Encryption and Privacy Debates Highlight Serious Challenges for Both Consumers and Businesses

Thursday, March 24, 2016

Robert Grapes

7783bc8790e6328988ddfa4f92055e12

The court hearing in the central FBI vs. Apple encryption showdown has been delayed (and perhaps cancelled), so we may have to wait to see who wins. But the public policy debate over privacy is more inflamed than ever, and at least one fact seems indisputable: a lot is at stake.

There’s nothing quite like a high profile fight over the sanctity of our beloved smartphones to get consumers and companies alike to sit up straight and pay attention.

The debate comes down to national security versus individual privacy rights and corporate autonomy. Most technology and cyber security experts are certain that creating “back door” access for law enforcement that bypasses encryption would in effect create a “front door” for all sorts of bad guys, including authoritarian regimes like China and Russia that would demand the same access and likely use it to violate their citizens’ privacy and liberty. Government officials claim that they must have such access to defend against terrorists; about half of Americans polled currently buy their appeal to patriotism and fear of attack. 

Consumers might not be so okay with the idea of a government back door if they knew what their mobile devices, apps, and data collecting companies are capable of finding out about them—or if they knew more about Snowden and the NSA. Certainly one dramatic event—a massive breach or terrorist attack—could quickly swing the pendulum of public opinion to one extreme or another. The specter of widespread US spying through the NSA was enough to inspire the creation of tighter consumer privacy laws in Europe.

The FBI has argued that their request only applies to the San Bernardino terrorist’s iPhone. That’s a tough storyline to sell when the Justice Department is simultaneously fighting with WhatsApp in court, ordering that the Facebook-owned messaging app used by billions of people around the world provide “wiretap” access in a non-terrorism case. WhatsApp uses end-to-end encryption technology to protect its users private conversations, and argues it cannot comply with the order.

The Justice Department claims these cases aren’t about setting precedent, while privacy defenders like Tim Cook argue that granting access is like handing over a master key that can open millions of locks. Privacy and security advocates warn complying with government orders would void our strongest cyber defenses, embolden hackers and criminals, stifle competition and innovation, and do very little to stop terrorists, who will simply move on to encryption technology built elsewhere.

It’s clear that we are overdue for some thoughtful and careful legislation around privacy and data collection, but given the current political climate in the US, nobody is holding their breath. The current administration has been working on baseline consumer privacy legislation for years, with little progress. The FTC and FCC are still sorting out who enforces what, and are years behind addressing major data control concerns like cross-device tracking by marketing firms.

The uncertainties raised by the Apple and WhatsApp legal battles will give many companies cause to question their current and future approaches to encryption and consumer privacy. In the short term, this could prompt some critical internal conversations and reviews of privacy policies, and should light a fire under executives to make sure their company and product security strategies are in order. At the same time, companies that rely on encryption, consumer data collection, and public trust are nervously anticipating the fallout. At the very least, companies can expect a flurry of regulatory activity, a string of looming court decisions, and heightened concerns about data breaches.

As Tim Cook put it in his letter to customers, “The implications of the government’s demands are chilling.”

If Apple is somehow forced to build a backdoor through their encryption, the best data protection technology currently available will be weakened. Why would technology companies continue to spend R&D resources to build something the government will insist on breaking? As cryptography experts point out, foreign companies will be even more wary about working with encryption technology from the US.  And why would consumers continue to buy products they know the government can access? The digital economy is built on trust. Privacy is, therefore, a central economic issue. Breaking this trust could negatively affect American commerce (dampening mobile use, online shopping and banking, competitiveness in global markets) and hinder technology advancements (IoT, connected home, mHealth, and more).

Consumers, at least those who are paying attention, should be alarmed and looking for ways to gain greater control over their mobile devices and data, and demand more privacy protection and transparency from companies and government. It’s facile to think that potential identity theft is the biggest risk. Civil liberties, anonymity, personal safety, home security, children’s safety—all of it is at risk. As we allow ourselves to become ever more connected through wearables, mobile devices, IoT devices in our homes, security cameras, health trackers, and online bank accounts, we become exponentially more vulnerable to criminal attacks and government intrusion.

It’s worth mentioning that not all companies guard our privacy—Verizon was recently fined for its under-disclosed use of “supercookies” (originally set up as an opt-out feature). Several Android app developers were warned by the FTC against the undisclosed use of SilverPush, which turns on a device’s microphone to record background sounds, including TV shows, shopping locations, and conversations—highly valuable information that can be sold to marketers interested in hyper-targeting potential customers. The LA Times pointed out how far beyond smartphones we need to look when thinking about privacy and device security: connected homes are shockingly vulnerable. Whole search engines exist to provide online voyeurs access to unsecured video feeds from web cams and security systems in homes, schools, stores and public gathering places.

It’s no wonder we sometimes hide our heads in the proverbial sand—it’s overwhelming to consider the risks inherent to the vulnerabilities we know about, not to mention the ones we aren’t aware of and can’t control. From this vantage point, it’s hard to trust the government or commercial entities, and we certainly can’t wait for them to sort out laws, policies, and practices while we remain exposed. Besides, we love our smartphones and don’t want to stop playing games, sending texts, and posting to Facebook. It’s all too easy to let convenience win out over caution.

Fortunately, we at Graphite Software believe that there are actions that can be taken. First and foremost, educating ourselves and our families about data privacy and security goes a long way. Learn how to manage smartphone settings for optimal security. For example, don’t allow apps to turn on your microphone or camera. Turn off location services whenever possible. Android device users who haven’t enabled encryption (currently not enabled by default) should do so. Teach children and teens about good cyber hygiene, and monitor their posts, being sure to discuss the unintended consequences of sharing too much information online. Advocate for your own privacy (and your children’s) whenever possible, by lodging formal complaints about privacy violations, talking to teachers and administrators about privacy at school, and opting out of data collection whenever possible.

Finally, use technology to bring control closer. It’s your smartphone, so put it to work for you, not online data aggregators. Choose programs and devices that allow you to set boundaries between online accounts and activities. Setting up secure and hidden spaces allows you to keep banking activities isolated from everything else. Kid-friendly spaces can be completely blocked from other spaces on a device, and use of cameras, microphones, and certain apps can be prohibited in that space. Work and play spaces can be kept entirely separate, so that sensitive business information cannot be linked to gaming or shopping sites. The less sharing and collecting of data between apps and accounts, the more private your life and habits remain. When it is hard for cross-device trackers and data aggregators to integrate bits and pieces of your personal info, your profile remains incomplete and therefore less useful to identity thieves.

As the encryption and privacy debate unfolds, we can hope that good sense, balanced policy, and consumer-centric protections will prevail. But hope is not a security stance. Keep a tight hold on the reins, and hold those cards close to your chest. Don’t let your love of convenience and tech gadgets overwhelm your protective instincts.

Privacy is crucial asset for all of us—as individuals, businesses, and public organizations. Once abandoned, privacy and trust are not easily recaptured. Our personal and collective futures depend on how well we guard these treasures—right here, right now. 

7736
Cloud Security General Enterprise Security Policy Security Awareness
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.