top of page

Encryption, the Internet and Devices: A Primer for Policy Makers

I. Defining Encryption and other Key Terms:


Encryption is the conversion of readable data into a form that can only be understood be read by those who know how to decode it. It can consist of a code that is as simple as scrambling letters in a routinized way or as complicated as sets of symbols and numbers that are dictated by algorithms. Examples of encryption go back to ancient Egypt, and carry forward through WWII (the German “Enigma” machines, for example) to the present day. Encryption in the electronic communication context is “decoded” only by those who have electronic “keys” to decode the communications.


A Server is a computer program or a storage unit that provides different types of functions for people’s contents. We commonly think of a server as a computer that physically stores electronic data. Servers can store data for individuals, for small businesses, or, in the case of the cloud, for millions of people who use email services such as Gmail, Yahoo!, or Microsoft email.


Metadata is data about data and would include things like to/from information in an email and date and time of a communication.


An algorithm, in the context of encryption, is a general set of mathematical rules for transforming regular text, or “plaintext,” into encrypted content.


A key is a specific set of instructions used to apply the algorithm to a data or information. The strength of the key defines the strength of the encryption.


An app is specific software that allows you to perform certain tasks. They are available both for desktops and mobile devices. Examples of popular apps include Facebook and LinkedIn, as well as messaging apps like those that come already on smartphones.


A device, as discussed below, can be both a mobile device (such as a phone or a tablet) and a desktop computer or laptop.


II. Different Types of Encryption/How Encryption Works


Encryption is not new. It has been available for personal computing on certain operating systems (including those produced by Apple and Microsoft) for many years, and before that, was generally available for both written and oral communication when such communication is over a wire.

End-to-end encryption works by having each party to a communication create a pair of keys, one of which they keep completely private, and one of which, called the “public key,” is shared. Messages between two people using an encrypted app or other can only be unlocked by the recipient’s unique private key. In practical terms, this means that the content of those transmissions can only be unlocked with access to the private key, which is protected on the communication device. Such data would include device-to-device messaging and app-to-app messaging. The Internet Service Provider (ISP), in general, cannot unlock that data.


Device encryption refers to the encryption of data on one’s own mobile device. It works by incorporating an encryption key into the security password on each person’s device (note that device encryption is available both for mobile and desktop devices). Device and end-to-end encryption work similarly, but technologically, they are separate functions. If you are utilizing device encryption on your smartphone, for example, either by default or by opting into it, this means that even the data that is sitting on your phone is fully encrypted while it is sitting there. That would include encryption of financial information, health information, or other sensitive information that a person stores locally on her phone and that isn’t backed up to a cloud or shared, as well as certain messages on messaging apps and device-to-device messages. It could also include emails that haven’t been sync’d with an email provider (such as Gmail or Yahoo!) and haven’t been backed up to a cloud.


Service-provider encryption occurs when a provider, such as a cloud storage provider, encrypts the data for the user. In this scenario, the provider holds the encryption key and the relevant and legal policy question is when that provider can be obliged to turn over that key to a third party.


III. The Value of Encryption


Encryption protects individual’s data and preserves the free flow of information. Encrypted products and services are widely available across the globe. Recently, experts identified 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total number of encryption products.

Encryption Reduces Cybercrime:

Cybercrime costs the US $100 billion annually, and the global economy $445 billion each year. Encryption is one of the primary recommended tactics for reducing cybercrime. This is why its use has been recommended by the FBI, as well as network security experts.


Encryption Protects Users’ Sensitive Personal Data

Encryption helps keep consumer’s financial, health, educational, and other sensitive data safe from those who would use it to do harm. Credit and debit card fraud alone cost over $16 billion in 2014 and will exceed $35 billion in 2020. Encryption also helps to protect people’s data in the event of a data breach.


Encryption Protects and Fosters Free Expression

Encryption protects free expression around the world, especially in regimes where governments seek to punish people who speak out against violent leaders and repressive laws.

Reducing the efficacy of encryption in the U.S. will force users to keep their data on foreign platforms


IV. Encryption and Law Enforcement Access to Data

Encryption does not necessarily prevent law enforcement from pursuing investigations. Even if data is encrypted on a device, it may be available through other means. For instance, it may be available through valid legal process if it was backed up to the cloud or a cloud-type environment (such as a private company’s exchange servers, in the case of an employee’s emails). For these services, Internet companies or the owner of the server hold a key to unlocking this data, if it is encrypted at all. This is so that customers can, for example, restore their data if they lose it from their device. In the case of third-party apps, there is often a corresponding service that third-party apps provide, and data may be requested from them.

In addition, end-to-end encryption generally does not encrypt metadata, which continues to be available to law enforcement and the intelligence community when the metadata holders are presented with valid legal process.

Several commentators have recently observed that while encryption may make certain discrete pools of information difficult for law enforcement to access, in other areas, law enforcement has more access to data than ever before. Such data includes but is far from limited to social media, the camera and microphone technology provided by hundreds of objects as they become part of the Internet of things, and fitness and other wearables. Many new “wired” objects will have Internet Protocol (IP) addresses that would be accessible to law enforcement with valid legal process.

Recent Posts

See All

RGS Statement on EU-U.S. Date Privacy Framework

The Reform Government Surveillance (RGS) coalition today released a statement supporting President Biden’s Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, im

RGS Applauds House Passage of NDO Fairness Act

The Reform Government Surveillance coalition (RGS) applauds the bipartisan House passage of the NDO Fairness Act introduced by Representatives Jerry Nadler and Scott Fitzgerald. The NDO Fairness Act s

Comentários


Os comentários foram desativados.
bottom of page