March 16, 2016
The debate, and court battle, over encryption has surged in recent weeks as a byproduct of Apple, Inc.’s refusal to break their own software to allow FBI officials into a domestic terrorist’s iPhone. Because John Oliver’s show, “Last Week Tonight with John Oliver,” on March 13 did a great job of explaining the situation (see video below), I won’t belabor the same points.
However, I did want to cover off why encryption is needed and necessary. John does a great job of explaining why we should strongly disallow government organizations from having a “back door,” or a special version of an operating system capable of hacking the device, but why is the phone encrypted in the first place?
Data breaches have become common in today’s digitally engaged and online purchasing society. It’s compounded by traditional in-store purchases with credit cards being now just as vulnerable when companies don’t properly store, delete or manage payment and personally identified information (PII).
Why do we need encryption, or lock-out security measures, in the first place? Unfortunately, there are nefarious entities out there looking to steal your information, or more directly, your money. Identity theft is growing almost exponentially, and in many instances it’s not a result of a data breach but because of a mistake or poor decision by an individual to share personal information to the wrong source.
Encryption essentially places a highly variable lock on your information. It requires the correct key to open that lock. You may have noticed that many websites now use “https” with the addition of, “s.” I do not use SSL (secure sockets layer) on my site as I don’t collect any personally identifiable information, have user logins, process/receive transactions, etc. However, if my site did have these features, you bet I’d enable SSL to ensure all data passed between the user’s browser and web servers was secure.
However, that’s just the transmission of the data. It needs to be stored and accessed for some period of time. This is where companies have gotten in trouble by having vast amounts of transaction and PII data stored that may not be properly secured. The data, the software that contains it, and the hardware that houses both must be protected and additional layers of encryption provide this protection.
Because no level of encryption is completely impenetrable (there are keys, right?), additional security measures can be implemented to prevent brute force attacks. This is what Apple has developed. It essentially allows for 10 attempts to successfully unlock the device before the lock is indefinitely frozen, “bricking” the device, i.e. making it entirely useless. This is what developers have been asked to bypass.
Aside: from John Oliver’s segment, am I the only one who thinks a team of six to 10 developers spending six to eight weeks coding this bypass seems really small and something the government should be able to accomplish?
The question that remains is should a government or any entity have “back door” access? Remember the movie, “The Net?” Probably not, at more than 20 years old, but “authorized” access can be compromised and does happen within software around the world all the time. You may remember device hacking and tracking during the Sochi Winter Olympics in Russia.
Regardless of where you land on the subject, the value that’s added with these types of security protections is nearly unquantifiable. The risks are far too great without encryption and security protocols and companies as well as individuals should embrace and laud the fact we are still ever so slightly one step ahead of the bad guys.
Apple, Data Encryption, FBI, Privacy, Protection, SSL,