News Security Technology

The Year Encryption Won

SECURITY

BETWEEN THE REVELATIONS of mega-hacks of Yahoo and others, Russia’s meddling in the US electoral system, and the recent spike in ransomware, it’s easy to look at 2016 as a bleak year for security. It wasn’t all so, though. In fact, the last 12 months have seen significant strides in one of the most important aspects of personal security of all: encryption.

End-to-end encryption, which ensures that the only people who can see your communications are you and the person on the receiving end, certainly isn’t new. But in 2016, encryption went mainstream, reaching billions of people all over the world. Even more significantly, it overcame its most aggressive legal challenge yet, in a prolonged standoff between Apple and the FBI. And just this week, a Congressional committee affirmed the importance of encryption, giving hope that future laws around the topic will include at least a modicum of sanity.

There’s still a long way to go, and any gains that were made could potentially be rolled back, but for now it’s worth taking a step back to appreciate just how far encryption came this year. As far as silver linings go, you could do a lot worse.

Apple Bites Back

In February of this year, a California magistrate orderedApple to help the FBI get into an iPhone used by San Bernadino shooter Syed Rizwan Farook. Apple said no.

What followed was a nearly two-month stand-off between the FBI and Apple, one that saw both parties make their cases in court and in front of Congress alike. The core issue wasn’t whether Apple would help law enforcement; it does so regularly. It was whether Apple would create a tool that would weaken the iPhone’s encryption at the FBI’s behest. To do so would have both created special access that bad actors could also have exploited, as well as set a dangerous precedent. This would not have been—and likely still won’t be—the FBI’s last request.

“The FBI thought they had picked the perfect test case,” says Andrew Crocker, staff attorney with the Electronic Frontier Foundation. Because it involved a terrorist attack, public sympathy seemed likely to be on the FBI’s side. And to some degree it was; Donald Trump, at the time a long-shot GOP primary nominee, went so far as to call for a ban on Apple products.

What happened instead, though, is that Apple was able to effectively mount its case not just in the courtroom, but for the public. In the process, it explained what encryption is, and why it’s important, in ways that many iPhone owners may never otherwise have bothered to consider.

“The level of public engagement did a lot to improve the understanding of encryption,” Crocker says. “There’s a net benefit of having educated the public.”

There ultimately was no ruling in the case, as the FBI found a way into Farook’s iPhone without Apple’s help. In a way, that’s a shame, because a decision in Apple’s favor could have helped cement the separation between tech companies and law enforcement. Still, it brought encryption to the forefront of public consciousness, and put the rest of Silicon Valley on alert.

“It backfired [for the FBI] because it put a deep freeze on law enforcement’s relationship with the tech companies and with civil society,” says Nathan White, senior legislative manager with Access Now.

That broader awareness also couldn’t have come at a better time. Just a week after the Apple-FBI imbroglio finally ended, encrypted messaging blew up on a whole new scale.

Encryption For All

In early April, WhatsApp added end-to-end encryption to its popular messaging service. That includes messages, phone calls, photos, and videos. WhatsApp, it should be said, has over a billion users.

Better still, it rolled out encryption the right way. It’s enabled by default, meaning that two WhatsApp users are instantly secure in their communications without having to change a single setting. And it used the Signal Protocol, developed by Open Whisper Systems and widely acknowledged as the most reliable and secure end-to-end encryption available, to undergird its system. (Apple iMessage has offered end-to-end encryption for several years, but it has several known weaknesses not present in Signal.)

A few months later, Facebook announced that it would roll out end-to-end encryption as well for its popular Messenger platform. Its “secret conversations,” also based on Signal Protocol, launched in October to another billion users. Facebook’s approach isn’t quite as sturdy as WhatsApps; people need to opt-in, rather that encryption being on by default. Still, it’s a large-scale deployment that not only expands encryption’s reach, but helps normalize it.

“By rolling out end-to-end encryption in a very user friendly way, these companies are taking steps to protect people but also exposing people to security without overwhelming them,” says White.”

WhatsApp and Facebook aren’t alone. Google’s Allo messaging app and Duo video app offer opt-in, end-to-end encryption, also using Signal smarts. An app called Viber, which doesn’t have much of a US foothold but has 700 million users around the world, switched on its own end-to-end encryption in April. And the Signal app itself, the gold standard in encrypted messaging, saw downloads increase 400 percent following Donald Trump’s presidential win.

I do think we have to be vigilant. ANDREW CROCKER, ELECTRONIC FRONTIER FOUNDATION

If anything, 2016 is the year encrypted messaging became a default offering. The next step? To have it be a default setting as well, rather than an opt-in for which users have to dig.

“If you teach the public that it’s not something they should be using by default and considered normal, you sort of stigmatize it,” says Crocker. “It seems like something they should only use when they have something to hide.”

For now, though, they at least have the option. And hopefully will far into the future as well.

What Comes Next

While 2016 was a banner year for encryption, it’s uncertain what 2017 will bring. Trump opposed Apple, and has expressed a strong interest in vigorous use of surveillance powers. And the most encryption-based legislation to work through Congress was immediately derided as “ludicrous, dangerous, [and] technically illiterate.”

“Not to be too pessimistic,” says Crocker, “But I do think we have to be vigilant.” The next Apple-FBI case could show up any day, with guarantees how it will shake out.

There’s some hope, though, that the encryption gains made in 2016 have a chance to continue. Just this week, the US Congress Encryption Working Group released a report saying that “any measure that weakens encryption works against the national interest.” It’s as strong an endorsement from a bipartisan group as you’re likely to see.

“The report makes it clear that Congress is not going to move forward with legislation to weaken encryption,” says White, who points out that the Chairman of the House Judiciary committee was one of the report’s signatories. That should minimize the chances of anti-encryption laws making their way through Congress.

It’s not a firm guarantee, and who knows what a Trump administration will bring. For now, though, it’s enough to appreciate the gains encryption made in 2016, and be hopeful that 2017 will only build on them.

 

Leave a Reply