Reclaiming our online privacy

Take a moment to reflect on your typical day.

You wake up, perhaps groggily fumbling for the phone beside your bed, thumbing through notifications and catching up on the news from last night. Maybe you then order a flat white from your favourite local café via an app, or video call a loved one overseas before settling into your emails for the day. It’s all so second nature, isn’t it?

However, have you ever paused to wonder about where all this data goes - all these digital breadcrumbs you’re scattering throughout your day? You see, in our hyper-connected world, data has become the new gold, and big tech companies have taken the mantle of modern gold miners.

Google knows your search habits, Facebook understands your social network, Amazon keeps tabs on your shopping tendencies, and your mobile phone provider? They track where you go. By using their services, we inadvertently create a digital persona that these tech giants have full access to. It’s a bit like leaving your diary open on the kitchen table for anyone to read, except this diary is continuously updated, and you can’t even see who’s having a peek.

While we might find the personalised ads and recommended products a touch creepy yet somewhat convenient, governments worldwide have also grown interested in these insights. The argument generally follows the lines of national security and the fight against crime and terrorism. However, the method proposed – the creation of ‘backdoor’ keys to end-to-end encryption – is sparking a heated debate.

The concept of government-created backdoors in end-to-end encryption applications raises multiple serious concerns. It is not merely a question of privacy but also one of security, freedom, and trust. Government agencies already have access to the logs stored by your internet service provider; although that access was originally granted only for intelligence and national security purposes, it has since widened to allow local police and local government to obtain it as well. As is evident in many government committees questioning tech, those in government with the ability to make decisions often don’t understand the technology or the consequences. We need to try to find ways to help them understand.

How might it possibly work?

To understand why it is bad, we first need to look at the ways governments might implement this and how it would be put into practice, so that we can understand the risks that might be introduced. Let’s begin with key escrow. Those of a certain age will remember the early days of eBay before PayPal: when you wanted to buy something of value and couldn’t be sure the seller could be trusted, you placed the payment with an escrow service, and the first approach is similar.

  • Key Escrow: In a key escrow system, a copy of the encryption keys used to encrypt and decrypt data is stored with a “trusted third party”. This party, presumably under legal obligation to cooperate with law enforcement, would be able to provide the key to authorities when required. This would allow authorities to decrypt any data or communications encrypted with that key. In practice this will be extremely difficult for a third party to manage on a per-user-account level.

  • Split-Key (Multi-Party) Systems: In this system, multiple parties each hold a piece of the encryption key. To decrypt the data, all (or a majority) of the key fragments must be combined. This could theoretically allow government access while minimising risk of abuse by requiring multiple independent parties to cooperate in order to use the backdoor. This could work in theory, continuing the existing practice of following legal process to obtain judicial oversight and limit access to just those accounts involved.

  • Software Backdoors: In this scenario, the software used for encryption itself contains a hidden method to bypass or disable the encryption. This could take many forms, from a special “master password” known only to the authorities, to a hidden functionality that, when activated, sends a copy of the encryption key to the authorities. And this, from what we can see, is what is being proposed: full access to all accounts at any time without judicial oversight.
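To make the split-key (multi-party) scheme above concrete, here is an added example, not code from the original post, that implements Shamir secret sharing in Python over a prime field. It splits a symmetric key into several shares so that any threshold of them recovers the key, and shows that single-party key escrow is simply the degenerate threshold-of-one case. The sample key and the 2-of-3 and 3-of-5 parameters are constructed for the demonstration; only the standard library is used.

```python
import secrets

# Field prime: 2^255 - 19 (the Curve25519 prime), comfortably larger than a 128-bit key.
PRIME = (1 << 255) - 19


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x, mod PRIME, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, threshold, share_count):
    """Split a symmetric key into share_count shares; any threshold of them recover it.

    The key is the constant term of a random polynomial of degree threshold-1,
    and share i is the point (i, f(i)). Fewer than threshold points fit every
    possible constant term equally well, so they reveal nothing about the key.
    """
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the given shares and return it as an integer.

    Correct only when at least threshold distinct shares are supplied; with
    fewer, interpolation still returns *a* field element, just not the key.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len):
    """Recover the key and return it as key_len bytes."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 128-bit key held as 2-of-3 shares by three independent parties.
    key = secrets.token_bytes(16)
    shares = split_key(key, threshold=2, share_count=3)
    assert recover_key(shares[:2], 16) == key                # any two holders cooperating
    assert recover_key([shares[0], shares[2]], 16) == key
    assert recover_secret(shares[:1]) != int.from_bytes(key, "big")  # one holder alone: garbage
    # Single-party key escrow is the same scheme with threshold=1: one share is the whole key.
    escrow = split_key(key, threshold=1, share_count=1)
    assert recover_key(escrow, 16) == key
    print("2-of-3 split and recovery OK")
```

Two points a practitioner would take from running this. First, the threshold only limits who must cooperate: once that many share holders act together, or are compromised together, the recovered value is the complete key and decrypts everything it protects, exactly as the single-party escrow case does. Second, plain Shamir shares are not authenticated, so a corrupted or substituted share silently yields a wrong key; any real deployment needs the shares integrity-protected and the reconstruction step audited, which is where the judicial oversight the text describes would have to sit.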

Why is this Bad?

Let’s explore some of the areas where I feel all of this is a particularly bad approach, to help you reach your own conclusions.

  • Threat to Privacy: Firstly, it’s essential to understand that the fundamental purpose of end-to-end encryption is to protect the privacy of individuals. It guarantees that only the sender and recipient can access the information being transmitted. When you communicate with your online bank website, only you and your bank can see that data. Creating a backdoor essentially strips away this privacy, as it provides a third party (in this case, the government) the ability to monitor and record private communications, which is a direct threat to an individual’s right to privacy.

  • Security Vulnerabilities: In terms of security, introducing a backdoor is akin to constructing a house and purposefully leaving one window unlocked for authorised persons to access if needed. Unfortunately, this unlocked window does not discriminate between authorised and unauthorised access. The same backdoor created for government access can be exploited by malicious actors. History has repeatedly shown that what one person can design and secure, another can exploit and undermine.

  • Potential for Misuse: If a government has access to a backdoor, there is the potential for misuse. This is not about casting aspersions on a particular government’s intentions, but acknowledging a realistic risk based on historical precedent. Absolute power can lead to absolute corruption, and it’s possible that such information could be used not just to protect citizens, but also to suppress dissent, manipulate public opinion, or target political opponents.

  • Undermining Trust: This proposition has implications for trust in digital communications, as well. If citizens know their communications are potentially monitored, they may hesitate to express themselves freely or engage fully online. This undermines trust not only in the applications themselves but in digital communications more broadly.

  • Global Impact: Digital borders are not recognised in the realm of the internet. If a government can access these backdoors, what prevents other governments, including authoritarian regimes, from accessing them as well? This is not a local issue but a global one, with potential to infringe upon the rights of citizens worldwide.

  • Technical Infeasibility: There’s also the question of whether such a system of backdoors could even be implemented effectively. Encryption is based on complex mathematical algorithms, and introducing a backdoor could destabilise the entire system, making it less secure for everyone.

  • Unintended Consequences: This is what I believe will happen if this were implemented. There’s a likelihood that those intent on hiding their activities would simply move to other, possibly more secure methods, if they knew their communications could be accessed through backdoors. This means the people governments most want to monitor could become even harder to track.

The risks associated with creating backdoors in end-to-end encryption far outweigh any perceived benefits. It would compromise the privacy and security of every user, possibly lead to misuse of power, stifle innovation, and potentially cause wide-reaching economic and social damage.

Won’t good governance mitigate the risk?

Edward Snowden’s revelations about the activities of intelligence agencies like the NSA in the United States demonstrated that governments can and do gain access to digital communications, often by legal means under the umbrella of national security. I got curious about this process a number of years ago when researching data access and eventually took a Stanford University course on Surveillance which dived deep into the legal processes.

While this legal process already raises significant privacy concerns, it is fundamentally different from creating universal backdoors in encryption. Let me explain: when a government agency requests access to specific data from a tech company for a particular case, it often involves a legal process and judicial oversight. There are checks and balances in place, albeit imperfect ones, that attempt to prevent misuse and protect individual rights.

It’s important to remember that backdoors aren’t selective. They don’t discriminate between “good” actors and “bad” ones. If a backdoor exists, it can be exploited by anyone who finds it - including cybercriminals, hackers, or foreign adversaries. It’s not just about the risk of government overreach and mass surveillance, but also about the significant threat to cybersecurity.

It’s one thing for a government to legally request data in specific cases under supervision, it’s quite another to insist that every communication be potentially open to scrutiny without cause or oversight. The latter is a clear invasion of privacy and poses enormous security risks. For these reasons, the creation of backdoors in end-to-end encryption should be strongly opposed.

So how do we reclaim OUR privacy?

Well, tech companies first of all need to get their house in order. An example is Apple, who champion privacy and end-to-end encryption to sell products, yet this end-to-end encryption is either not available to everyone or simply doesn’t work for everyone. As an example, at the time of writing, most of those with privacy concerns that I work with can enable end-to-end encryption for their accounts, yet for some in the same country, with the same device and the same software, it can’t be enabled, something Apple support are left scratching their heads over, or simply not revealing why.

We can begin by using and supporting organisations and applications which provide us with privacy end to end. A good resource to begin to dive deeper into learning how to protect your privacy is the Electronic Frontier Foundation (EFF), a leading non-profit organisation dedicated to defending civil liberties in the digital world. They have been at the forefront of major fights for privacy, free speech, and innovation for over 30 years.

The EFF provides a wealth of resources to learn more about online privacy and how to protect it. They provide guides on Surveillance Self-Defense, a particularly useful EFF resource that provides a guide to defending yourself and your friends from surveillance by using secure technology and developing careful digital habits. It offers tutorials and advice about security for various platforms and situations.

They also provide advice to developers and startups on how to incorporate strong privacy and security practices into their services and products. Like threat modelling, we can also model for privacy in designing systems, something I will touch on soon.

Electronic Frontier Foundation (EFF)