What’s All This About Encryption? A Handy Guide


Apple Inc.’s promise to defy a court decision ordering the company to help investigators access a phone used by a terrorist has electrified the tech community, split Capitol Hill lawmakers, and forced the complicated issue of encryption onto the national stage. Donald Trump has weighed in. A House committee has invited Apple’s CEO and the director of the Federal Bureau of Investigation to testify. Lawmakers across the ideological spectrum are discussing encryption, national security and the prospect of “going dark.”

There is just one problem: tech experts, to a person, say many policymakers are ill-informed about how encryption works and what the Apple vs. FBI scuffle is all about. Here, based on interviews, we offer some insight.

What is encryption?

Modern encryption is a system that allows two users to communicate in such a way that no third party can read their messages. An encryption method takes a message such as, “My name is Edward Snowden,” and turns it into a long series of numbers.

As part of a strong encryption system, only two people – the sender and the receiver – can read the message above. Stored data, in addition to communication between two parties, can be encrypted as well. One could encrypt a single file or an entire server.

Why does encryption exist?

Modern encryption, like that described above, dates back to the 1970s. It has been in use for decades for all sorts of purposes. However, in the aftermath of the Snowden revelations about the National Security Agency’s bulk data collection program, tech companies decided to start encrypting more data and communications.

Faced with the apparent ubiquity of government surveillance, consumers cared more about the privacy of their communications and personal data. According to Gregory Nojeim at the Center for Democracy & Technology, “The Snowden revelations made it clear how important encryption can be to privacy in general.”

On another level, encryption was good business sense for consumer tech products and the internet ecosystem in general. Nojeim says encryption is “the glue that makes internet commerce and communication possible. Without it, people wouldn’t trust that their communications weren’t being collected along the way, and they certainly wouldn’t be buying things or doing online banking.”

Just as encryption delivers personal data privacy for people with good and bad intentions – i.e., for a whistleblower, a journalist, or a terrorist – it also delivers online security for a bank customer, an eBay seller or an Uber driver.

What does encryption have to do with the Apple conflict?

Apple’s iPhones, many laptops and other smartphones use encryption for messaging and data. (Blackberries had encryption systems before the invention of smartphones.) Messages sent from an iPhone are transformed from readable text into unreadable strings of digits. The iPhone’s security features (passcodes, fingerprint authorization, etc.) protect it from someone other than the phone’s owner accessing the unencrypted data.

Syed Rizwan Farook, one of the alleged perpetrators of the San Bernardino shootings, used an iPhone 5c given to him by his employer. It is passcode protected. Farook also enabled a feature on the iPhone which erases all data on the phone if one enters an incorrect passcode more than 10 times. Without the passcode, the data on Farook’s phone is encrypted and, as a result, unreadable.

The FBI asked Apple to create a software program that would override this erasing feature, allowing the FBI to break Farook’s passcode by entering thousands of different codes until they determine the passcode he used. (This is known as a “brute force” hack.) Apple refused, arguing in an open letter posted last week that creating such an overriding program would “undermine decades of security advancements that protect our customers” and damage user privacy.

If Apple complies, would it threaten other users’ security? 

If Apple were to create the software program that the FBI wants, Apple says that same program could be easily tweaked and used by the FBI and other law enforcement agencies to break past security features on other iPhones. As Apple writes, “It would be the equivalent of a master key, capable of opening hundreds of millions of locks.”

Tech experts, in general, agree with this assessment. The FBI’s order, if fulfilled, would be so broad that it would be tantamount to saying, “You can’t make fully encrypted iPhones anymore,” according to Ross Schulman of the Open Technology Institute. Law enforcement, using the new software, would be able to break into countless iPhones and read encrypted information. That violates the central promise of encryption — that unauthorized third parties cannot read encrypted information.

Furthermore, TechFreedom President Berin Szoka says Apple’s security promises are only as good as its own security. “If Apple itself gets hacked, and the [software] that they have becomes available, then this software could be used to crack other phones.”

This opinion is as close to universal as it gets in the tech community, although law enforcement officials say the FBI’s request impacts only one phone on this sole occasion.

Is Apple defying a lawful warrant?

Apple has already satisfied warrants from the FBI for data it holds related to the San Bernardino shootings. For instance, pursuant to an FBI warrant, Apple has provided investigators with data from Farook’s iCloud account. Apple has this data, and is able to read it, because Farook’s phone periodically backed itself up to iCloud, a system which Apple owns and oversees.

In the case of unlocking Farook’s phone, however, the FBI is ordering Apple to create new software that would give investigators a way to serve a warrant for the currently inaccessible data on the phone. The FBI is not ordering Apple to deliver data; it is ordering Apple to create the means to deliver certain data that Apple does not currently have access to.

What can law enforcement do now?

Though encryption is ubiquitous in today’s communications environment, there are big areas of the mobile and internet ecosystem that are not encrypted. Authorities can still access that data to track terrorists, criminals and other malefactors.

For instance, Apple and other tech companies still have full access to information their customers store through web-based systems such as iCloud. In addition, it is relatively easy for users and tech companies to encrypt communications but it is difficult to encrypt “metadata” around those messages.

Metadata is the context of our communications – the time at which we send a message, the recipient of our messages, the length of our calls and texts, etc. Even though a telecom provider would not be able to read an encrypted text message, it would likely have access to the metadata of that message. Telecommunications companies also have access to users’ unencrypted communications in other forms. Phone calls can be wiretapped through court order, and a good deal of web traffic is not encrypted.

What are the stakes?

Apple is concerned that acceding to the FBI’s order would compromise the security of other iPhone users, but tech experts say the consequences are potentially broader.

Other law enforcement agencies could follow the FBI’s lead, ordering Apple and other tech companies to open encrypted phones. This is precisely why Apple does not want to make the software in the first place. Once created, it could not be unmade, and it could set a precedent for tech companies and law enforcement authorities going forward.

“Sure, it’s just this phone at this moment,” said Nojeim of CDT, “but a heck of a lot of phones going forward.”

Outside of the United States, tech communities also believe that other countries would take a lesson from the FBI and order tech companies to open up users’ encrypted devices. If the software in question is created, it would be relatively easy for China, India, France or Iran to order Apple to use the same software to access other phones.

If the FBI’s order is not completed, or if a court strikes it down, law enforcement does not stand to lose anything it has now. However, encryption is likely to spread no matter what happens with the order. There are efforts to encrypt metadata, for instance, that could decrease the slate of options at law enforcement’s disposal to spy on and thwart bad actors.

Morning Consult