Senior officials in the Trump administration met on June 26 to consider pushing legislation that would ban tech companies from using forms of encryption that render information inaccessible to law enforcement. This is not a good idea.
This is according to experts such as Dr. Andrea Limbago, Chief Social Scientist at Virtru and an award-winning cybersecurity expert who worked closely with the Department of Defense. She says that this push raises a number of security concerns. Banning end-to-end encryption would put people’s personal data at risk, lead to larger and more frequent data breaches at companies, and hurt global security, as more countries would likely follow the US’s lead and do away with encryption in their own countries.
The ban on encryption was the subject of a National Security Council meeting which included top officials from key security agencies, according to Politico. While of course the proposal could go nowhere, these particular meetings have rarely been held under the tenure of National Security Adviser John Bolton. That suggests the policy is being taken particularly seriously.
The debate is over whether to push Congress to outlaw end-to-end encryption. Used by companies like Apple, WhatsApp, and others, end-to-end encryption means only the sender and recipient can read messages exchanged, not the companies hosting the conversation, or law enforcement. It’s also used to secure a variety of other kinds of information.
Authorities have butted heads with companies such as Apple in the past over terrorism investigations where they’ve struggled to access encrypted information. But while law enforcement’s frustration in these situations is completely understandable, the pros of end-to-end encryption vastly outweigh the cons.
What impact would banning end-to-end encryption have on people?
End-to-end encryption, and other measures such as two-factor authentication, do a fairly good job of keeping our information secure while requesting very little of us, notes Limbago. We could use things like VPNs and password managers to further increase our security, but those require individuals to proactively seek them out, and any amount of friction generally decreases the likelihood we will use a certain product. End-to-end encryption, by contrast, protects our information by working silently in the background. We don’t have to deal with it.
“End-to-end encryption and two-factor authentication solve over 90% of the vulnerabilities that an individual may encounter,” Limbago tells Inverse.
The end result of banning it is that your data would be much easier to access, whether by a third-party adversary, the software companies themselves, or the government, whether that be the United States’ government or China’s.
It would also harm the public interest, making whistleblowers less likely to share, or less comfortable sharing, important information with journalists and the public. It would also impact workplace communications, many of which are carried out through our phones, and specifically messaging services. Those chats would be more easily accessible, if someone wanted to get them.
Finally, it would also start a race to the bottom as other countries adopt the privacy-weakening standards.
Banning end-to-end encryption would set companies up to be breached
There have already been a lot of data breaches, whether that be Equifax, Marriott, or Yahoo, just to name a few. Their frequency has been numbing, but there’s no doubting that breaches would be far more frequent, and far more severe, without encryption, according to Limbago.
“What’s going to happen is we’re going to keep getting more, bigger, and more frequent data breaches and compromises because of the lack of encryption,” Limbago tells Inverse.
These sorts of breaches don’t just expose proprietary company information, but also information about millions of users, meaning that your data is at risk too. The value of your health data in particular would make it a juicy target for hackers. Employers might want to begin taking health care data into consideration when thinking about hiring you. Insurance companies obviously want the data to be able to adjust rates better than their competitors. All this data would be vastly more accessible without end-to-end encryption.
Why is a ban being considered now?
Bans are becoming more attractive to lawmakers as larger companies like Facebook, and its billions of users, gravitate toward end-to-end encryption as the default. Limbago says that their chief consideration is the sheer volume of encrypted messages that will soon be sent. But the view is short-sighted, she explains, because beyond the domestic implications, rolling back end-to-end encryption would hurt the U.S. from a global security perspective.
“We’re a symbol for a lot of countries around the world for human rights and civil liberties, and doing away with encryption would give all these other governments basically free rein to say, ‘oh yeah, we’re going to do away with encryption as well for security,’” Limbago says.
In countries with authoritarian regimes, this raises obvious concerns when it comes to tracking activists, journalists, and others, but it also means if the United States has to store data in other countries, governments there would have access to that as well. These concerns are already starting to become reality, with Australia rolling back certain kinds of encryption in the name of security.
“Weakening encryption doesn’t just weaken it for security forces, but for anyone to let them gain access to so many kinds of data,” Limbago says. “End-to-end encryption should be a fundamental right that people should have to protect their own privacy.”
To limit data vulnerabilities and avoid sharing further data online, be sure to use a VPN, a secure email client, and YubiKeys. And if Congress actually takes up this measure, be sure to call your representative.