There is growing alarm that digital data is darkening because of the increasing use of encryption on various information communication technologies such as mobile and smartphones.
Over the past couple of years, major providers of ICT products and services have enabled enhanced encryption features and settings for some of their devices and systems. At the same time, however, terrorist groups and criminal organisations are exploiting encryption to conceal their activities and networks.
Responding to announcements by Apple, Google, and other companies to increase encryption on their devices and for their services, the American Federal Bureau of Investigation director James Comey stated that, “Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it ‘going dark,’ and what it means is this: those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.”
Indeed, there is a rancorous debate between governments and civil liberties groups regarding this going dark crisis.
From a national security perspective, access to information helps governments and law enforcement agencies to prevent terrorism and investigate crime. Many governments and security agencies allege that the darkening of data by and through encryption undermines their information-seeking and interception capabilities of terrorist and criminal activities and networks.
The going dark problem is being fuelled by the use of default encryption settings and strong encryption standards on both devices and networks. Thus, many governments and security agencies are attempting to compel companies, both legally and voluntarily, to maintain access to their user information and communications and provide that access to them on demand, in compliance with appropriate laws and legal processes.
For instance, following the January 2015 attacks on Charlie Hebdo offices in Paris, the British Prime Minister David Cameron proposed an outright ban on various kinds of encryption technologies. Following the Paris attacks in November 2015, the French authorities have engaged in greater scrutiny of encryption software. Other European governments, meanwhile, have passed or are considering legislation requiring companies to maintain their users’ information and provide access to that information to the relevant authorities on request.
Information and communications companies are pressured by different governments to keep and make available user information
From a civil liberties perspective, encryption helps protect personal information from intrusion and surveillance. For example, Apple’s chief executive, Timothy D Cook, argues that providing governments with the keys to unlocking encrypted information and communications would, in fact, also open a door for hackers and therefore put legitimate business operations, transactions, finances, and user information and communications at even greater risk.
Many civil liberties groups argue that encryption helps ensure and protect individuals’ personal privacy from unwanted intrusions and surveillance. They worry that no encryption and unfettered access would compromise individuals’ privacy and also damage these companies’ economic viability. Further, they dispute the degree to which unencrypted access would actually help prevent terrorists and criminals from communicating information and, in so doing, prevent terrorist attacks and criminal activities.
Nevertheless, both sides of this debate have additional problems. On the civil liberties side, can and does preventing governments and security agencies from this access, even under lawful and legitimate circumstances, strike an appropriate balance between national security and personal privacy? Or does it unnecessarily stymie legitimate security measures and investigations?
On the debate’s national security side, can and does this access actually increase vulnerabilities of cyber espionage, hacking, and use by hostile actors who can exploit this access? Authoritarian governments, including Russia, Saudi Arabia, and the United Arab Emirates, already have legislation requiring companies to maintain user information and provide decryption possibilities to them.
In fact, many information and communications companies are pressured by different governments to keep and make available user information. Recently, US President Barack Obama concluded that efforts to enforce government backdoors into encrypted information and communications would also create pathways for hostile actors to gain access while establishing precedents for authoritarian governments demanding similar access. He therefore stated that Washington would not propose any particular legal bans on encryption software.
According to a recent report by Harvard University’s Berkman Centre for the Internet and Society, the going dark fears of governments and security agencies are overblown. The report, entitled Don’t Panic: Making Progress on the ‘Going Dark’ Debate, argues that encryption software does not severely challenge surveillance capabilities because new and diverse technologies, products, and services are providing ample avenues to follow suspects, compile information, and reconstruct communications that can begin to compensate for whatever information and communications channels may possible go dark.
The report notes that, although there will always be information and communication channels resistant to surveillance, online activities are not going dark. It questions, “Whether the ‘going dark’ metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not.” It discusses how companies’ commercial interests, coupled with market forces, limit the circumstances in which they offer encryption obscuring user information from the companies themselves. Moreover, ongoing technological developments indicate that there will continue to be abundant unencrypted data.
The report argues that the going dark debate is too narrow because it only focuses on encryption challenges on and for certain kinds of ICT, like mobiles and smartphones, thereby neglecting to take into account the bigger picture of other technological developments. The report presents five major trends that need to be addressed to develop a more informed and nuanced perspective on the inflated concern of darkening data.
First, encryption and other kinds of technologies for obscuring user information are unlikely to be widely adopted by most ICT companies because their own business models depend on access to that same information for their profits, revenue streams, and product functionality. Indeed, most companies want unencumbered access to user information. For instance, Google’s products display personalised advertising based on users’ information-seeking patterns, searches, and other behaviour signals. Facebook, meanwhile, can target specific audiences with tailored advertising with nearly 90 per cent accuracy based upon users’ location, interests, and behaviour.
Encryption, additionally, often makes the user experience more complex, interfering with their use of the ICT. Companies want to keep their interactions as easy and streamlined as possible. Thus, most companies will continue to maintain their ability to use information in the interests of their business and, consequently also, for government access.
Second, current software and systems environments are fragmented and there exists no comprehensive coordination or standardisation between them. For end-to-end encryption to work properly, for instance, both a sender’s and receiver’s messaging applications must support it, but not all do. It will therefore require greater coordination and standardisation in order for encryption to become comprehensive and widespread.
Third, cloud computing involves the movement of user information to centralised locations and data centres controlled and operated by companies. Most individuals are already in the cloud when using their smartphones, tablets, laptops, computers, game consoles, and web browsers. These centralised data repositories mean that user information no longer needs to be installed and stored locally on their own computer or servers – instead, their information is located, stored, and delivered through a cloud service where they are accessed on-demand anywhere at any time. This centralisation effectively removes control and custody from users to that of companies who have access to it.
Fourth, the internet of things is providing new kinds of access to unencrypted images, video, audio, and other data captured in real-time by the growing list of networked objects, thereby opening new surveillance channels. The internet of things is being built into everyday objects – these appliances, products, and clothing are being made with sensors and wireless connectivity in order to generate, collect, store, share, and analyse increasingly granular levels of information about their surrounding environments and then, transmit it to the cloud for processing and to their respective companies to control and use. This year, the number of internet-connect objects will exceed six billion, and by 2020, it will surpass 20 billion. The information gleaned by the internet of things presents countless new ways for the government, and others, to gain access to increasingly fine-grained, real-time information.
And, fifth, metadata is not encrypted because systems need it to operate. Metadata is unlikely to ever be encrypted because of functionality requirements, but also because it provides vast amounts of surveillance data that is too valuable for companies and governments, to relinquish.
This report, however, curiously provides a kind of Janus-faced approach to this debate. On the one hand, it reminds governments of the new and diverse opportunities for surveillance; on the other, it simultaneously warns about the threats to civil liberties invoked by those opportunities. According to Joseph Nye, a Harvard professor and former head of the American National Intelligence Council, “This report shows that the world today is like living in a big field that is more illuminated than ever before. There will be dark spots; there always will be. But it’s easy to forget that there is far more data available to governments now than ever before.”
This report concludes that these five major trends present new ways for the government, and other actors, to continue surveillance capabilities. These trends, consequently, raise even more complicated questions about national security and individual privacy than the current going dark debate. By examining the bigger picture, the tensions between security, privacy, economic competitiveness, technological progress, and government access, not to mention terrorism and crime, become increasingly fraught and entangled.
It is essential to broaden the debate beyond encryption. Informed decisions, regarding how open to surveillance the surrounding environment should be by our governments, foreign governments, and companies, need to be made. According to Jonathan Zittrain, a Harvard professor on internet law, it’s vital to address security and privacy concerns surrounding these trends, especially the expanding internet of things, before they become default conduits for surveillance and information-gathering.
Information is not going dark. Diverse, new, and emerging surveillance opportunities are increasing, not decreasing. They are being illuminated, not darkened. But they also raise important questions about the reach of governments and companies into the realms of personal information. We must understand the implications and address the issues of these trends in order to strike the right balance between security and privacy. But, for now, don’t panic.
Marc Kosciejew is head of department and lecturer in the Department of Library Information and Archive Sciences in the Faculty of Media and Knowledge Sciences, University of Malta.