Encryption is a way of making data secure, so that it can only be accessed by authorised parties. Cryptographic techniques are used to render information unintelligible to any third parties whilst it is being stored on an electronic device such as a laptop or smartphone, or during its transit from sender to recipient over the internet or other types of computer network.
There are many techniques of encryption but the main principles are as follows:
- Unencrypted data is referred to as “plaintext”.
- Plaintext is encrypted using an algorithm known as a “cipher”.
- The algorithm also generates a pseudo-random encryption “key”.
- Once plaintext has been encrypted it is known as “ciphertext”.
- The ciphertext is unreadable and can only be deciphered (ie converted back to plaintext) with the symmetric (private) or asymmetric (public) key which was previously generated by the algorithm.
- End to end encryption means that data which passes through a company’s servers (eg WhatsApp) can only be read by the sender and recipient and cannot be accessed or interfered with by the company handling the data.
Hashing is another method used to help to preserve the integrity of data but it is different from encryption. A hash is essentially a digital fingerprint of mapped digital information and it can be used to verify that a second instance of the information is exactly the same as the original and has not been tampered with. But hashing is a one way process; there is no way to reverse a hash or obtain any intelligible information from it. However, it can be used effectively in conjunction with encryption, particularly where the encrypted data needs to be transmitted across insecure networks.
Pros and cons
In an age where vast swathes of personal information are stored on internet-connected devices and online, the need to protect privacy has never been greater. Whether it’s alleged Russian interference in the 2016 American elections or personal details of 143 million individuals being compromised by a hack into a worldwide credit report company, the relentless surge of cybercrime means that leaving data unencrypted is akin to leaving your front door unlocked. Most of the tech giants are building sophisticated encryption into their devices, apps and software as standard – not least because laws increasingly demand that data protection be taken seriously, but also due to customer expectation. Furthermore, privacy campaigners, including human rights organisations such as Amnesty International, argue that end to end encryption is crucial for providing people who live in totalitarian regimes with the ability to communicate freely without being monitored by oppressive governments or dictatorships.
However there are also many concerns about encryption, primarily raised by governments, police and law enforcement agencies. Whilst encryption can be used to thwart criminal hackers, on the flipside it can also facilitate crime and prevent criminals from being caught. The authorities often claim that encryption impedes criminal investigations into terrorism, paedophilia and other crimes where crucial evidence is locked away on a smartphone, laptop or cloud based storage or communication services. One solution, which is often put forward to prevent criminals hiding behind encryption, is to provide law enforcement with a virtual skeleton key which gives them ‘backdoor’ access to any encrypted material. However, the fallacy of this argument is that any such backdoor would also be hackable by malevolent parties and consequently creates a huge opportunity for cybercriminals. An example of this is the ransomware attack which affected the NHS; the WannaCry virus apparently used an exploit which had previously been leaked as part of a cache of NSA hacking tools.
Legislation dealing with encryption
Principle 7 of the Data Protection Act requires that all businesses holding personal data take “appropriate technical and organisational measures” against its “unauthorised or unlawful processing”. Although it does not specify the use of encryption, the ICO notes that data controllers should “be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data”.
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. This will tighten up many of the existing data protection requirements, significantly increase maximum penalties and introduce new rules. Of particular note for purposes of encryption is Article 32 which requires data controllers and processors to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate … the pseudonymisation and encryption of personal data”.
Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) allows authorities to force a person to either hand over an encryption key to access data or to provide the requested material in an intelligible form.
The Investigatory Powers Act 2016 extends the powers of authorities to demand that service providers who are served a Technical Capability Notice (TCN) remove any “electronic protection” (s 253(5)(c)) – which essentially means encryption or any similar technology. However, this requirement is subject to the “technical feasibility” of complying with the notice (s. 255(3)(c)).
In the USA, following the San Bernardino terror attack in December 2015, the US government asked Apple to help the FBI access encrypted data on the suspect’s iPhone in case it contained any useful evidence or leads. Apple refused to comply with this request, arguing that the creation of a backdoor would pose a threat to the data of other customers. Although a legal battle was on the cards, the FBI withdrew its request after it purchased hacking software for $900,000 – which in the event found “nothing of real significance”.
In the UK, following the Westminster Bridge terrorist incident in March 2017, home secretary Amber Rudd claimed that it was “completely unacceptable” that the government could not read messages protected by end-to-end encryption. She argued that: “We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other.” However, her rhetoric was met with resistance from the former GCHQ director Robert Hannigan who said that “It’s not a good idea to weaken security for everybody in order to tackle a minority” and warned that “Trying to weaken the system, trying to build in backdoors won’t work and is technically difficult”.
Pinsent Masons: Cryptography
ICO: Guide to Encryption
legislation.gov.uk: Investigatory Powers Act 2016 s 255
Amnesty International: Easy guide to encryption and why it matters
The Verge: The five big lies of the encryption debate
Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email firstname.lastname@example.org. Twitter @alexheshmaty.
Image: cc by Christoph Scholz on Flickr.Tweet