Professor of Computing Sciences Megan Squire writes about how a move to ban systems that totally encrypt messages from sender to recipient threatens access to the best security mechanisms. Originally published by The Conversation, the article has appeared in Scientific American, the San Francisco Chronicle, Phys.org and other media outlets.
By ,
Government officials continue to seek technology companies’ help fighting terrorism and crime. But the most commonly proposed solution would severely limit regular people’s ability to communicate securely online. And it ignores the fact that governments have other ways to of investigations.
In June, government intelligence officials from the nations held a meeting in Ottawa, Canada, to talk about how to convince tech companies to “.” In July, Australian Prime Minister Malcolm Turnbull to voluntarily ban all systems that totally encrypt messages in transit from sender to recipient, an approach known as “end-to-end encryption.” British Home Secretary Amber Rudd made global headlines with her July 31 arguing that “” don’t need end-to-end encryption.
One thing is very clear to computer scientists like me: We real people should work on improving security where we are most vulnerable – on our own devices.
Endpoints are the weakest link
For the moment at least, we do have good, easy-to-use solutions for secure communication between computers, including of our messages. End-to-end encryption means that a message is encrypted by the sender, and decrypted by the recipient, and no third party is able to decrypt the message.
End-to-end is important, but security experts have that the most vulnerable place for your data is not during transit from place to place, but rather when it’s stored or displayed at one end or the other – on a screen, on a disk, in memory or on some device in the cloud.
As the highlighted, if someone can gain control of a device, they can read the messages . And compromising endpoints – both smartphones and personal computers – is all the time.
Why are we most vulnerable at the endpoint? Because we don’t like to be inconvenienced, and because adding more protection makes our devices harder to use, the same way putting multiple locks on a door makes it harder to get in, for both the homeowner and the burglar. Inventing new ways to protect our digital endpoints without reducing their usefulness is very challenging, but some new technologies just over the horizon might help.
Next-generation solutions
Suppose a criminal organization or bad government, EvilRegime, wants to spy on you and everyone you communicate with. To protect yourself, you’ve installed an end-to-end encryption tool, such as , for messaging. This makes eavesdropping – even with a court’s permission – that much more difficult for EvilRegime.
But what if EvilRegime tricks you into installing spyware on your device? For example, they could swap out a legitimate upgrade of your favorite game, “ClashBirds,” with a compromised version. Or, EvilRegime could use a malware “” as a backdoor into your machine. With control of your endpoint, EvilRegime can read your messages as you type them, even before they are encrypted.
To guard against either type of EvilRegime’s trickery, we need to improve our endpoint security game in a few key ways, making sure that:
- EvilRegime isn’t as the company that makes “ClashBirds” when we install our software.
- No one has with our “ClashBirds” app before or after installation.
- The app doesn’t have any or that could be exploited by EvilRegime after we install it.
In addition, it would be ideal if , rather than having to rely on provided by yet another vulnerable corporation.
Computer security experts are excited about the idea that might be able to help us secure our own endpoints. Blockchain, the technology that underpins Bitcoin and other cryptocurrencies, creates a of information.
What this means for endpoint security is that computer scientists might be able to create blockchain-based tools to help us . We could also use blockchains to , and to . And as long as the source code for these programs is also free for us to inspect – as today – the security community will be able to .
As with any new technology, there is an enormous amount of around blockchain and what it can do. It will take time to sift through all these ideas and develop secure tools that are easy to use. In the meantime, we all need to continue to apps whenever possible. We should also stay vigilant about and about what apps we install on our machines. Finally, we must demand that real people always have access to the best security mechanisms available, so we can decide for ourselves how and when to .
, Professor of Computing Sciences,
This article was originally published on . Read the .