End-to-end encryption isn't enough security for 'real people'

 


Computer scientists must improve security where we are most vulnerable -- on our own devices.

The Conversation

This article was first posted on The Conversation.

Government officials continue to seek technology companies’ help fighting terrorism and crime. But the most commonly proposed solution would severely limit regular people’s ability to communicate securely online. And it ignores the fact that governments have other ways to keep an electronic eye on targets of investigations.

In June, government intelligence officials from the Five Eyes Alliance nations held a meeting in Ottawa, Canada, to talk about how to convince tech companies to “thwart the encryption of terrorist messaging.” In July, Australian Prime Minister Malcolm Turnbull called on technology companies to voluntarily ban all systems that totally encrypt messages in transit from sender to recipient, an approach known as “end-to-end encryption.” British Home Secretary Amber Rudd made global headlines with her July 31 newspaper opinion piece arguing that “real people” don’t need end-to-end encryption.

These claims completely ignore the one billion real people who already use secure messaging apps like Signal and WhatsApp. And they leave no room for people who may decide they want that security in the future. Yet some technology companies look like they might be considering removing end-to-end encryption – and others installed backdoors for government access years ago. It’s been two decades since the Clipper chip was in the news, but now a revival of the government-business-consumer “crypto-wars” of the 1990s threatens.

One thing is very clear to computer scientists like me: We real people should work on improving security where we are most vulnerable -- on our own devices.

Endpoints are the weakest link

For the moment at least, we do have good, easy-to-use solutions for secure communication between computers, including end-to-end encryption of our messages. End-to-end encryption means that a message is encrypted by the sender and decrypted by the recipient, and no third party is able to decrypt the message.

End-to-end is important, but security experts have warned for years that the most vulnerable place for your data is not during transit from place to place, but rather when it’s stored or displayed at one end or the other -- on a screen, on a disk, in memory or on some device in the cloud.

As the WikiLeaks release of CIA hacking tools highlighted, if someone can gain control of a device, they can read the messages without needing to decrypt them. And compromising endpoints -- both smartphones and personal computers -- is getting easier all the time.

Why are we most vulnerable at the endpoint? Because we don’t like to be inconvenienced and because adding more protection makes our devices harder to use, the same way putting multiple locks on a door makes it harder to get in, for both the homeowner and the burglar. Inventing new ways to protect our digital endpoints without reducing their usefulness is very challenging, but some new technologies just over the horizon might help.

Next-generation solutions

Suppose a criminal organization or bad government, EvilRegime, wants to spy on you and everyone you communicate with. To protect yourself, you’ve installed an end-to-end encryption tool, such as Signal, for messaging. This makes eavesdropping -- even with a court’s permission -- that much more difficult for EvilRegime.

But what if EvilRegime tricks you into installing spyware on your device? For example, they could swap out a legitimate upgrade of your favorite game, “ClashBirds,” with a compromised version. Or, EvilRegime could use a malware “network investigative technique” as a backdoor into your machine. With control of your endpoint, EvilRegime can read your messages as you type them, even before they are encrypted.

To guard against either type of EvilRegime’s trickery, we need to improve our endpoint security game in a few key ways, making sure that:

  • EvilRegime isn’t masquerading as the company that makes “ClashBirds” when we install our software.
  • No one has tampered with our “ClashBirds” app before or after installation.
  • The app doesn’t have any backdoors or security holes that could be exploited by EvilRegime after we install it.

In addition, it would be ideal if users could control their apps’ security themselves, rather than having to rely on app store security provided by yet another vulnerable corporation.

Computer security experts are excited about the idea that blockchain technology might be able to help us secure our own endpoints. Blockchain, the technology that underpins Bitcoin and other cryptocurrencies, creates a verifiable, unchangeable public record of information.

What this means for endpoint security is that computer scientists might be able to create blockchain-based tools to help us verify the origin of our apps. We could also use blockchains to confirm our data haven’t been tampered with and to ensure our privacy. And as long as the source code for these programs is also free for us to inspect -- as Signal is today -- the security community will be able to verify that there are no secret backdoors.
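As an added illustration (not code from the article or from any existing tool), the sketch below shows the core data structure behind that idea: a hash-chained, append-only log of app releases that a device checks a downloaded “ClashBirds” update against. The publisher name, field names and function names are hypothetical, publisher signatures and blockchain consensus are left out, and the pinned head hash is assumed to reach the device from a widely witnessed source that is independent of the download server.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("prev", "publisher", "app", "version", "sha256")

def entry_hash(entry):
    # Canonical JSON so every verifier hashes identical bytes.
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_release(log, publisher, app, version, artifact):
    entry = {"prev": log[-1]["hash"] if log else GENESIS, "publisher": publisher,
             "app": app, "version": version,
             "sha256": hashlib.sha256(artifact).hexdigest()}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry["hash"]  # new head; clients pin this value

def verify_chain(log, pinned_head):
    # Every entry must commit to its predecessor, and the chain must end at
    # the head the client obtained independently of the download server.
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_hash(e):
            return False
        prev = e["hash"]
    return prev == pinned_head

def check_download(log, pinned_head, publisher, app, version, artifact):
    if not verify_chain(log, pinned_head):
        return "log-tampered"
    digest = hashlib.sha256(artifact).hexdigest()
    for e in log:
        if (e["publisher"], e["app"], e["version"]) == (publisher, app, version):
            return "ok" if e["sha256"] == digest else "artifact-mismatch"
    return "not-in-log"

def demo():
    # Constructed sample data; publisher name and file contents are made up.
    pub, genuine, swapped = "ClashBirds Studio", b"clashbirds 1.1 genuine", b"clashbirds 1.1 + spyware"
    log = []
    append_release(log, pub, "ClashBirds", "1.0", b"clashbirds 1.0 genuine")
    head = append_release(log, pub, "ClashBirds", "1.1", genuine)
    forged = copy.deepcopy(log)  # the record is rewritten to bless the swapped build
    forged[-1]["sha256"] = hashlib.sha256(swapped).hexdigest()
    forged[-1]["hash"] = entry_hash(forged[-1])
    return [check_download(log, head, pub, "ClashBirds", "1.1", genuine),
            check_download(log, head, pub, "ClashBirds", "1.1", swapped),
            check_download(forged, head, pub, "ClashBirds", "1.1", swapped),
            check_download(log, head, pub, "ClashBirds", "2.0", swapped)]
```

The third case is the one the chain exists for: a rewritten record is internally consistent, yet it no longer ends at the head hash the device already holds, so the swapped build is rejected.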

As with any new technology, there is an enormous amount of hype and misinformation around blockchain and what it can do. It will take time to sift through all these ideas and develop secure tools that are easy to use. In the meantime, we all need to continue to use end-to-end encryption apps whenever possible. We should also stay vigilant about password hygiene and about what apps we install on our machines. Finally, we must demand that real people always have access to the best security mechanisms available, so we can decide for ourselves how and when to resist surveillance.
