WHY WOULD A BAN ON ENCRYPTION BE A BAD THING?
--

There's been a lot of talk recently about banning strong encryption, adding backdoors, and enforcing compliance with government requests.

It's unclear how these bans could be enforced, but as a mental exercise, let's say it did happen somehow. What might the consequences be? Obviously, no-one can predict the future, but here are a few thoughts and assumptions based on similar things that have happened.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

KEYS WILL LIKELY BE COMPROMISED

Government agencies don't have a great track record at keeping systems and data secure, and this will only be amplified if they are in control of various master keys.

Whoever is in charge of securing and maintaining keys will automatically get a giant target painted on their backs, and every malicious hacker, identity thief and nation state will put significant effort into compromising them one way or another. It could be through incompetence, or they could be threatened or bribed. It'd only take one mistake and the genie would be out the bottle.

A BLANKET BAN

So, if there was a dystopian law banning encryption, what might happen?

Well, all citizens in a specific geography would become targets. Like I mentioned above, as soon as a key is compromised and in the open, that's game over. All those people would be easy pickings for every bad guy out there.

Since different laws exist for different countries, anyone with any sense would start using foreign alternatives, and this would devastate economies. Customers would leave in droves.

Would businesses be able to protect their financial and legal information as well as trade secrets? If not, they wouldn't think twice about moving to a less hostile country, again severely damaging economies.

ENFORCING BACKDOORS

If government agencies started regularly enforcing the installation of backdoors, like they allegedly did with Apple, how might that effect companies and customers?

If this information is made public, then customers will likely leave en mass. Why would they stay if there are many, more secure alternatives?

I'd imagine this would harm companies in terms of talent too. Software engineers mostly understand the importance of encryption, so if they were asked to implement backdoors, I suspect many would quit. There are a few reasons for this, the first being, that those engineers who work on the backdoors will become targets themselves. They may be in possession of keys and information that would be worth a lot of money.

Also, if the creative process of making software is impeded by bureaucrats dictating how systems are designed, it will turn off so many current and potential engineers, incentivizing them to go elsewhere.

The final point is that once a company agrees to unlock a device or account on a case by case basis, then a non-stop conveyor belt of requests will probably start coming in, basically forcing those employees to become de-facto agents of the state, which is probably not why they originally took the job.

BAD GUYS WON'T FOLLOW THE LAW

No matter what ways the laws on encryption are changed, one thing can be certain, the bad guys won't follow them anyway. They don't care about the laws in the first place, so that means any changes would really be targeting normal, law-abiding people.

And if there was some magical way to stop bad people from using encryption, all they would do is change their tactics and go offline, which no amount of encryption laws would be able to combat.

ZERO GUARANTEES

So, after all that, even if this was implemented somehow, there would be zero guarantees that it would actually prevent any attacks and make any of us safer.

In the documentary Citizenfour, one of the first things Edward Snowden says is that though intelligence agencies publicly proclaim things are going dark everywhere, the reality is that they have more data than they ever have done before. The question is, can these agencies even process the oceans of data they have now?

It seems that after every major attack, intelligence agencies often say that the suspects were already known to the authorities. You may say that only if they had been able to unlock their communications, then everything would be safe, but that's not always the reality.

For example, after the Paris attacks this year, following raids, the police found that the culprits were actually communicating using unencrypted SMS on their phones.

We've got to remember that the bad guys are not infosec geniuses, so they probably make many mistakes that would be valuable for intelligence agencies, things like accidentally leaking data packets, ip addresses, choosing weak passwords, using outdated vulnerable hardware and software etc.

CONCLUSION

I hope this video wasn't too long or rambling, but to say this issue is important is an understatement. It needs to be addressed, and talked about.

Are we really willing to destroy our societies both technologically and economically, for the sake of hopefully catching an absolutely tiny fraction of our populations? Any potential benefits are severely outweighed by the devastation that I think would be brought about.

If you found this video useful, please consider sharing it. All sources I mentioned are included in the description. Thanks for watching.

SOURCES

- http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/
- https://en.wikipedia.org/wiki/Hillary_Clinton_email_controversy
- https://www.washingtonpost.com/politics/intelligence-leaders-push-back-on-leakers-media/2013/06/09/fff80160-d122-11e2-a73e-826d299ff459_story.html
- http://www.informationweek.com/government/cybersecurity/4-worst-government-data-breaches-of-2014/d/d-id/1318061
- http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html?_r=0
- https://www.theguardian.com/technology/2015/jun/04/us-government-massive-data-breach-employee-records-security-clearances
- https://www.theguardian.com/technology/2015/sep/23/us-government-hack-stole-fingerprints
- https://www.washingtonpost.com/news/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
- http://www.wsj.com/articles/u-s-postal-service-says-it-was-victim-of-data-breach-1415632126#
- https://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-
network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html
- http://arstechnica.co.uk/tech-policy/2016/04/chinese-crypto-researcher-sentenced-to-death-for-selling-150k-classified-documents/
- https://www.techdirt.com/articles/20151118/08474732854/after-endless-demonization-encryption-police-find-paris-attackers-coordinated-via-unencrypted-sms.shtml
- https://theintercept.com/2015/11/18/signs-point-to-unencrypted-communications-between-terror-suspects/
- https://theintercept.com/2015/11/18/terrorists-were-already-known-to-authorities/

--
BY NODE