Crypto wars: Why weakening encryption misses the mark

Rashmi Dahiya

The crypto wars have revealed the tension between security and privacy. Organizations can protect both by implementing a thoughtful approach.

Weakening encryption does more harm than good in the fight against cyberthreats.

Under the auspices of combating cybercrime, governments around the world have pushed for access to encrypted communications because they see these secure channels as potential havens for illicit activity. At the same time, privacy advocates and tech specialists warn that weakening encryption exposes everyone to risks and undermines the trust that forms the backbone of digital interactions. This tension, generally referred to as the crypto wars, raises an important question: Is sacrificing privacy the price for security, or can security and privacy coexist in a solution that protects safety without eroding the freedoms that encryption was designed to protect?

Organizations don’t exist outside of this larger, theoretical context. Indeed, by understanding this tension, they can play an important role in establishing a secure and transparent digital environment for their business and their customers.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

Subscribe now

A brief history of the crypto wars

Asymmetric encryption emerged in the 1970s against the backdrop of heavy government surveillance used to weaponize information against domestic and foreign enemies. Since then, law enforcement and government intelligence agencies have argued that widespread private use of encryption can hamper criminal investigations and national security efforts. For many cryptographers and privacy activists, however, this surveillance was the primary threat that made widespread use of cryptography a moral necessity in the first place.

One pivotal moment in this history was the prosecution of Phil Zimmerman by the U.S. federal government for distributing his encryption software, Pretty Good Privacy (PGP), without a munitions export license. In the 1990s, U.S. arms control regulators treated cryptography software like a munition, and as a result, exporting such a program overseas by posting it on the internet was in violation of these regulations. The case dragged on for three years before eventually being dropped, and export control laws were rewritten after it became obvious that software couldn’t be contained like rocket motors.

Fast forward to 2021, when a presidential executive order charged the National Institute of Standards and Technology (NIST) with setting standards requiring the encryption of data to protect software supply chains. What’s more, NIST’s Federal Information Processing Standards have included forms of PGP software for more than two decades. This shift illustrates how the federal government eventually recognized the importance of strong encryption and that, despite the different shapes and forms it has taken over the decades, the conflict between the security and privacy advocates reflects a lag in governmental adaptation to technological advancements.

While the overarching debate generally remains the same, the crypto wars now primarily revolve around end-to-end encryption (E2EE). Widespread public access to E2EE means that criminals can also use it with impunity, making it harder to detect and investigate the transmission of illegal content, such as child sexual abuse material and terrorist plots. Law enforcement officials are challenged with investigations going dark because they are unable to conduct investigations due to a lack of access to communications and data. This situation is a surveillance and security problem and a content moderation problem. In addition, E2EE makes it harder for platforms to defend users from spam, abuse, and harassment, and encrypted communications can become vectors for abusive harassment and misinformation campaigns.

Computer scientists and privacy advocates, in turn, counter these criticisms with the argument that strategies for content moderation go beyond merely reading messages, with automated data analysis, user reporting workflows, and message flagging mechanisms as some available tools. Further, with ongoing research in this field, E2EE isn’t necessarily the roadblock to content moderation that many think it is.

Why targeting E2EE is fundamentally flawed

Opponents of encryption oversimplify this challenge by assuming a middle-ground approach can allow for strong encryption with exceptional access for law enforcement. As straightforward as it might sound, this approach is a fundamentally flawed solution for three main reasons:

Weakened security. Regardless of how it is implemented, exceptional access jeopardizes citizens’ privacy, and it can also lead to the unintended consequence of imperiling national security. One of the biggest technical challenges here is ensuring that the back door itself does not become a weak point that can be exploited by malicious actors who could potentially attack the system’s vulnerabilities, steal the keys held by law enforcement, and move their communications to non-U.S. platforms that are outside the reach of U.S. law enforcement.
First Amendment violation. If mandated by the federal government, exceptional access would violate the First Amendment under the compelled speech doctrine. By requiring companies to create back doors in their encryption, the federal government is compelling them to express a message contrary to their commitment to user privacy and security. This coerced speech violates the principles of free expression and undermines the integrity of both the products and the companies that create them.
Potential abuse of power. The entire argument in favor of weakening encryption rests on the assumption that governments around the world are sacrificing user privacy for the greater good in order to combat serious crimes. But what is stopping them (or even other entities) from misusing back-door access for purposes beyond the intended scope, such as unauthorized surveillance or political repression? Without adequate checks in place, exceptional access holds the potential to cause more harm than the good it seeks to offer.

Where to go from here?

Achieving the balance between security and privacy in digital communications, particularly in the context of E2EE, remains a daunting task. Despite ongoing research in this field, security specialists are far from securing a robust solution to tackle this challenge. However, following are several promising approaches that offer steps in the right direction.

Homomorphic encryption is a form of encryption that enables computations on encrypted data without decryption, allowing operations such as keyword filtering and pattern matching while maintaining data confidentiality.
- Pro: Supports complex analysis without exposing data
- Cons: High computational overhead; cross-platform compatibility issues
Metadata-based moderation allows platforms to analyze message metadata attributes such as frequency and size to identify patterns indicative of harmful content without accessing message contents. It complies with privacy regulations by focusing on noncontent data and strikes a balance between user privacy and security.
- Pros: Preserves message confidentiality; complies with privacy regulations
- Cons: Might miss sophisticated threats; subject to legal concerns over metadata usage and storage
Source tracking is a way to integrate the original sender’s identity into message metadata, allowing platforms to trace the dissemination of harmful content across networks. Source tracking enhances moderation capabilities while preserving user anonymity and confidentiality.
- Pro: Preserves user anonymity by only using metadata
- Con: Complex to implement in decentralized systems
Client-side moderation is another way of minimizing user data exposure in content moderation. It keeps tasks such as spam filtering and malware detection on the user’s device. By processing sensitive data locally, client-side moderation enhances user privacy and reduces server-side exposure, thereby mitigating risks associated with centralized data storage.
- Pro: Sensitive data remains encrypted and within the user’s control
- Cons: Limited by user devices’ processing power; requires constant updates to client software
Perceptual hashing is a technique that can be used to generate unique fingerprints of media files, facilitating efficient comparison against databases to detect known harmful content, thus enhancing content moderation capabilities across diverse media formats while preserving the encryption of original files.
- Pros: Effectively identifies illicit materials without breaking encryption; works across diverse media formats
- Cons: Needs regular database updates; might struggle with new or sophisticated threats

The bottom line is that continued advancements in encryption technologies and regulatory frameworks will play pivotal roles in shaping the future landscape of digital communication and can help protect privacy as a fundamental right in the face of evolving security threats.

The crypto wars and business

The crypto wars hold significant implications for organizations operating in the digital space. Balancing these elements is crucial for compliance and for building and sustaining user trust. Strong encryption is a cornerstone of user trust because customers need to feel confident that their communications and data are secure. Weakening encryption can erode this trust, leading to reputational damage and potential loss of business.

One action that organizations can take is to prioritize incorporating E2EE into their operational frameworks. To do so, they can take the following steps:

Develop and implement policies. Organizations should have policies in place to mandate the use of E2EE for all internal and external communications. These policies should align with regulatory requirements and industry best practices.
Prioritize E2EE in acquisitions. When acquiring new software or services, prioritizing vendors that offer strong E2EE capabilities is essential. Encryption standards should meet or exceed industry benchmarks to safeguard sensitive data.
Train employees. Because employees are the first line of defense for any organization, they must be trained on the importance of E2EE and how to use encryption tools effectively.
Evaluate regularly. Regularly evaluating and updating encryption practices to keep pace with evolving threats and technological advancements is vital, as conducting security audits can help identify potential vulnerabilities and address them promptly.

Long story short

Security and privacy aren’t two sides of the same coin. Rather, they are overlapping functions within society’s technological framework. Prioritizing one over the other fails to respect the balance necessary for good public policymaking. With the world no longer being divided between the physical and the digital, the crypto wars aren’t a state versus citizen or security versus privacy conflict but rather a societal risk management challenge.

As the Zimmerman story highlights, governmental understanding can evolve, albeit slowly. The ongoing struggle underscores the need for governments and businesses to keep pace with technological advancements and adapt their policies accordingly. Organizations must understand the critical role of encryption in securing data and fostering customer trust, adapt to regulatory changes, and invest in innovative solutions that balance security and privacy.

Looking ahead, continued research and technological innovation will lead to the development of more robust encryption methods and effective moderation strategies. This progression can enhance security measures and reinforce user trust in digital platforms. Aligning such advancements with global privacy regulations will be crucial in fostering a secure and transparent digital environment.

Cybersecurity Privacy Encryption

Manage risks. Monitor threats. Enhance digital security. Build cyber resilience.

Discover how Crowe cybersecurity specialists help organizations like your update, expand, and reinforce protection and recovery systems.

Explore services