Why Should New Technology Create New Vulnerabilities?

When you think about it, isn’t it odd that companies pay millions in settlements and suffer devastating reputational damage because of breaches only made possible by the very latest technology? Transmitting information was much slower decades ago, before digital technology took off, but it was also much harder to intrude on people’s private conversations.

Today’s communication devices are beautiful aesthetic achievements that offer a dazzling user experience, and they control seemingly every aspect of modern life. Just because technology makes something easy to do does not mean it’s secure enough to do!

Billions of people use smartphones every day, and their ubiquity is enough to lull people into a false sense of security. How risky can they be if everyone uses them, especially if they’re protected by “end-to-end encryption,” right?

Right now, your digital privacy rights can be undermined by both illegal and legal means, underscoring just how vulnerable phones without military-grade encryption are to a breach. It’s complicated, but understanding encryption and how hackers pose one type of threat is crucial. The legal backdoors that governments give to police and military institutions in the name of security, however, pose a different kind of risk altogether.

Around the world, the tension between digital privacy rights and national security is being settled in courtrooms.

Smartphones put people face to face instantly — they’re part of the fabric of modern life, and business can’t proceed without them. But new technology without industry-leading device encryption creates new vulnerabilities.

In a globalized world, a government that systematically undermines encryption in one country is a problem in all of them.

Brazil’s Encryption Backdoor

Brazil’s Supreme Court has not submitted its final decision regarding whether “end-to-end encryption” is legal in the country after WhatsApp was suspended for not complying with judicial orders requiring the company to submit decrypted data.

The outcome of the case will determine whether encryption itself is legal and, if so, whether companies that provide encryption should be required to give backdoor access to the authorities when required. In other words, even if encryption is deemed legal, the government may still compel companies to hand over people’s encrypted communications anyway.

Forcing companies to decrypt communications and give them to the government undermines and even subverts the entire purpose of encryption, but it also creates other security vulnerabilities. What if an unauthorized third party sneaks in a backdoor meant for the government?

The battle over encryption is at the heart of online regulations. Brazilian President Bolsonaro himself has spewed wild COVID-19 misinformation, even though the virus has killed over 400,000 Brazilians, and has filed criminal charges against reporters like Glenn Greenwald for uncovering corruption.

The idea of assisting legal authorities in national security sounds laudable, but compromising privacy rights is equivalent to eliminating them — either there is encryption, or there isn’t. It’s easy to underestimate how data is collected by the government and other parties, so handing over privacy rights to a politician with Bolsonaro’s history illustrates how quickly legal powers can be abused.

Encryption in India

India’s Madras High Court, one of the country’s three High Courts, has considered WhatsApp’s role in spreading disinformation and cyber-bullying, a major problem in the country. Tamil Nadu’s advocate general argued that end-to-end encryption is not essential and that WhatsApp should fingerprint each communication.

The courts want the ability to trace back every communication made on any platform and try to argue that this is compatible with the goals of encryption and privacy. The status of encryption protection is like Free Speech rights, but for software.

India’s Prime Minister, Narendra Modi, has forced social media companies like Facebook and Twitter to remove posts that criticize the government. Anyone hoping that this government would respect privacy rights concerning encryption over national security has only to see how Modi uses strong-arm tactics to control messaging in the social media landscape, where an army of “IT strategists” who work for the Bharatiya Janata Party has very close links to Facebook employees.

India has genuine national security concerns, but it’s easy to imagine that the Modi government will sidestep encryption protections with partisan politics in mind, then invoke “national security” as an excuse. Indeed, the Modi government was accused of spying on citizens in 2019, using an Israeli spyware company to access citizens’ WhatsApp messages and calls, and even to turn on their phones’ microphones and cameras.

Encryption and Terrorism in the EU

Courts in the EU are drawing closer to banning end-to-end encryption on platforms like WhatsApp and Signal in the wake of terror attacks in the late part of 2020.

The EU said in a leaked draft resolution that “competent authorities in the area of security and criminal justice” needed to exercise their lawful powers in the course of their work and rely more heavily now on “accessing electronic evidence.”

Like elsewhere, online security experts in the EU reiterate that governments can either uphold privacy rights or deliberately give backdoor access to the authorities, but not both. ProPrivacy’s Ray Walsh outlines the various kinds of threats: “Removing strong end-to-end encryption creates vulnerabilities that can be exploited not just by the EU government agencies, but also by anybody — hackers, cybercriminals, and state-sanctioned operatives from other countries.”

In other words, the compromised encryption laws that governments are leaning towards to strengthen national security may deprive citizens of their privacy rights while also creating new ways to weaken national security.

Business moves at a rapid pace, and no company can afford to get left behind. But executives who cut corners and take security risks by using free apps to make deals will only realize the error of their ways when it’s too late.

When it comes to technology, it’s wrong to conflate sophistication with security. Indeed, some phones have dazzling features and seem very impressive, and these might pose the largest opportunity for a security breach. Thankfully, industry leaders make an encrypted cell phone that can keep up with the pace of modern technology and requires no technical expertise to use, so it’s easy to prevent a data breach no matter what world leaders or international courts decide.