Encryption for Social Media and Email

Social media and email services are drifting toward the encryption of their clients’ information. Consumers will prefer encryption for some of the information stored in their smartphones, laptops and tablets. US retail consumers’ attitude toward privacy is shaped by the belief that some in law enforcement snoop and by our loathing of hackers. A milder resentment is held for private companies’ use of our personal data, since there is usually a quid pro quo involved.

With strong encryption, the data would be impervious to companies, hackers and law enforcement. In effect, encrypted data would remain safe from prying eyes until the client actively reveals the decrypted contents of the stored files.

Social media and email services (e.g. Facebook, AT&T) would also find value in migrating to encrypted client data. It would strengthen their relationship with clients, especially in the wake of a hacker attack. The stolen data would be unusable by the hacker and thus the data loss would be almost inconsequential to the client.

Provided the service providers do not retain the decryption keys, encryption would make it impossible to fulfill a law enforcement organization (LEO) request for the decrypted client information, even if backed by a court order. The client would control who is given the key to decrypt the information. One real-world issue is that some clients will misplace their decryption key, just as they forget their passwords and where they keep a record for safekeeping. If that happens with a decryption key, no one can access the information. There is no simple password change that cures the loss.

Decrypting a file without knowing the key is a theoretical possibility. In practice, some decryptions could take impractical amounts of computer power and more time than it’s worth. ACI published a summary of encryption schemes that can be cracked by companies and intelligence agencies. As a practical matter, several encryption schemes are still “uncrackable” and would be a good choice for social media services.

The European Union (EU) is frantically seeking privacy for Europeans’ personally identifiable information (PII). That quest reached a new peak in a decision by the European Court of Justice (ECJ), which held that the PII of Europeans cannot be regarded as adequately protected when it is transferred via the “Safe Harbor” agreement to the US for storage. The ECJ ruled that protection is inadequate because the NSA has been able to review European PII with cooperation by US data services companies that rely on the Safe Harbor. Because of the NSA taint, those companies cannot accurately certify that the transferred data is adequately protected. Therefore the Safe Harbor is inadequate protection for European PII.

The ECJ did not block all European PII transfers, just those reliant on Safe Harbor. Other more direct means for guaranteeing protection would be acceptable. For example, Microsoft’s Azure product has been certified as adequate protection for data transferred from EU to the US and back.

A cynical observer might suspect that part of social media’s willingness to encrypt client data hinges on using that protection as a way to deliver privacy protection directly, without reliance on Safe Harbor.

Back in the US, law enforcement has been jawboning the social media companies on their duty to assist law enforcement when evidence may be available in their client files. A judge has decided to tee up “whether tech companies should be forced to find ways to unlock encrypted smartphones and other devices for law enforcement” (Note: devices are not encrypted, but the data they contain may be encrypted). Unfortunately, the judge chose poorly because “the device at issue is a phone that runs on an older version of Apple’s operating system that Apple can unlock,” so it is not likely to settle the encryption issue.

The White House has stepped back from recommending legislation that would compel companies to cooperate in providing decrypted PII. At times, law enforcement has favored “backdoor” portals they could use to tap into client data, but those are opposed by high tech companies, in part because they could be abused by hackers, and in part because backdoors make them look complicit in breaching privacy.

Consumers value both their privacy and their safety. Our laws prevent victims from hunting down those who unlawfully threaten our families, health, and property – that role has been given exclusively to law enforcement. In pursuit of serious threats, law enforcement may need access to insights from encrypted information. Calamitous failures due to a lack of information will illustrate the lunacy of always keeping law enforcement away from information they need to do their job.

We need some grownups to shape laws that grant law enforcement access to private information when the public’s interest demands it. They will never be able to satisfy cause-obsessed advocates, but that should not be the mission.