Stop demonizing encryption
The security industry has more than its fair share of buzzwords and gimmicks. End-to-end encryption is not one of them.
The recent discovery of a vulnerability in WhatsApp has instigated discussions and spawned hot takes surrounding spyware and export controls, with some declaring that end-to-end encryption is ineffective. With this particular vulnerability, spyware created by the NSO Group could be uploaded onto a phone through a series of malicious data packets sent via VoIP calls. This enabled access to the content and data on a targeted phone. While this particular vulnerability may prompt concerns over WhatsApp’s overall security (a patch has since been released), it does not negate the value of end-to-end encryption. Furthermore, the current negativity toward encryption perpetuates misinformation and provides fodder for governments seeking to undermine security and privacy across the globe.
Yes, end-to-end encryption alone is not sufficient for complete security and privacy across every attack vector. However, it’s an effective safeguard and should remain a core component of any holistic security and privacy approach. End-to-end encryption is especially powerful in blocking man-in-the-middle attacks, where data in transit is intercepted by an unauthorized third-party. However, in cases such as the recent WhatsApp vulnerability, if a phone or application is compromised or appropriate credentials stolen, the data can become accessible.
In this regard, end-to-end encryption should be viewed as an essential tool in the defensive tool belt, but alone is not sufficient to protect data against every single mode of attack. Given the wide range of well-documented attack vectors targeting people, software, and hardware, different defensive tactics in conjunction are necessary. But for creating effective defenses against many of the most common data breaches, encryption is core to an effective defense. Given the persistence of unauthorized data leaks from misconfigured servers, external and insider threats, or third-party sharing, encryption can play a significant role in minimizing the broad impact of these breaches.
Importantly, an often overlooked benefit of encryption, in general, is how it can deter attackers and raise the costs of future attacks. While targeted attacks do occur, more common are opportunistic attacks that seek the easiest and most vulnerable targets. For opportunistic attacks, encryption renders data invaluable to attackers, who then seek more fruitful and easily accessible data. With targeted attacks, encryption still serves as a deterrent mechanism as it raises the resources required to compromise a target.
Additionally, the resources required to get around end-to-end encryption are often out of reach. In the case of zero-click exploits, they are extremely expensive. We’ve known for some time now that big checks are needed to get around this area: in 2015, the FBI paid somewhere between $900,000 and $1.3 million to break into an iPhone belonging to the San Bernardino shooter.
The willingness to expend these resources are not readily available, and most cannot devote the time or money to get around encryption. Instead, they may seek a seemingly easier path to accessing encrypted data, which in the case of national governments increasingly includes establishing policies requiring data access. For instance, Russia and Iran have both attempted to ban encrypted messaging app Telegram when the service refused to make the data accessible. India is exploring a similar strategy with WhatsApp: the country is currently debating legislation that would ostensibly require the removal of encryption for compliance. Additionally, Australia already passed legislation weakening encryption.
In contrast, because of the deterrent effect and the efficacy encryption provides, many data protection laws increasingly require encryption as one of several measures that demonstrates appropriate security. The most prominent of these, the European Union’s General Data Protection Regulation (GDPR), requires organizations to ensure a level of security appropriate to the risk, and includes encryption along with several other measures. In fact, a recent GDPR violation occurred when a German firm failed to encrypt their data, which resulted in 330,000 credentials being posted online. Italy issued its first GDPR fine to an organization that had several inadequate security measures, one of which was the use of weak cryptographic algorithms. As these examples demonstrate, encryption is viewed as one of the most effective ways an organization can take a broader, comprehensive approach to data protection.
Unfortunately, the GDPR seems to be the exception and not the norm when it comes to the current mood toward end-to-end encryption. Discussions that mock end-to-end encryption as a marketing gimmick fail to take into account the broad range of benefits it provides. These kinds of misguided conclusions are especially dangerous as policymakers debate encryption-weakening legislation, and it deters individuals from pursuing one of the most effective paths to data protection. There is no piece of technology that is infallible, but encryption remains integral for both security and privacy.
Andrea Little Limbago is a computational social scientist specializing in the intersection of digital technology, national security, and society. She is currently the chief social scientist at Virtru, where she researches and writes on the geopolitics of cybersecurity, global data protection trends, and usable security.