#MeAndMyRights: ​Encryption - Why You Need It and Why It's Not Enough

Encryption is a very old technique. It just refers to the process by which we can hide the meaning of something by using a code. We explain how it helps protect our privacy and our money, and how authorities are using hacking to get round it.

You may remember arguments erupting between some technology companies and security services about encryption – particularly between Apple and the FBI after the shootings in San Bernardino in the USA. Encryption is a very old technique. It just refers to the process by which we can hide the meaning of something by using a code. For example, a very simple code is to swap out the letters of the alphabet for numbers, so that 1-2-3 is ABC. If I know you have used this code to encrypt your messages, then when you pass me a piece of paper with “9 12-12 2-5 2-1-3-11”, I will know you’re either just nipping to the toilet, or you’re a Terminator.

How encryption works

Encryption can work over the internet in different ways, but the most secure type of encryption, and the type that the authorities most dislike, is referred to as ‘end-to-end’ encryption. Here’s how it works. You write an email to your friend. Your computer encrypts the email before it is sent. Then the email passes over the internet to your friend in its encrypted form. So anyone who intercepts the email cannot actually read what it says. When it reaches your friend’s computer, his/her computer decrypts the message. This type of encryption is the most secure because the codes needed to encrypt and decrypt the messages only exist on the phones or computers of the two people communicating with each other. Neither the company that provides your internet services nor the company that created the email programme know the code. Which means that the security services can’t find out the code either.

You might be unaware, but you probably use encryption regularly. Every time you use banking services or shop over the internet or fill out your taxes online, encryption is being used to prevent other people intercepting and reading the information (or data) that you are sending. This keeps your money and your personal information safe.

Since Edward Snowden released secret documents in 2013, there has been a lot of news about how the security services of the USA, the UK and several other European countries have been carrying out mass surveillance of their own populations. It became clear that technology companies (like Microsoft, Google, Facebook and Apple) had actually been helping governments spy on their citizens. Sometimes technology companies had been handing over information they collected from internet users to the authorities. Sometimes technology companies were even allowing the authorities to collect information directly by tapping into their phone cables and data banks. After Snowden spilled the beans, technology companies became afraid that their customers would lose trust in them, so some of them, including Apple, started to introduce encryption into their services.

For the most part, security services oppose encryption, because they say it prevents them from monitoring what terrorist suspects are saying. Some countries are talking about making encryption illegal. Some countries are thinking of forcing technology companies to give the encryption codes they use to security services, which would allow the authorities to decrypt communications whenever they want to. This latter option is referred to as creating a ‘back door’.

Outlawing encryption would hurt innocent people

Making encryption illegal or creating back doors for security services wouldn’t make life more difficult for terrorist attackers. If terrorists wanted to use encryption, they could still create their own encryption programmes or use encryption programmes created in countries where this is not illegal. Or attackers can just find other ways of getting around mass surveillance, like using code words or frequently changing mobile phone numbers or by using several pre-paid SIM cards. For example, some security services said that French authorities had been unable to stop or intervene more quickly in the Paris shootings in 2015 because the attackers had used encryption to hide their communications. But actually, it seems that the attackers communicated using old fashioned unencrypted SMS text messages.

Making encryption illegal or creating 'back doors' won't really make it easier for security services to catch terrorists. But it would create a lot of problems for innocent people. If encryption became illegal, we would no longer be able to use the internet for things like shopping and banking. That would be bad for the economy and create a lot of inconvenience. Encryption is also used by a lot of people working in dangerous situations, like journalists investigating corruption and democracy activists working in dictatorships. Encryption helps to keep them safe by shielding their activities and contacts from spying governments. If encryption remained legal but companies were forced to give the codes to the authorities, then it is likely that foreign governments and criminal hackers would find a way to get these codes or find another way into the ‘back doors’ created by the technology companies. In effect, encryption would become fairly useless.

Encryption doesn't offer protection from state hacking

Not only is encryption vital to protect us day to day, it doesn't really make life all that hard for security services. First, encryption doesn’t cover up metadata – so the authorities can still see things like what numbers someone has dialled, what websites they visited and the subject lines of emails. The only thing that is encrypted is the content of the message.

Second, security services can get hold of technology to hack directly into the phones or computers of the individual they are investigating - or people close to them - to read what messages they have sent and received. For example, this is what eventually happened with the phone that the FBI wanted to access during the San Bernardino investigation. We don't have time to get into detail, but more and more governments, for example in Belgium and the Netherlands, have already given or want to give their security services the power to hack into any device connected to the internet. Consider nowadays it's not just your phone and computer that connect to the internet. We see cars, TVs, music systems, electricity meters and domestic appliances that connect to the internet too. So even your toaster could be spying on you. That's bad news, because it means governments will be buying up more hacking software, some of which inevitably gets stolen and used by criminals. Remember when the 'WannaCry' ransomware attack that hit hospitals in the UK? You can thank the National Security Agency of the USA for that one.

If you’d like more in-depth information or would like to follow up on the evidence and studies we refer to, you can take a look at our full report ‘Security through Human Rights’ here.