
Smartphone Encryption is a Red Herring

As the Founder and CEO of a software company that makes a development tool for mobile platforms, as well as for desktop and web, I have a lot of experience with encryption. The current controversy over encryption is really important to me. During World War II, the Germans created a way of sending encrypted messages to commanders in the field. The device came to be known as an Enigma machine. It looked like a typewriter but had an encryption key that changed a message into unreadable noise. That message could only be decoded if you knew the key used to encrypt it. The Allies worked very hard to get their hands on one of these devices so they could learn how it worked, decrypt the messages and know what the German military was planning. Ultimately the Allies figured it out and it helped them win the war. If this has piqued your curiosity, check out the movie U-571 (a fictional account of the effort to obtain an Enigma machine) and The Imitation Game, about the team that figured out the encryption key.

Today, terrorists are using encryption to hide their communications just like the Nazis did in WWII. What makes encryption different today is that it is also being used by millions of ordinary people, many of whom have no idea they are even using it. Almost every smartphone in use today encrypts text messages and other data automatically. This is all done behind the scenes without the user ever being aware of it.

The type of encryption used on the iPhone and Android is called AES and it’s formidable. Intercepting your text messages isn’t actually difficult but decrypting those messages is, at best, impractical. To decrypt a message, just like with the Enigma machine, you need to know the key that was used to encrypt it. If you don’t have that key, you’d have to guess at what the key might be, then look at the results of decrypting the message with that key to see if you have anything but unintelligible gibberish. Even with access to the fastest computers in the world, it could literally take years to guess the right key. It will come as no surprise that governments at almost every level don’t like this one bit. At their most transparent, they are used to getting a search warrant and being able to look at whatever you’ve got to see if it supports their suspicion that you are in fact up to no good. At their least, they wish to get on your phone (ideally from a secure, remote location) and take your data without a warrant or you having any idea they were ever there. The problem for governments is that they can’t. In Apple’s case, even if Apple were willing to comply with a request that they decrypt the data on your phone, they can’t. The key is stored on your phone in a way that even Apple can’t get to it. In this sense, Apple is in complete alignment with you in terms of your privacy.


There are lawmakers here in the United States who want to force companies like Apple and Google to provide a back door. This would be a way for Apple to get into your data should a search warrant (presumably) be issued. Apple’s CEO Tim Cook has pointed out what a bad idea this is. Back doors don’t get used by just the good guys. They will get used by the bad guys as well. In an effort to make it possible for law enforcement to get at the data of the tiny percentage of the population that is doing wrong, we would be opening everyone up to being hacked remotely. It’s not possible to make a back door that only the good guys can use. Think about your contacts, text messages, email, photos, all being exposed. Just the increased level of extortion alone would be so bad that your smartphone would go back to being useful as nothing more than a phone. Do any of you really want to go back to the 1980s?

What is worse than that, however, is what is not being talked about in the news. Smartphone encryption is a red herring. A back door wouldn’t solve the problem. Bad guys would simply write their own apps to encrypt the data themselves before they send it. This is incredibly easy to do. Xojo, the development tool my company created, has this same type of AES encryption built in. Many other development tools have it as well. I could write an app to encrypt a message in a few minutes. Even if you have never written a line of code in your life, after a few hours learning Xojo, you could write the same app yourself. If you or I can do it, the bad guys can too. The smartest of them are almost certainly already doing this today. The end result would be that every law-abiding citizen’s personal and private data would become hackable, causing a digital tsunami of cybercrime that would be impossible for law enforcement to stop while achieving next to nothing towards actual security.

I understand why our lawmakers and law enforcement are concerned about encryption. It is a barrier to evidence for them. Tim Cook has argued that we have to balance law enforcement with our personal privacy. That’s certainly true. However, in this case, you don’t even have to go that far. What our elected officials are proposing will not work and will only create an exponentially greater problem. You may be asking yourself, “Surely they have thought of this, right?” Clearly they haven’t. Too often people make decisions without complete information or without having taken sufficient time to think the matter through. We have all seen this many times in our lives. Smartphone encryption is just the latest example. It’s not the first and won’t be the last. I’m all for looking for better ways to catch the bad guys but smartphone back doors will not work. Your elected officials are wasting your precious taxpayer dollars. If you want to stop this, contact them and ask them to better educate themselves on this topic. You can point them to this blog post to start. I can’t speak for countries outside the United States, but here elected officials give considerable weight to their constituents who reach out to them. You can contact your Representatives in the House here and your Senators here.

Lastly, while I am proud of Tim Cook for fighting back on this issue, it saddens me that he appears alone on the world stage while doing this. Powerful people in technology such as Mark Zuckerberg of Facebook, Larry Page and Sergey Brin of Google, Satya Nadella of Microsoft and others should be taking an equal stand. They are in an even better position than we are as individuals to make it clear that the proposed solution won’t work. Until then, contact your elected officials and tell them that dog won’t hunt.
