Government vs. the Evolution of Encryption

| Dan Kruger
Dan Kruger
Dan Kruger

On March 11, President Barack Obama said that smartphones can’t be allowed to be “black boxes,” inaccessible to the government.  It is apparent that the government does not understand the evolution of encryption.

The computing and telecom revolution has been marked by a shift from centrally controlled communication and computing managed by large companies to distributed communication and computing managed by businesses and organizations. However, encryption has lagged behind.  Large-scale encryption is still centrally managed.  Cryptographic locks and keys are issued and managed by huge third party hardware, software, and service providers like Apple, Microsoft, Google, and Verizon.

Large-scale, third party centrally-managed encryption is unwieldy and limited in scope. Some of your data can be encrypted during some processes, some of the time. Because of that, the application of encryption is rare. Less than 0.1% of digital data is encrypted, largely because digital data is distributed by copying.  When you send somebody an email or share a file, your software makes a copy and sends the copy.  Copies proliferate like crazy and end up who knows where. Third party, centrally-managed encryption can only work on the copies the central authority knows about, and that’s few of the total copies.

Third party central authorities are selective about what parts of your data they encrypt and how long it stays encrypted. They generate substantial revenue from selling access to your data, some of which they encrypt against outsiders but decrypt for themselves.  You end up with little protection and lose rights attendant to your own data. If you doubt that, just read your service agreements.  You’ll be shocked.

I’m not throwing stones at Apple, Microsoft, Google, Verizon, or their competitors.  I’m glad they offer the limited encryption services they can.  That doesn’t keep me from recognizing that their ability to encrypt my data is sharply limited and that they sell access to my data.

The real problem is that the pressure the FBI was applying to Apple can be applied to any third party encryption central authority.  Any central authority that issues and control the locks and keys can be hacked, or backdoored, or socially engineered, and lose control of the data they were encrypting for their customers.

A new approach to encryption, distributed encryption, helps solve the third party central authority problem and is now being deployed in commercial software. Why the long wait?  Because distributed encryption requires a lot of processing capability, and common processors became powerful enough in just the last few years.  

Distributed encryption delivers ubiquitous (everywhere, all the time) encryption without any central authority.  Data is stored, copied, moved, and shared without ever being decrypted. Every individual digital object (office files, pictures, movies, texts, etc.) is encrypted, each with a different key.  Distributed encryption software makes what used to be complex — managing cryptographic locks and keys — automatic. Individuals and organizations own and manage their own keys and have direct and real control of access to their data

Distributed encryption makes third party, central authority backdoors useless.  What is the value of going through a back door to grab a bunch of data you cannot decipher?  Distributed encryption ultimately leads to most data being encrypted by default.  In a relatively short time, it is likely that most data, not a tiny percentage, will be encrypted, with no central authority that can be forced or fooled into providing access.

Ironically, the radical increase in distributed encryption is largely being driven by the U.S. government. Ever more stringent regulatory requirements for protecting data, particularly in finance, health care, and defense can only be met by using software that incorporates distributed encryption.

Attempting to regulate distributed encryption in a world with billions of computers and millions of software applications is a fool’s errand.

Given the controversy over the tiny amount of data that is now encrypted, what is going to happen when encryption becomes the norm? How will distributed encryption effect our Constitutional rights?  Our national security?  Distributed encryption enhances both.

Distributed encryption helps assure the 1st Amendment right to peaceably assemble in the digital world, free from mass surveillance.  

Distributed encryption is 2nd Amendment armament for the digital world.  It is personal protection against digital invasion.  I’ve never had to use a firearm to protect my physical self or property.  I use distributed encryption to protect my digital “self” and property every day.

Distributed encryption enables us to assure our digital 4th Amendment rights by forcing digital evidence collection back to due process and investigative procedures we can see and understand.

Distributed encryption is the strongest assurance that we can assert our 5th Amendment rights, if what would incriminate us is in our digital data.

The first description of distributed encryption I know of was written by a former Chief Technical Officer of the CIA over 15 years ago.  He predicted that distributed encryption would spread very quickly once it became available. He also warned that when distributed encryption began appearing, U.S. intelligence and law enforcement were going to have to go back into the human intelligence business. We are going to need spies and informants again. A lot of them.

Distributed encryption will provide an enormous economic good for the United States.  Estimated commercial losses to the U.S. economy from breaches and data theft is at least $500 billion annually.  Leaks and losses from governments cost lives and undermine national security.

Distributed encryption is a nightmare for totalitarian governments.  It can give their citizens truly private communications. Pushing software that uses distributed encryption into totalitarian countries may be one of the most powerful national security actions the U.S. can take.  Totalitarian governments forced to deal with increasing domestic unrest have less time and resources to attack the United States.

Will bad guys, foreign and domestic, use distributed encryption to do bad things?  Yes.  Do the benefits outweigh the costs for our citizens, businesses, and government?  Absolutely.  To quote Antonin Scalia: “There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all.” 

The Author is Dan Kruger

Dan Kruger is the EVP and Chief Architect of Absio Corporation, a cybersecurity software company specializing in secure communications. Prior to running and selling two previous software companies, Dan spent 15 years as a management consultant leading corporate turnarounds. 

Learn more about The Cipher Brief's Network here.

CLICK TO ADD YOUR POINT OF VIEW

Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *