Encrypt everything

We techies already knew, or rather suspected, that there is widespread and tenacious call and data surveillance. Thousands of documents disclosed by Edward Snowden confirmed our hunches, giving names to the actual programs, describing the details and showing their extent, beyond what we could have imagined. Now we know. There are social, political and legal ramifications of this knowledge. This is already happening. Concerns have been expressed by EU countries, by U.S. citizens and by privacy advocates including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU). There are lawsuits. For example, the ACLU filed one against several branches of the U.S. government including the National Security Agency, the Department of Defense and the Department of Justice after Snowden documents revealed a secret order for the indiscriminate capturing of call metadata from Verizon Business Services.

U.S. intelligence officials downplayed privacy concerns, saying that not the content of the calls but only metadata is being collected, archived and searched. Metadata refers to the data about the data, including who is making the call or sending the email to whom and when, rather than the content of the actual call or email. Many do not agree that monitoring and collecting metadata is acceptable. The ACLU, EFF, and several U.S. professors signed a declaration that the law protects metadata as well. The lack of trust in our communication backbone, the one that connects us and provides access channels to our work, to our friends and families, to our banks, to our insurance companies and to our healthcare providers is far too serious to ignore. This is one step beyond privacy. The lack of trust in the network will keep people away from it. This will break the Internet as we know it.

How do you bring trust and privacy to the Internet in a permanent way?

Yes, there is a technological answer: encrypt everything.

Encryption is a mathematical transformation that makes a message illegible to everyone except the intended recipient.

With the help of encryption technology, two parties may communicate over a public channel such as the Internet without worrying about others seeing the content of the message.

While the history of encryption and secret codes is as old as writing itself, the 20th century brought us the most important developments, such as unbreakable encryption methods and the ability to have multiple parties encrypt and send a message to a single recipient to be decrypted and read.

Therefore, email or instant messages between two people may be encrypted to bring privacy. Furthermore, phone calls and video conferencing feeds may also be encrypted.

The technology exists and is used in some contexts but is not ubiquitous and definitely not the default. For example, encryption is offered for e-commerce via the https protocol to allow us to securely communicate with our favorite shopping websites. The real purpose is to protect our financial information, mainly credit card numbers together with one's name, address and other related data. This technology has been available since the mid-1990s and it is the sine qua non of e-commerce infrastructure. If it were not available, there could not have been a single credit card transaction over the Internet. So why not take the encryption technology of e-commerce and apply it to all communication? Why has this not happened yet? It did not happen because the technology world was too lazy to offer encryption and because there was no consumer demand for it. As expected, encryption technology brings another layer of complexity, costing more time to connect and communicate, as well as more energy. Our ever-so-efficient communication backbone is very sensitive to additional fiddling. Without real demand, encryption just will not happen.

The question: Is there a demand for encryption now? I sense, yes, there is. Big technology companies such as Google have already started responding to consumer demand. As you also read in Daily Sabah last week, Google now encrypts all data between the user's computer and its servers via the https protocol.

This will keep all email content away from unauthorized third parties. However, the traffic information, or who is talking to whom, may still be available. This brings us to the discussion at the beginning of this article: metadata. The https protocol does not have a readily available feature to hide the identity of the communicating parties. To create an Internet infrastructure that provides complete privacy including metadata, there is more work to do. Technological solutions do exist, but they have not been implemented yet. Their realization and deployment will depend on whether consumers insist on complete privacy. Time will tell how this will turn out.
