Privacy in the wake of the Paris attacks
Like vast numbers of people around the globe, I’m appalled and saddened by the events of November 13, 2015 in Paris. I feel for the families as well as Western culture which, like 9-11, has taken a huge hit.
Which brings me to the issue of private and secure communication and data. A number of commentators in the US have been railing against commercial apps that offer unbreakable encryption for communication and that likely were the methods the terrorists used to communicate among themselves. Regardless of which side you fall on regarding privacy against governmental snooping, having no way to intercept terrorists’ messages that lead to an event like Paris is a legitimate problem.
Vendors like Apple have listened to the concerns of their customers (post the Snowden revelations) and have provided very powerful encryption on certain communications and data, for which the decryption keys are kept on the user’s device, not on the server side. This is a huge advance, since even a hacker breach of the vendor’s servers will not compromise the encrypted data. For example, did you know that iMessage on iOS and MacOS is securely encrypted in this manner? (See the TechCrunch article for more information.) Same with Keychain on MacOS. Without this level of security, Cloud services are simply too porous to store extremely sensitive data. However, since the vendors do not have access to the keys, they can’t provide them to law enforcement.
The Paris attacks demonstrate the rub: legitimate, lawful access by law enforcement (including the NSA) to private communications and data is important to help prevent or at least anticipate attacks like the one we saw in Paris. It’s really problematic that the French authorities didn’t see it coming.
As readers of this blog are aware, I’m less concerned about governmental agencies in the US spying on me. In some other countries, I’d be much more concerned about this. What I am concerned about is the amount of data being collected about me (and others) in the name of commerce in conjunction with the apparent lack of adequate safeguards on my data by various entities (both governmental and private). I do not trust that my communications and data will not be released into the wild. For some stuff, that’s fine. However, for other stuff, it’s a huge problem that has been largely mitigated by secure encryption that permits me to hang onto the keys.
So, what to do?
There’s going to be renewed debate whether governmental agencies, with appropriate safeguards, will be able to have a backdoor into your private communication and data. This time, the momentum will be much more in favor of it. I welcome the discourse. In my opinion, we need to solve this issue and soon. On the surface, governmental access vs. private and secure data appear to be mutually exclusive goals. I’m hoping we can come up with a reasonable compromise that satisfies both needs.
However, we all need to be diligent to ensure that lawmakers and others don’t gut the safeguards that currently exist.
Vive la France!
November 19th Update: I neglected a crucial element in the discussion of this issue. It turns out that there are other ways to get encrypted apps, even if the US government mandates some form of back-door. The end result is no real benefit, while potentially compromising your data’s security and privacy by letting it get into the wild. Please read “Update on the encryption issue post the Paris attacks” for more on this.