A growing chorus of law enforcement officials is calling for the weakening of commercial encryption software, or even an outright ban on encryption. In remarks before Congress, FBI Director James Comey recently called for legislation requiring technology companies to weaken encryption software so that the FBI can perform surveillance on terror groups such as ISIS. It has been reported that some ISIS fighters have used WhatsApp to mask their communications because the app supports encryption of messages.
The head of the NSA and even UK Prime Minister David Cameron have also called for backdoors to be inserted into encryption algorithms. However, encryption experts such as Bruce Schneier and others have pointed out flaws in this thinking. Any backdoor inserted into an encryption system, they say, will weaken it and expose data to attacks by cyber criminals, hackers and foreign spies. Also, passing legislation to outlaw these tools in the U.S. or U.K. would not stop a terrorist group from using encryption software developed in Finland, for instance.
In a testy exchange between NSA Director Mike Rogers and Yahoo! CISO Alex Stamos at a recent security conference, the tech company CISO pointed out that its 1.3 billion users span the globe. If Yahoo! were to build a backdoor into the encryption in its products, which foreign governments would be provided access? While Rogers declined to specify how the government would gain access to the data (and even steered clear of referring to such a capability as a “backdoor”), many observers have noted that there would need to be a master key or vulnerability that the government could exploit to decrypt the data in approved instances.
Not everyone in government agrees with weakening encryption. Terrell McSweeny, commissioner of the Federal Trade Commission, recently published an op-ed citing numerous high-profile hacks of cars, credit cards stored by retailers and passwords stored by websites. These attacks, she wrote, undermine the confidence people have in these technologies, and weakening the encryption technology that protects against them could have a significant economic impact. She recommends that websites and services protect customer data with end-to-end encryption and that smartphone makers store data encrypted on their devices.
Consumers, she says, can protect their data in the event their computer is stolen by using full disk encryption. Many operating systems, including Windows and Mac OS, provide built-in tools to do this. Taking security a step further, consumers can set a firmware password that prevents a thief from resetting their computer’s password, or even from reinstalling the operating system to resell the computer. FTC Chief Technologist Ashkan Soltani discovered the benefits of firmware passwords the hard way after his laptop was stolen and the thieves scheduled an appointment at the Apple store for help decrypting the computer’s hard drive (leading to their arrest).
You may be wondering how to protect your or your company’s information online. Skyhigh Networks recently analyzed 14,000 cloud services and discovered that while a promising 81.8 percent of them encrypt data in transit, only 9.4 percent of them store data encrypted. That’s troubling because in the event of a breach of one of these services, hackers could gain access to a lot of sensitive customer information. Some big names in technology don’t store data encrypted, which may surprise you. I’ve summarized the top 10 list below:
Even after a massive breach last year in which 145 user passwords were compromised, eBay does not store its users’ data encrypted. Neither do Gmail or Hotmail, both popular email services that store a lot of sensitive information. Think about the sensitive files users send to each other by email: tax documents, legal documents and embarrassing statements that could get them fired. Following McSweeny’s advice, consumers and businesses can protect themselves by choosing the 9.4 percent of apps that use strong cryptography to secure information both at rest and in transit, thwarting hackers, cyber criminals (and even spies).
Harold Byun is VP of product management at Skyhigh Networks. Prior to Skyhigh, he worked at MobileIron where he focused on mobile application delivery and security. Prior to MobileIron, he led the product management group at Zenprise (acquired by Citrix), where he launched their mobile DLP product and cloud offering to market. He also worked with the Vontu/Symantec DLP group and is the co-inventor on a patent filed for security risk visualization and scoring.