Cyberattacks and data breaches impacted hundreds of millions of people in 2017. A critical defense we have against these attacks is strong encryption.
Encryption makes it more likely that only the intended recipient (or keyholder) can see the information it protects: it keeps thieves away when you shop online, protects your health records and private messages from prying eyes and lets you casually browse the Web securely.
This mathematical method of scrambling and unscrambling data is the core of a healthy, secure digital world.
But not everyone agrees that encryption should be ubiquitous. Some governments and law enforcement agencies are concerned that encryption makes it too difficult to catch criminals and fight terrorism. The fear is that encryption enables criminals to “go dark” online.
This has led to calls for regulation that would allow authorities to decipher and read encrypted messages. Some would require makers to provide “backdoors” to devices and apps, which could be used by officials to decrypt information. Others would expand permissions for invasive hacking by governments to gain access to encrypted information by exploiting security vulnerabilities – often without a process to inform a company of these vulnerabilities.
China, Hungary, Russia, Thailand, the United Kingdom and Vietnam have all recently passed or implemented laws that could require companies or individuals to break encryption (or otherwise provide access) when requested to do so. Last year, Australia urged the intelligence-sharing “Five Eyes” nations (the United Kingdom, United States, Canada, Australia and New Zealand) to adopt approaches that would permit the breaking or undermining of secure systems.
These laws may be intended to protect citizens, but any move to weaken encryption makes everyone more vulnerable. If governments don’t disclose the vulnerabilities they’ve found to companies, those vulnerabilities can’t be fixed. And they will not be used only by law enforcement. They will be found and exploited by people who want to do harm.
Instead of breaking or weakening encryption, we should be strengthening it. Consumers should be encrypting their devices, and companies and developers should create and design with security and privacy in mind, ensuring frequent auditing to fix bugs and close vulnerabilities. Computer scientists and security experts agree: we need encryption to keep us safe in our everyday digital lives, and no one benefits from undermining it.