encryption. The broad issue is that governments want to access encrypted documents and devices to protect us from crime and terror, while companies like WhatsApp are beefing up encryption to help keep our conversations, transactions and messages private.

Encryption is often in the news but is poorly understood. It underpins the digital economy, and a basic knowledge of encryption is becoming essential in our professional and private lives. It’s complex and appears boring, but we cannot ignore it.

Let’s start by dispelling some myths. Myth 1: if I encrypt something, nobody else can read it unless I give them the key. Wrong: if somebody really wants to read your document, they can probably unlock it. The encryption only slows them down; the stronger the encryption, the more time and money it takes to break it. For a hacker or a government agency, it is a relatively simple cost versus benefit equation.

Myth 2: I need as much encryption as possible and I need it to be as strong as possible. No, not really – encryption slows things down. It takes time and computing power to encrypt and decrypt; the stronger the encryption, the longer this takes. It may be only a tiny fraction of a second but millions of transactions can make it a significant barrier to fast, user-friendly services.

Whenever a company is hacked, as with TalkTalk last year, the first question is always “was the data encrypted?” This is not that simple to answer. Security arrangements often vary, depending on whether the data is “at rest” (being stored or waiting to be accessed) or “in transit” (being used to answer a question or complete a transaction), which is when the encryption slowdown really kicks in.

This brings us back to the balance between privacy and safety. The Apple/FBI case centred on whether Apple could or should unlock a dead terrorist’s iPhone. “Brute force” computing would not work here because the number of times a PIN can be guessed is limited. To many, it seems reasonable that law enforcement agencies should, with safeguards, be able to access data to prevent terrorism. For a company like Apple, however, this is problematic. If it creates a backdoor to its devices, this will almost certainly be identified and exploited by the bad guys, which fundamentally undermines the privacy and certainty provided to customers.

The added complication is that the US would want a backdoor that only it could exploit. The UK, France, China, Russia and other countries would also want their own backdoors. You would then have a security system like a Swiss cheese.

We are told that the next generation of technology – quantum computing – will be so powerful that even the most sophisticated encryption will be quickly unlocked. Some claim that quantum algorithms are being developed to create even stronger security systems. Most likely, it will be like cracking the Enigma codes; it will be decades before agencies’ true power is revealed – and we discover they already have a quantum computer hidden in a basement.

John Thornton

    John Thornton is the Director of e-ssential Resources and an independent adviser on business transformation, financial management and innovation.
