The Encryption Debate: another point of view

We’ve all seen it plastered on the national news these last two years. The encryption debate between tech companies and civilians wanting to keep their data private is being weighed against the government’s desire to gain access to anything and everything they can in the hunt to stop terrorists.  Anyone besides me ever notice it’s always “terrorists,” not just criminals? Anyway, the thought occurred to me late last night to look at the argument another way and see what I’d feel about it. It’s not a hard decision for me, personally. I’m firmly ensconced on the side of a person’s right to privacy over some government’s desire to monitor its citizens. Still, maybe it’s worth trying to have the conversation another way. Let’s take the technology out of it and consider the idea as it would relate to the rights of privacy of the individual.

The government argues that the kinds of data being hidden behind encryption provide important clues they need to stop terrorists. The data able to be retrieved from a cell phone or tablet, or encrypted text messaging, can be viewed in very simple terms, and I think I can probably give you an inclusive list. Let’s see:

  • Where they have been (using the GPS tracking)
  • When they were there, when they communicated, etc. (using time stamps from apps)
  • What they’ve read online (using browser/app histories)
  • Who they’ve talked to (using messenger/email contact lists)
  • How they’ve communicated (analyzing what apps they use to talk to other people)
  • The contents of any textual conversations/emails (reading the message history)
  • What files they might have downloaded, saved, or deleted. (using information within the device)

I didn’t intend it this way, but the list above shows you can literally tell Who, What, When and Where some suspect was doing something. The only thing you can’t definitively tell is the “why” of it all. We assume the why factor is able to be extrapolated from the other four to provide a complete picture of the terror suspect’s life.

Let’s just assume for a moment that for some reason there was a large group of terrorists out there that were planning on committing a crime sometime in the immediate future. Let’s also assume they are the type that are smart enough to simply drop their phones in a vat of acid and dissolve them before committing the final criminal act. Or maybe they never used cell phones at all. Or maybe they collectively threw them off a bridge the day before they planned to do the act.

Would this encryption debate be an issue if that were the case? Let’s just say there was no technology involved on behalf of the criminals in general. What would the government’s excuse be then?

Let me be clear about my feelings on the matter. I believe there are some bad people out there that simply need to be killed before they kill someone else. I also believe our men and women in law enforcement deserve to be safe and as well armed as they can be. That does NOT mean they should have the ability to trample over the rights of the people they chose to take a job protecting, whether they be a local beat cop, a town mayor, a cyber-investigator, a federal officer, or a politician controlling any of the above.

Where:
If there wasn’t a cell phone, and the government argues they need the ability to know where every criminal has been, the only way to do that is to require everyone to wear a GPS tracker that personally identifies them. We’d also have to GPS track every car on the highway and make it illegal to drive a car without a tracker. Then we’d have to make it illegal to leave home without your tracker on your person. That’s really the only way to know where any particular person was after all, and you won’t know who the bad guy is until he’s already committed an act, so we’d need to monitor everyone so we had those records to look back through.  Make sense? Hell no it doesn’t make sense! That’s a ludicrous request and we’d never stand for it.

What:
In order to know what we’re doing, we’d have to all walk around with some kind of personal journal where we describe our day in annoying detail. Went with my wife to get milk at corner market at 9:25 AM. Saw postman deliver mail next door at 11:58 AM. Ordered Domino’s large pan pizza with extra pepperoni and light sauce, two cokes, and a side of cinnabons at 7:35 PM, paid with debit card ending in 6666.

We’d further have to be sure we tracked this stuff on some kind of paper that can’t be destroyed later using ink that would last 50 years outside in the rain. Then we’d need to turn in our logbooks every month to some government office so they could be analyzed for patterns. Would you agree to live your life this way?

Who/When/Why:
Imagine what kind of privacy we would need to give up in order to let the government have the tools they say they need to perform their jobs if we didn’t have cell phones. We would have to install cameras in our homes and businesses so we could be monitored twenty-four hours a day. That’s what our cell phones do. They track our movements. You don’t think so? You’d be wrong. Google knows right now from my cell phone activity that my wife and I are in the same room, my mother is 4.2 miles away, my brother is currently parked in a Walmart parking lot 122 miles away in Henderson, NC. I can see all that myself from simply glancing at my phone’s screen.

We’d have to freely allow tracking and inspection of everything we ever purchased in any store, a copy of those receipts and the contents of the packages. We’d have to accept the government reading every page of every piece of mail we receive, whether it’s a love letter from a girlfriend, a coupon mailer, or a private business letter between you and a company you do business with. There’s a place where that kind of thing happens. It’s called prison.

Stop the insanity:
We, the people, human beings in general, have a right to expect privacy in our lives. Just because we purchase a device that we agree allows us to take pictures doesn’t mean the government has a right to see those pictures.  Let me clarify the distinction. If you were charged with a crime and you were carrying a DSLR camera with you around your neck, I would personally agree that the contents of that particular film cassette or memory stick might be relevant to your investigation. I might even agree that it’s crucial to you proving what you need to prove in a court of law. However, would those of you out there say it’s OK if instead the government said “we need access to every picture the suspect has ever taken, on any camera he’s ever used, whether it was his or not, and every photo he’s ever looked at in a book, on the web, regardless of who else is in the picture, what they were doing, or how long ago it was.” Because that’s what they’re asking for…

If you gain access to my phone, you don’t just get my camera roll and the 32 pictures I took this week. You get access to my Dropbox cloud account with every photo I’ve ever taken in the last ten years stored there. You also get access to my Google Photos account with unlimited backup – which the last time I checked had somewhere around 40,000 photos in it from the time my daughter was born 21 years ago until the picture I took of my dog this morning. Personally, I think that kind of information should come with an expectation of privacy.

If you were suspected of a crime, wouldn’t you think it a broad overreach of the government’s powers to expect to be able to interview every person you’ve ever spoken to in any format?

//—Tinfoil Hat Moment—//

Let’s be honest a moment and consider the realities of what the government (or any other entity) would do with that huge a dataset. Let’s say they wanted to prove I was going to blow up a school. I wasn’t, but let’s say they thought I was. They can only hold me for x hours without arresting me for something but don’t have enough to put me away for the crime. Ok. If we analyze my GPS log we can determine that at some point I broke the law. Can you imagine if every time you ever might have accidentally rolled through a stop sign, or crossed the speed limit, you were cited for it? My GPS records show that kind of information. A speeding ticket is crap, yeah I agree. But if they were able to simply arrest me for 187 times I exceeded the speed limit by 5 miles per hour or more, and the 43 times I rolled through a stop sign at 11 pm on an empty road… that’s enough to run me broke and probably snatch my driver’s license, invalidate my insurance, and leave me with a lot of fees to deal with I couldn’t pay. Meanwhile, they could find enough mundane crap to stick me in a cell for a month while they prosecuted me for all these “other crimes.”

My point is that everyone has some kind of thing that could be perceived as a crime if you give someone enough time to look and provide just the right scene for the information to be displayed. Ever seen a pop-up ad for  teenage porn? You know the kind I mean – something with a topless girl, hopefully at least 18,  doing something indecent? If you’ve ever even SEEN one of those on your computer you are technically in violation of federal laws unless you can prove it wasn’t a minor. Yeah, it’s stupid and we’ve all seen it, but if you want to argue what someone can and can’t do – these are real examples.

I wrote an article about six years ago about the darknet and the risks children are exposed to online and why parents should be vigilant. Simply gathering the material to write that article technically breaks about a dozen laws. Thankfully, the FBI has never read that article or if they did they obviously realized that viewing the material was in the course of journalistic research. But, if the news article came out, you’d never see that part. You’d see “Albemarle Man arrested for child-porn and trying to buy tractor-trailers full of heroin online” instead.
//—END Tinfoil Hat Moment—//

Reasonable Encryption:

I heard a good example the other day that provides the best analogy to the encryption debate. The government wants “reasonable encryption.” The tech market, and people like me, just shake their heads and laugh and say “No, you idiot. That’s not possible.” That’s because it’s not.

Encryption is an on-off switch, not a dimmer switch you can adjust. Either you are encrypted or you are not. There is absolutely zero middle ground. This isn’t an argumentative viewpoint. It’s a simple fact. Security, yes, that’s adjustable, dimmable if you will. Encryption isn’t.

Example: Reasonable Protection/Security

I run an IT firm where we help clients set up reasonable protection on their computers to protect against all kinds of things. We can adjust the level of protection to provide what their industry needs, or to adjust for what they can afford. The point is, we can adjust it to a reasonable level for you. You need protection, right? Great! (Notice I’m not saying encryption?) Let’s add antivirus. That protects against most viruses. Let’s turn on Windows AntiMalware. That’s free and provides another layer of built-in defense against normal threats. That’s all reasonable.

Now you need more but you have to balance the costs. We can back up your ENTIRE network! Woohoo! That’s going to be $5,000 a month. You can’t afford that? Ok, how about we come up with something reasonable then? Maybe we back up your accounting computer, and your application server, and we just try to protect the front-desk computers as well as we can with some tools that balance cost and effectiveness? That would cost you around $150 a month. That makes more sense to most people… because it’s reasonable!

HIPAA laws prevent us from offering reasonable protection in the medical field. You are required to provide absolute protection or else your office and my company could both be sued! You want protection on your front desk computers but the main doctor doesn’t want to have to enter two passwords every time he tries to unlock his personal computer in his office? Too bad. We have to do all of it, or none of it. You can’t have special permission because you’re the owner. HIPAA doesn’t allow that.

Financial institutions are the same way. They are required to meet a certain level of protection. It’s not “reasonable” protection, it’s absolute protection. It’s yes, or it’s no. You don’t get to choose how much you follow the law as it relates to financial records security. You have to have audit trails, etc. It’s not optional.

If you want to examine some examples of “reasonable” encryption, look at Yahoo. They spent millions of dollars setting up their network. Were they “secure?” Absolutely, to a point. Were they encrypted? Nope!
“We take our customer’s satisfaction very seriously.. what? We just got hacked and 3 billion records got exposed and sold on the internet? Oops!”

THAT was “reasonable encryption.” Actually it wasn’t encryption at all, but that’s what the government seems to understand encryption is. That was security.. and it failed.

The Hyatt was in the news this week. They certainly didn’t just hire any old computer geek to set up their security. They hired professional firms to protect their data. They were “reasonably” encrypted. Two days ago they were in the news for exposing credit card data at 41 hotels in 11 countries. Do you call that “reasonable” encryption? Their data isn’t encrypted. It’s secured, it’s protected, but it’s NOT encrypted.

They approached encryption the same way that Yahoo did. (and yes, I’m drastically  oversimplifying here for the sake of the normal reader out there. You security geeks don’t get your panties in a wad.) Yahoo and Hyatt could have spent 15 billion dollars and developed the most awesome hackproof system in the world. Why didn’t they? They didn’t do that because that kind of price tag isn’t “reasonable.” They can’t afford to make the jump to 100% bullet-proof security. Few companies can. I’ll let you in on a secret… absolutely none of you out there have bullet-proof security at your companies. You have whatever platform your bosses think is reasonable given the cost for the level of protection they are getting.

All of these companies, Yahoo, Hyatt, Equifax, your boss, my customers, they all have reasonable security, or at least should. They spend a reasonable amount of time and money to purchase a system that will keep most threats at bay. Your average 15 year old kid isn’t going to sneak his way in to your financial records and steal your banking data. Now, suppose China or Russia decided it really really wanted to see your financials. Are you protected against that? Probably not. You’re reasonably protected against most threats.

All these attempts are similar to the dimmer switch analogy above. Picture your security as the dimmer on a light bulb. You turn the knob up for more security, but you probably can’t afford to turn it wide open. You’ve probably got it set around 60% because that’s what you can afford to do. Truthfully most companies have it set at around 10% on their work networks, yet have their personal iPhones locked down like Fort Knox (but that’s another blog post altogether.)

Example: Encryption

Now, let’s say you want to talk about encryption, not security. That’s a normal light switch. Flip the switch and you are encrypted. Flip the switch the other way and you’re not protected. It’s like a deadbolt on your door at home. Either it’s locked and no one can get in, or it’s unlocked and everyone can get in.

The government’s idea is to make that lock with a key hole on the outside that they can use. The problem with that is that the government has just about the poorest-paid hackers on the planet. Google pays their in-house Starbucks baristas more than the NSA pays their top hackers. Facebook probably gives out more Christmas bonus money to their security guys than the entire salary of the nation’s top-paid government cyber-warriors. The federal government is NEVER going to have the top team of security professionals because they can’t “reasonably” afford it. (See what I did there?)

Forget the foreign powers and other agencies that would demand access for a minute. If we add a keyhole to encryption in our deadbolt, anyone that knows how to pick locks can break in. It becomes like the security and antivirus market. It would only be as good as the best hacker that wrote it, until a better hacker came along to break it.

Encryption is either ON or OFF. Try to hold a light switch somewhere in the middle.. somewhere between on and off. You can’t get it to simply turn the lights on at 50% no matter how hard you try because that’s not how light switches work. Try to turn your deadbolt to where it’s almost locked, but not really, then open the door. Either you can open the door all the way, or you can’t open it at all. You can’t set your deadbolt to a position that only allows you to open the door halfway because that’s not what deadbolts do. That’s exactly how encryption works. On or off.

The debate we are facing as a nation and a culture is whether or not we should have the right to have deadbolts that keep people out of our house.  Let’s say you have a million dollars in gold bars in your closet. Would you purchase a lock that only a few certain kinds of people could open, or would you purchase a lock that ONLY YOU can open? And should you have the right to make that decision in the first place?

The US government is woefully under-trained in the basics of security and encryption, so much that they fail to understand a simple analogy that most of you probably do by now. And yet they want the keys to every single person’s devices in the world with the promise that “Oh, we’ll protect the keys to your lock. Trust us.”

No thanks.

