iPhone 11 side

In a world in which many of us store our whole lives on our phones from our health data to our banking details to our immediate location, encryption takes on the all-important role of keeping this sensitive data out of malicious hands.

But, what is encryption, how does it differ from end-to-end encryption and why would law enforcement agencies try to fight something so crucial to preventing cybercrimes? 

We reached out to several security experts and the National Crime Agency to learn all about encryption and the controversies that surround it. 

What is encryption? 

Encryption is the act of converting data into code to ensure it remains hidden, whether that be the messages you send from your smartphone, your FaceTime calls, or your bank transactions. 

“Encryption uses a sophisticated mathematical formula to convert digital content into an unintelligible series of seemingly random numbers”, explained Kiteworks senior director Bob Ertl. 

“When done right, only the intended recipients have the so-called private key to mathematically unlock the content”. 

The most basic common form of encryption is called encryption-in-transit. 

When you use an encrypted service – such as messaging apps Telegram and Facebook Messenger – that app uses an algorithm to generate seemingly random lines of code out of plain text, preventing your message from being snooped on in transit. 

When your message gets to the company’s server, it gets decrypted, before being encrypted again to be sent out to the recipient. Essentially, your data is encrypted any time its on the move, preventing it from being intercepted by anyone out to snatch it.  

Why is end-to-end encryption better? 

End-to-end encryption is a more advanced form of encryption and is the version generally favoured by privacy experts. 

End-to-end encrypted messages are scrambled from the moment they leave your device to when they arrive on the recipient’s. This means that not even the company hosting the server can see sneak a peak at what you’ve sent. 

Some services – like Apple’s iMessage, Signal and WhatsApp – have end-to-end encryption applied by default. Others – included the aforementioned Telegram and Facebook Messenger – have “secret chat” features that allow you to start an end-to-end encrypted conversation, but not everyone will know that they need to activate this setting to take advantage of that additional layer of protection. 

That isn’t to say that end-to-end encryption is without its controversy, though. 

So, how important is encryption actually? 

According to Roger Grimes, a data-driven defence evangelist at KnowBe4, very. 

“Almost no important communications or transactions could be performed without it”, explained Grimes. 

“Our monetary system would not work, credit cards would not work, the Internet would not exist, and every email and phone call could be listened into by anyone else. The only privacy and confidentially you would have would be between people who spoke directly to each other in a closed-in room and what was written on paper and stored in a locked file cabinet”. 

Of course, encryption is just one method of achieving data protection, explained Trevor Morgan, a product manager at comforte AG. 

Companies will try to guard data by hiding it behind protected borders, controlling user, software application and resource access to it, or by modifying the data itself – which is where encryption comes it. However, many business will employ a combination of these methods to secure your data. 

“Data protection is important because all businesses thrive on data”, said Morgan. 

“So much of our enterprise data has sensitive information within it, including peoples’ (customers’) personal information, financial information, health information, and other valuable data. Threat actors (hackers) want this data to exploit its value, either to blackmail the organization, to compromise the data subjects (the people the data is about), or to build a better data understanding of a broader target. However, threat actors cannot do anything with this sensitive information if they cannot read and understand it. The way to make sure that they cannot do so is to apply data-centric security to sensitive data or data elements using encryption, format-preserving encryption, or tokenization”. 

Why law enforcement has taken issue with it (and Apple) 

Companies have made headlines over the years for ignoring requests from law enforcement to create backdoors to unlock devices or decrypt messages that have been seized in investigations. 

Apple, in particular, came under fire in 2020 for refusing to comply with an FBI request that would involve creating a tool to unlock the two iPhones that belonged to the gunman in the Pensacola Naval base shooting. The shooting, which took place in Florida, ended in four deaths including that of the gunman. 

Attorney General at the time William Barr claimed that Apple did not provide enough assistance in the month that followed the shooting. 

While Apple says it handed over “many gigabytes” of iCloud data to the FBI, the company refused to undermine its OS’ encryption by breaking through the password on the lock screen. 

This wasn’t the first time Apple had clashed with law enforcement. In 2015, the company faced similar demands from the FBI in the wake of the San Bernardino attack. It ultimately refused to help and the FBI was forced to turn to Israeli digital forensics firm Cellebrite to crack it. 

Rather than give in to these demands, Apple has doubled down on its privacy features over the years. 

With iOS 11, it introduced a feature that disabled USB communications one hour after the phone was last unlocked, forcing law enforcement agencies to work fast if they want to extract data from a seized phone. 

In 2021, the company launched a host of new security features, including Private Relay, which encrypts Safari traffic by sending any website requests through two separate relays, meaning that no one but you and the website can see what you’re up to. 

While features like these are great news for privacy advocates, it’s easy to see how criminals could take advantage of this level of encryption to slip past law enforcement. 

You might be wondering why Apple can’t just open a backdoor to help out specifically in serious criminal investigations. 

Ultimately, it comes down to the fact that opening this door for one person, means opening it for everybody. Doing so would create a huge flaw in the system, and there are countless groups and individuals – from hackers to corrupt government bodies – ready and waiting in the wings to exploit that vulnerability. 

As a company that has built its brand on privacy, that isn’t something Apple is willing to compromise on. 

“I have a team that works 24 hours a day, seven days a week, responding to exigent requests from law enforcement”, said senior director for global privacy Jane Horvath at CES 2020. “We have helped in solving many cases, preventing suicides. But, building a backdoor to encryption is not the way that we’re going to solve those other issues”. 

Of course, this hasn’t prevented politicians and law enforcement agencies in the US and the UK from highlighting the consequences of end-to-end encryption. 

We reached out to Rob Jones, director general at the NCA, who explained how encryption has become a hurdle for law enforcement in obtaining evidence for serious crimes and what this could mean as more commonplace apps, like Messenger and Instagram, are set to roll out end-to-end encryption by default. 

“Strong encryption protects users’ privacy and can provide many benefits, but any move to end to end encryption (E2EE) also needs to include measures which maintain the ability to protect children and identify images of abuse. A jump to E2EE without this capability risks  turning the lights out for law enforcement worldwide”, explained Jones. 

“The nub of the CyberTip regime, used by industry to report child sexual abuse, to the National Center for Missing and Exploited Children (NCMEC) in the US, is content and that allows a very fast dynamic law enforcement response because it enables us to develop suspicion, belief or in other jurisdictions, probable cause. 

“That content will go if the current privacy model lands in the way it’s been described. So all those tips are at risk – all of those tips. 

“The NCA and UK policing currently make over 500 arrests and safeguard more than 650 children every month as a direct result of industry reports of child sexual abuse material.

 “That will become much more challenging under E2EE.” 

You might like…

Is Signal safe? We asked security experts about the messaging app and your data

Is Signal safe? We asked security experts about the messaging app and your data

Hannah Davies
6 days ago

Best VPN 2021: Top 7 VPN options for security and streaming

Best VPN 2021: Top 7 VPN options for security and streaming

K.G. Orphanides
12 months ago

Best antivirus:  Top 5 picks to protect your computer

Best antivirus: Top 5 picks to protect your computer

K.G. Orphanides
2 years ago

While undermining its own privacy would be a questionable move for any company, for Apple it would look almost hypocritical as the company has built its brand on privacy over the years. Though, according to security expert Grimes, the situation might not be as cut and dry as it looks. 

“I think the bigger issue in this particular article/scenario is why is it so important that Apple not undermine their own phone’s inherent encryption, even if it means protecting the privacy of a murderous terrorist? That’s because to show that there are ways to beat the encryption…or even not try their best to prevent others from attacking the encryption, is essentially saying there really isn’t good encryption…and it makes everyone else suspect the quality of the encryption”, explained Grimes. 

“If the world thought that Apple’s encryption could be readily bypassed when desired, it would incentivize Apple’s customers to buy from other vendors who do value privacy more. It would be the death knell of Apple as a company. 

“Interestingly, there are many ways to bypass Apple’s encryption. Notice that law enforcement is no longer trying to get court orders to compel Apple to help them bypass the encryption. There are many ways to bypass the encryption and dozens of firms who will do it, for a price. You don’t even have to be a super genius to do it, if you’ve got time. All you have to do is wait until Apple announces some big vulnerability that bypasses all their phone’s defenses (this happens several times a year), and then utilize one that can be used remotely without having to do something on the phone. These happen at least once a year if not several times. Then exploit that vulnerability before the patch is applied. Easy peasy. 

“But if Apple is seen as actually helping people or organizations to bypass their encryption it would make a larger percentage of their customers go elsewhere”. 

Regardless of whether you choose to use an app with end-to-end encryption, such as Signal or WhatsApp, or one that requires you to opt in to the feature, like Telegram, there are some easy steps you can take to ensure your devices are protected from hackers and malware. 

These include installing antivirus software (our current favourite antivirus is Kaspersky Internet Security) and investing in a good VPN. Right now, Surfshark tops our best VPN list for its speedy performance and great value subscription offers.

You can get Surfshark from £1.82/$2.49/€2.07 per month (24 months).

The post What is encryption and why does law enforcement have a problem with it (and Apple)? appeared first on Trusted Reviews.

More on…www.trustedreviews.com

Share this post