Data Encryption and Key Escrow – Easy Government Access or Protection of Individual Rights?

In Learning Tree’s System and Network Security Introduction we spend a lot of time talking about encryption. That’s because encryption is the core technology behind confidentiality, which is one of the key concepts in cyber security.


One issue in the use of encryption is who can access encrypted data. I can, for example, encrypt a message or file such that only one particular other person can decrypt it. If I don’t also encrypt it so that I can decrypt it myself, then I can’t read it either. (This can be done in different ways depending on the encryption used, and we discuss that in the System and Network Security Introduction.) I can also encrypt the file so that many people can decrypt it.

What is Key Escrow?

But what if Mary works for XYZ company and she sends a message to Bob at ABC company that only they can read? That might be good and it might be bad. If Mary were exposing company secrets, that would be bad – and her boss could never find out, because the boss couldn’t read the message. To solve that, three basic schemes have been developed: 1) every message or file encrypted by employees using company resources is encrypted in such a manner that management can access the message or file; 2) one or more people (or a group of them acting together) have access to Mary’s key, if necessary; or 3) different individuals or groups have access to different parts of Mary’s key. These latter approaches are forms of key escrow.
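The third scheme above, sketched as an added example that is not from the course or any escrow product: Mary's key is split into XOR shares so that every escrow agent must cooperate to rebuild it, and any smaller group holds only random-looking bytes. The function names, the 32-byte key size and the three agents are assumptions made for illustration.

```python
import secrets
from functools import reduce

KEY_BYTES = 32  # assumed size: a 256-bit symmetric key


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, agents: int) -> list[bytes]:
    """Split `key` into one share per escrow agent; all shares are needed."""
    if agents < 2:
        raise ValueError("need at least two escrow agents")
    # The first agents-1 shares are uniformly random. The last share is
    # chosen so that the XOR of all shares equals the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(agents - 1)]
    shares.append(reduce(_xor, shares, key))
    return shares


def recover_key(shares: list[bytes]) -> bytes:
    """XOR the shares together; yields the key only if none is missing."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need two or more shares of equal length")
    return reduce(_xor, shares)


def demo() -> dict:
    mary_key = secrets.token_bytes(KEY_BYTES)  # constructed sample key
    shares = split_key(mary_key, 3)  # three hypothetical escrow agents
    return {
        # All three agents acting together recover the key.
        "all_three": recover_key(shares) == mary_key,
        # Two agents colluding get an unrelated random value.
        "only_two": recover_key(shares[:2]) == mary_key,
    }


if __name__ == "__main__":
    print(demo())
```

Because each share on its own is indistinguishable from random data, the strength of the arrangement rests on how the shares are stored and on the process for bringing the agents together.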

If Mary were thought to be engaging in criminal activity, law enforcement could ask a court for permission to access the escrowed key, if one existed. The same would apply to Mary’s phone conversations, which are also encrypted, the data on her phone, and so forth. But now some law enforcement agencies want direct access to Mary’s personally encrypted data. This is speculated to be because modern encryption can be configured to be so strong that it cannot be broken in a reasonable amount of time. The basic idea is that if they can access the data on Mary’s phone or tablet promptly, and doing so can prevent a crime or act of terrorism, then that access is good for everyone. Civil libertarians argue that it is an infringement on individual rights and that the access could be easily abused.

I see both sides in this debate, and I’d love to hear your opinion. Which side are you on: easy government access or more protection for the individual? Let us know in the comments below.

To your safe computing,
John McDermott
