If you follow tech news, you must have come across news articles about how the government and the big tech companies are butting heads over matters like privacy, encryption, and data. Last year, Facebook paid billions of dollars in damages for violating consumers’ privacy rights. This made me wonder how secure our communications over iMessage, WhatsApp, and Facebook messenger actually are, and can a company use it for targeted ads, or can a hacker gain access to them? We have all seen the messages on our WhatsApp chat windows that our chat is protected by end-to-end encryption but does this privacy of our messages comes at a price? Can it be used by anti-social elements to harm our society? While both the tech companies and the government agree on the benefits of encryption, they have very different perspectives on who should be able to use that encryption and for what. Let us dig a little deeper into this.
How does Encryption work?
In a nutshell, here is how the end-to-end encryption on WhatsApp works:
1. When a user opens WhatsApp for the first time, one public and one private key are generated. This encryption process happens on your phone.
2. The private key remains with the user on the phone whereas the public key is transmitted over the server to the receiver.
3. The public key encrypts the sender’s message on the phone before sending it to the server.
4. Only the receiver’s private key can unlock the message. No third-party including WhatsApp can decrypt and read the message.
You can verify the encryption on your phone by clicking on your contacts name and then tapping on “Encryption” and either scan the QR code or visually compare the 60-digit number and if they match, your chats are encrypted.
Seems pretty simple and convenient, right? Why should someone else have access to my personal chats? Before we go any further, let me refresh your memory on what happened a few years ago that really got the whole encryption debate wide open.
San Bernardino Shootings
On December 2nd, 2015, two terrorists open-fired in the city of San Bernardino, California, killing 14 innocent people. During the investigation, the FBI obtained one of the terrorist’s iPhone but couldn’t access it through the passcode. So, they sought help from Apple to unlock it but Apple couldn’t help as they couldn’t access the encrypted data on the phone. Apple received a lot of backlash from the media and public for not being able to help the federal agencies gain intel through the messages on the phone and the whole debacle sparked a debate about whether the government should get access to these messages or should it be encrypted.
On Feb 16, 2016, assistance ordered by a federal judge would overhaul the system that disables the phone after 10 unsuccessful attempts. Apple’s CEO, Tim Cook called the order “Chilling” and in a message to its customers, Apple wrote “We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion and we want our customers and people around the country to understand what is at stake.”
Government Access to Encrypted Data
William Barr, the attorney general of the USA, detailed in one of his addresses how the protection provided by the encryption also protects criminals and terrorists and how the federal agencies such as the CIA and FBI can prevent terrorist attacks and prosecute a lot of criminals if they can gain “Lawful Access” to the encrypted messages.
Can incidents like the San Bernardino shootings be avoided if the government has access to the encrypted data? Perhaps, and this could lead to saving thousands of lives but is it worth it?
Protecting Privacy with End-to-End Encryption
When Facebook declared its dedication to end-to-end encryption on WhatsApp and Facebook messenger, it was opposed in an open letter by the US attorney general office. Over 100 organizations signed a letter to Facebook urging it to continue its pursuit of end-to-end encryption.
The companies advocating for protecting privacy through end-to-end encryption argue that encryption is required to protect our democracy. Without anonymity it is very difficult to exist online — in countries like Saudi Arabia, your sexual orientation, your identity may get you in trouble if your identity doesn’t comply with the religious beliefs in the country. Encryption is required for the online and physical safety of such people. Encryption is also protecting the human rights activists and the people living in countries with dictators and places where free speech is suppressed. So, in essence, keeping all these communication mediums encrypted is also saving thousands of lives.
Putting what is called a backdoor in the operating systems of these apps will make these systems more susceptible to being hacked by someone with an intent to hurt you. To develop the technical capabilities for federal agencies to access a device as required will mean creating system vulnerabilities that can be taken advantage of by hackers.
I think all our rights come with trade-offs and privacy is no different. I believe that while encryption may make communication easier for criminals, it will also save the lives of thousands of people who are living in a country where basic human rights are suppressed, and giving the government the right to access these encrypted messages will lose more lives than it would save. The criminals and terrorists will still find a way to communicate securely through a new medium where law enforcement currently doesn’t exist. Unfortunately, there is no way to provide government access to these messages without compromising the security of the underlying system, and weakening the encryption is not the solution.
The government and big technology companies need to come together and lay out all the options on the table and work towards the possible solution to this. In a world where hacking is becoming more commonplace than ever, we cannot afford to further weaken the security of our data. In fact, we need the exact opposite. Instances like the recent Solarwinds hacks into several US government databases are a good indication that there needs to be more research and investment to further strengthen the security of our data centers.