Strong Encryption is Forever (2020 Jun)

by Barry A. Liebling

Secure encryption makes my life better. I use it every day for a variety of tasks. With the exception of situations where I buy something with cash, most of my financial actions rely on encryption technology. I have strong passwords for my online credit card management, my banking, my modest investments, and my home Wi-Fi router. I recognize that there are criminals who are eager to steal from people who let down their guard, and I attempt to be prudent by using the encryption tools that are available.

And speaking of criminals, there are government officials who complain that it is exceedingly difficult to apprehend and prosecute culprits – especially when the perpetrators conceal their activity by using strong encryption. Large technology companies offer their customers – who include both good and bad people – powerful encryption services that are so secure that the companies themselves cannot break the code.

There was a famous case several years ago where law enforcement officials recovered the iPhone of a murdering terrorist in San Bernardino, California, and asked Apple to recover the contents of the device. The company declined the request, pointed out that it would have to invent a new way to decrypt the phone, and argued that doing so would make its own customers less secure. In this case Apple made the right decision.

Government demands for methods of breaking strong encryption have not gone away. Recently a number of Republicans introduced legislation – which may or may not come to pass – that would require technology companies to assist law enforcement agencies in defeating encryption in consumer devices and applications. The purported idea behind the legislation is that once a legal warrant is issued, the tech company would help the cops get into the suspect’s files (whether in a physical device or in the cloud). Advocates calling for the legislation are adamant that they have no intention of compromising the security of data that belong to law-abiding citizens. They are only after criminals and terrorists.

Step back and consider the implications of the proposed law. How could the technology companies comply if it goes into effect? The only way would be to deliberately reduce the strength of their encryption methods and create a back-door to consumer data. If they were previously successful in producing hack-proof security they would have to take a step backwards so they could break the code on their own devices and applications. That would be the end of a safe place for law-abiding citizens to store their data.

Proponents of the new legislation recognize this implication (really an insurmountable flaw). So they are offering a prize to the person or institution that develops a method of retrieving the data of suspected criminals while guaranteeing the privacy of regular citizens. Good luck. Notice that once a method is devised for decrypting data it is impossible to keep that method secret. Word will get out to anyone who is interested in how to crack the security code.

And that is not the end of the story. There is no shortage of people who are experts at developing strong, hack-proof, impossible-to-untangle encryption schemes. If the back-door law goes into effect and technology companies cooperate, there will be a huge demand for new encryption products that can be used on consumer devices and services. Many people will be happy to spend money on products that will repair the back-door flaws in conventional consumer products (less secure because of government policies). The state action that restricts the behavior of the largest technology companies will be ineffective at stopping the development of numerous products that will come from independent third-party operators.

Consider the net effect if the proposed law is enacted. Large technology companies will no longer provide a high level of safety and privacy to their customers, but anyone who wants strong encryption will be able to buy it from smaller independent businesses. Of course, the new encryption services will be available to both good and bad people. Government officials who are currently frustrated with their inability to obtain data from bad actors will continue to be disappointed.

All of this scenario thinking is obvious. I leave it to the reader to speculate whether the proponents of the back-door legislation have discussed this among themselves. Once a general method of creating hack-proof code is discovered there is no going back. Strong encryption is forever.
