I. Defining Encryption and
other Key Terms
Encryption is the
conversion of readable data into a form that can only be understood be read by
those who know how to decode it. It can consist of a code that is
as simple as scrambling letters in a routinized way or as complicated as sets
of symbols and numbers that are dictated by algorithms. Examples of encryption
go back to ancient Egypt, and carry forward through WWII (the German “Enigma”
machines, for example) to the present day. Encryption in the electronic
communication context is “decoded” only by those who have electronic “keys” to
decode the communications.
A Server
is a computer program or a storage unit that provides different types of
functions for people’s contents. We commonly think of a server as a
computer that physically stores electronic data. Servers can store data
for individuals, for small businesses, or, in the case of the cloud, for
millions of people who use email services such as Gmail, Yahoo!, or Microsoft
email.
Metadata is data
about data and would include things like to/from information in an email and
date and time of a communication.
An algorithm,
in the context of encryption, is a general set of mathematical rules for
transforming regular text, or “plaintext,” into encrypted content.
A key
is a specific set of instructions used to apply the algorithm to a data or
information. The strength of the key defines the strength of the
encryption.
An app is specific
software that allows you to perform certain tasks. They are available
both for desktops and mobile devices. Examples of popular apps include
Facebook and LinkedIn, as well as messaging apps like those that come already
on smartphones.
A device, as discussed
below, can be both a mobile device (such as a phone or a tablet) and a desktop
computer or laptop.
II. Different
Types of Encryption/How Encryption Works
Encryption is
not new. It has been available for personal computing on certain
operating systems (including those produced by Apple and Microsoft) for many
years, and before that, was generally available for both written and oral
communication when such communication is over a wire.
End-to-end
encryption works by having each party to a communication create a pair
of keys, one of which they keep completely private, and one of which, called
the “public key,” is shared. Messages between two people using an encrypted app
or other can only be unlocked by the recipient’s unique private key. In
practical terms, this means that the content of those transmissions can only be
unlocked with access to the private key, which is protected on the
communication device. Such data would include device-to-device messaging and
app-to-app messaging. The Internet Service Provider (ISP), in general, cannot
unlock that data.
Device
encryption refers to the encryption of data on one’s own
mobile device. It works by incorporating an encryption key into the security
password on each person’s device (note that device encryption is available both
for mobile and desktop devices). Device and end-to-end encryption work
similarly, but technologically, they are separate functions. If you are
utilizing device encryption on your smartphone, for example, either by default
or by opting into it, this means that even the data that is sitting on your
phone is fully encrypted while it is sitting there. That would include
encryption of financial information, health information, or other sensitive information
that a person stores locally on her phone and that isn’t backed up to a cloud
or shared, as well as certain messages on messaging apps and device-to-device
messages. It could also include emails that haven’t been sync’d with an email
provider (such as Gmail or Yahoo!) and haven’t been backed up to a cloud.
Service-provider
encryption occurs when a provider, such as a cloud storage
provider, encrypts the data for the user. In this scenario, the provider
holds the encryption key and the relevant and legal policy question is when
that provider can be obliged to turn over that key to a third party.
III. The
Value of Encryption
Encryption protects
individual’s data and preserves the free flow of information. Encrypted
products and services are widely available across the globe. Recently, experts identified 865 hardware or
software products incorporating encryption from 55 different countries. This
includes 546 encryption products from outside the US, representing two-thirds
of the total number of encryption products.
Encryption Reduces Cybercrime
–
Cybercrime costs the US
$100 billion annually, and the global economy $445 billion each
year. Encryption is one of the primary recommended tactics for reducing
cybercrime. This is why its use has been recommended by the FBI, as well as network security experts.
Encryption Protects Users’ Sensitive Personal
Data
–
Encryption helps keep consumer’s financial,
health, educational, and other sensitive data safe from those who would use it
to do harm. Credit and debit card fraud alone cost over
$16 billion in 2014 and will exceed $35 billion in 2020. Encryption also
helps to protect people’s data in the event of a data breach.
Encryption Protects and Fosters Free Expression
–
Encryption protects free expression around the
world, especially in regimes where governments seek to punish people who speak
out against violent leaders and repressive laws.
–
Reducing the efficacy of encryption in the U.S.
will force users to keep their data on foreign platforms
IV.
Encryption and Law Enforcement Access to Data
–
Encryption does not necessarily prevent law enforcement
from pursuing investigations. Even if data is encrypted on a device, it
may be available through other means. For instance, it may be available
through valid legal process if it was backed up to the cloud or a cloud-type
environment (such as a private company’s exchange servers, in the case of an
employee’s emails). For these services, Internet companies or the owner of the
server hold a key to unlocking this data, if it is encrypted at all. This is so
that customers can, for example, restore their data if they lose it from their
device. In the case of third-party apps, there is often a corresponding
service that third-party apps provide, and data may be requested from them.
–
In addition, end-to-end encryption generally does
not encrypt metadata, which continues to be available to law enforcement and
the intelligence community when the metadata holders are presented with valid
legal process.
–
Several commentators have recently observed that while encryption
may make certain discrete pools of information difficult for law enforcement to
access, in other areas, law enforcement has more access to data than ever
before. Such data includes but is far from limited to social media, the
camera and microphone technology provided by hundreds of objects as they become
part of the Internet of things, and fitness and other wearables. Many new
“wired” objects will have Internet Protocol (IP) addresses that would be
accessible to law enforcement with valid legal process.
