[RWSB] 2016-10 Brussels, Privacy & Security
The Brussels attacks this past week have opened the debate on privacy once again. Privacy and cryptography continue to be at the forefront of the security debate as society and governments question the balance between what should be private and when this privacy should be violated to protect security interests. Unfortunately, cryptography is misunderstood by many of the players – both governments and society – making it difficult to predict the current debate’s outcome.
At the center of the debate are data retention policies. Data retention is relatively easy to understand for citizens and politicians and can be fluidly adjusted. For example, governments may decide to retain phone data for 90 days and web access data for 180 days and then increase or decrease both as needed. We therefore expect a relatively reasonable outcome of the discussions surrounding data retention.
On the other hand, very few people understand cryptography at the level at which it is currently being discussed. Cryptography is either secure or it is not. Cryptographic keys are either long enough to take an incredible amount of time to crack, or they are so short that third-party entities can crack them with enough effort. The same is true for cryptographic algorithms – they are either secure or they are not. Naturally, governments want secure cryptography for their own activities but also desire the ability to crack the encrypted communications of others.
The ability to crack the encryption used by other governments or civilian actors ties into national security and surveillance issues. Cryptography is relatively difficult to understand, so having a debate between governments and the general population is difficult. In many cases, neither party fully understands the technical issues involved.
This makes the outcome of upcoming cryptography-related debates hard to predict. Governments claim to require backdoors for security purposes, and citizens do not understand the technology enough to form a complete opinion on the issue.
The Brussels attacks provide governments with more reasons to argue that cryptography must be controlled and backdoored. Providing a backdoor, however, makes cryptography virtually useless. Tools and algorithms providing strong cryptography are also in the public domain, so regulating them will prove difficult. Where governments and citizens decide to draw the line between privacy and security remains unpredictable at this point.