Law enforcement officials continue to lobby against encryption, saying it makes catching criminals and preventing terrorism more difficult. But they’re getting the ‘privacy vs. security’ debate fundamentally wrong. Here’s why.
Four years ago, the Pew Research Center, a US think tank, asked hundreds of cybersecurity experts to weigh in on a simple question: “By 2025, will a major cyber-attack have caused widespread harm to a nation’s security and capacity to defend itself and its people?” A majority of the respondents said yes.
“Cyber attacks will become a pillar of warfare and terrorism,” said one tech executive.
“Current threats include economic transactions, power grid, and air traffic control,” said a NASA researcher who now runs a space robotics firm. “This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure.”
“Cyberwar just plain makes sense,” said a former general counsel for the NSA.
In the few years since that report came out, we have witnessed Britain’s National Health Service (NHS) crippled by stolen NSA ransomware, the US power grid infiltrated by Russia, and hundreds of millions of digital records exposed to hackers. In other words, the experts’ predictions are right on track.
Yet at the same time, governments around the world are pushing to weaken the very encryption that can help to keep our personal records, our infrastructure, and our democratic institutions safe from bad actors. Most recently, the Australian government has waged a campaign to promote encryption backdoors, which would weaken the right to privacy and make us all less safe.
State security officials are sending two conflicting messages: On one hand, encryption (i.e. privacy) is dangerous; on the other, cybersecurity is the battlefield of the 21stcentury.
In fact, privacy and security go hand in hand. The widespread use of strong encryption both guarantees individuals’ right to privacy while hardening society against waves of data breaches and cyber-attacks.
Why governments don’t like encryption
For example, Australia’s Assistance and Access Bill would require tech companies to build vulnerabilities into their security systems that could be exploited by law enforcement. If the law passes, it could also be used by US agencies thanks to the Five Eyes intelligence-sharing agreement, even though American legislators have so far refused to mandate encryption backdoors.
Proponents of these kinds of laws say encrypted services, like WhatsApp or ProtonMail, allow criminals to plan and carry out attacks beyond the reach of police.
Privacy vs. security is a false dichotomy
First of all, there is very little evidence that government surveillance prevents terrorism. For instance, in 2013, the White House reviewed the NSA’s mass phone surveillance program and determined it was “not essential to preventing attacks.” Police foiled most attacks the old-fashioned way: through informants and tips.
More importantly, it is impossible to create a backdoor that only the police can use. Last year’s WannaCry ransomware attack, which hit over 300,000 computers in over 150 countries (including the UK’s National Health Services) is the perfect cautionary tale. The attack relied on a vulnerability in outdated versions of Microsoft Windows that was first discovered by the NSA. Instead of disclosing the discovery to Microsoft so it could be patched, the NSA kept it secret to be used as a future backdoor into computer systems. However, the NSA was itself hacked, and the exploit was stolen, weaponized, and ultimately unleashed on the public.
The WannaCry example shows how tools intended for “the good guys” can easily fall into the wrong hands. In the age of cyber-attacks, there is a more responsible way forward.
Privacy tools make us all safer
In the age of self-driving cars, it isn’t difficult to imagine a future cyber-attack that puts lives at risk. Although no one is known to have died as a result of the WannaCry attack, an attack targeting hospitals could have life and death consequences. So could an attack against aviation systems or a nuclear power plant. The only way to prevent these kinds of attacks is stronger cybersecurity.
Cybersecurity means many things, from enforcing good operational security within organizations to keeping software up to date with the latest security patches. Individual cybersecurity requires strong passwords and strong encryption. Every major data breach has involved unencrypted data pilfered from corporate or government servers, exposing people’s personal and financial information. In many cases, the use of end-to-end and zero-access encryption, like the kind used at ProtonMail, would have drastically mitigated the damage caused by these attacks.
Privacy and security are not in opposition, despite what some politicians and law enforcement officials would have you believe. Rather, they are two sides of the same coin. A digital system that is built in a secure way is also necessarily private. By promoting cybersecurity, rather than weakening it, we can support both the right to privacy and public safety.
The ProtonMail Team
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.