I have only recently decided that the time has come for me to weigh in on the so-called “Encryption Debate”. Before I do, I would like to state that, given that Raketu has pioneered a lot of new security- and encryption-related technology, we are obviously on the side of keeping encryption, and on the side of no backdoors.
Firstly, not all of the encryption that everyone is talking about is the same. Most of the large companies that are proponents of encryption mean “encryption in transit”, not “encryption of content”. Let me explain. Facebook and WhatsApp, for example, claim they support Apple in their fight for encryption. Facebook and WhatsApp do not encrypt the content of their posts, messages, etc. – think about it: if they did, could they “scan” your posts and messages and decide what targeted ads to send you? The answer is no. If you read what they do and what they say (mostly between the lines), you find that they support encryption for content in transit – while it is being sent from the origin to their servers – not while it is at rest, saved on their servers. Apple is also primarily concerned with in-transit encryption of iMessage and FaceTime content, and clearly not with the content at rest in iCloud (note that Apple is developing a form of encryption for iCloud, but they will hold the keys to decrypt it). Apple also has what is called local encryption on their i-devices, which is encryption of local content – but in Apple’s case, the content is not necessarily only on the i-device, locally, but most likely also on iCloud and on their servers elsewhere, either not encrypted or encrypted with keys that Apple has. Apple even admits this on their site, but carefully chooses the words to, in my opinion, mislead the consumer:
“Apple has no way to decrypt iMessage and FaceTime data when it’s in transit between devices. So unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to. While we do back up iMessage and SMS messages for your convenience using iCloud Backup, you can turn it off whenever you want. And we don’t store FaceTime calls on any servers.”
Let’s quickly examine these statements. Apple admits that it has no way to decrypt iMessage and FaceTime data “when it’s in transit”. The next statement, “unlike other companies’ messaging services, Apple doesn’t scan your communications”, is probably true while the content is in transit, but how about when it is at rest, in iCloud or on their servers elsewhere? So they can scan your communications. The next statement, “we wouldn’t be able to comply with a wiretap order”, is only true because of in-transit encryption. They allude to the non-encrypted nature of storing iMessage and SMS on iCloud, and state you can turn it off – by default it is on. And the last statement, about not storing FaceTime calls on any servers, implies they do store other data on their servers (since they don’t mention any other data), and they admit they are not storing any voice or video call content itself on their servers – they are not recording your conversations, although there is no mention of storing the metadata (who is talking to whom). Bottom line: your content at rest is not encrypted with Apple, and Apple is not recording your voice/video calls.
This is not just the case with Apple, Facebook and WhatsApp; there are many, many others who make claims like end-to-end encryption and ‘we don’t store your messages’. The truth is, the vast majority of companies out there that claim end-to-end encryption mean in-transit encryption only – not encrypted content. And the vast majority of companies out there that claim they ‘don’t store your messages’ actually DO store your messages on their servers – and usually not encrypted.
Undoubtedly, Apple standing up for encryption in general is a very, very good thing in the name of privacy, and we support them in their efforts. Unfortunately, what is happening is that a lot of these large companies are getting on the “bandwagon” of encryption, while still allowing themselves to see, read, and scan the content.
Specifically in the Apple encryption case with the FBI (2016), Apple is saying they will not unlock the iPhone in question by building a “back door” to unlock it. And, since it is locally encrypted, Apple claims they don’t have the key to decrypt the local content – which is great. However, this content most likely exists elsewhere: on Apple servers, on Apple iCloud, on the recipient iPhone. There also exist ways to “unlock” the model of iPhone in question, but newer models are far more difficult to break.
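The difference between in-transit encryption and encryption of content, as an added example that is not part of the original post and not any vendor's design: `seal`/`unseal` are a standard-library stand-in for a real authenticated cipher such as AES-GCM, and `Server`, `link_key` and `peer_key` are hypothetical names. It shows what a provider can scan once the transport layer has been removed at its servers.

```python
import hashlib, hmac, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (illustrative stand-in only).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh per message
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class Server:
    """Provider that terminates the transport layer and stores what is left."""
    def __init__(self, link_key: bytes):
        self.link_key, self.stored = link_key, []
    def receive(self, wire: bytes) -> None:
        self.stored.append(unseal(self.link_key, wire))
    def scan(self, keyword: bytes) -> bool:
        return any(keyword in item for item in self.stored)

def send_in_transit_only(server: Server, link_key: bytes, msg: bytes) -> None:
    server.receive(seal(link_key, msg))      # protected on the wire only

def send_content_encrypted(server, link_key, peer_key, msg) -> None:
    # Inner layer uses a key only sender and recipient hold.
    server.receive(seal(link_key, seal(peer_key, msg)))

def demo():
    link_key, peer_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"meet at the usual place, 6pm"    # constructed sample message
    a, b = Server(link_key), Server(link_key)
    send_in_transit_only(a, link_key, msg)
    send_content_encrypted(b, link_key, peer_key, msg)
    # (server a can scan, server b can scan, recipient can still read)
    return a.scan(b"usual place"), b.scan(b"usual place"), unseal(peer_key, b.stored[0])
```
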
So the questions being debated are: Do we allow encryption or not? Does privacy outweigh national security? Are we to allow the government access to our private information, when they want it regardless of needing it?
From the government’s perspective, they want the ability to read all content whenever they need it – at best with a warrant to do so, at worst, whenever they want surveillance of an individual. Should we as technology providers be forced into creating back doors for government access? Should we hold the keys to decrypt your personal information?
As with many things in life, this issue is very complex and there are many problems. A “back door” is a term used to describe getting at the information contained on a system by bypassing security, encryption, etc. It effectively gives the user of the back door access to either specific information or all information in a given system. If you create a back door, it will inevitably be accessed by more than just the government. So-called hackers will undoubtedly learn or create techniques to break and enter through these back doors, and access the information. If a ‘master’ key is created that decrypts all content on Apple phones, or the company stores the decrypting key sequence for each of its users, for example, the hackers will hack a way to get this key (or the users’ keys), and then they will have the key to unlock all Apple phones that are accessible by this master key or user key. This becomes an issue not just for day-to-day information, but also for personal information, like social security numbers, addresses, credit cards, bank accounts, and on and on. All information would be available to these hackers. In the past it has been more difficult to break in on a large company that holds your information, but as we know, over the past several years many, many have had break-ins and personal data has been stolen – by the millions. We must ask ourselves: why did the banks, insurance companies, government agencies, etc. not use encryption on your data? Why is it so easy to ‘hack’ these companies? This is because hackers are very, very good at what they do, and the companies are not good at protecting your data – end of story. If the government mandates that, where encryption is used, there must be a back door or a master key, we will have just weakened the already weak protection of private information by these companies.
Our answer to these questions has always remained the same (in fact this is why we built RakEM in the first place): your communications are your communications, you own them, you decide to share them or not, and you decide when to delete them or not. We give you a secure and private place to do so. We do not hold the keys – in fact, uniquely in RakEM’s case, and unlike other messengers, not only do we use device-to-device direct transmission (no servers – meaning our servers do NOT store your messages), we also use self-mutating encryption, which means each transaction (message) is different from the last or the next even if it is the same content, and only you and the recipient can receive and decrypt it.
Ultimately, the courts will decide in the Apple vs FBI case (2016), and the world will either be a little more private, or a whole lot less private.