The Danger of Transparent Encryption

Satisfied Needs Don't Motivate

With all the renewed furor over the government attempting to force Apple to backdoor iOS devices so the FBI can inspect the phone of the San Bernardino terrorists I found myself with a usual set of emotions. I have always been an advocate of limited government involvement in the lives of private citizens (i.e. approaching zero) and every time the government endeavors to have back doors built into encryption systems to facilitate their investigations of crimes I find myself angst-ridden. Agents of the government, in their efforts to assuage the fears of uninformed people, tell us things like, “we only want into this phone” and “we would only access phones that were involved in crimes”. The problem is that they don’t know that the work phone issued to the San Bernardino terrorist by his employer contains any relevant evidence; they just want to overturn every stone in their search. How many phones get to get back-doored in the next investigation? While I don’t fault their motives I do take issue with their conclusions. There is no limit to the downward spiral that we will be on if Apple concedes and complies.

None of this is new. Phil Zimmermann, the author of PGP, wrote an article in 1991 that is as relevant today as it was back then. Check it out.

All of this got me thinking: Why don’t people appreciate their privacy more? Why is a government pushing for legalized back doors into your private life not a hair-raising, get-ready-to-fight event in the minds of every American? And I think I know at least part of the answer. We, the purveyors of technology solutions, have made things too easy for too long for the average user. And the end result is that much of the product of what we do has become so ubiquitous, so invisible, and so automatic that they don’t know it’s there. And it is difficult to appreciate something if you don’t know it’s there. Satisfied needs don’t motivate.

  • We fail to appreciate the oxygen in the room until it’s gone.
  • We fail to appreciate not having a headache until our head is pounding.
  • We fail to appreciate our health until we are sick.
  • And we fail to appreciate the ability to have a private idea, thought, conversation or message …until we can’t have one.

When it comes to quietly making the average person the beneficiary of confidentiality in their daily lives we have done a bang up job of satisfying needs. As a result, these users are not motivated to protect something they don’t know they have. I often tell IT folk that, “the better you are at your job the fewer people will know who you are and what you do.” It’s tongue in cheek when I say it but it has a glimmer of truth. My job is to make the data go from Client A to Server B as fast, as efficiently and as securely as possible. And when firing on all cylinders, users never get bothered with the underlying complexities in making that happen. And that is as it should be. I want my truck to just work when I step on the accelerator or the brake. Don’t bug me with how, just do it! Just like my HVAC system, my CheckCard and my digestive tract. Being bothered with the inner workings of these things is something most of us get to remove from our contemplations. And this whole computer-Internet-thingy is right there along with them. For the most part the stuff just works and users are left to think that it’s automagic, like breathing.

And there’s the rub. Users benefit without knowing what’s happening. Data displayed on their screen is in plain-text. It may have been cipher text a fraction of a second before that but that doesn’t change what it looks like now.

  • They don’t know that their data is encrypted when traveling across their wireless LAN. They only know they have to enter a “password for the Wifi” (whatever that means).
  • They don’t know that their data is encrypted the majority of the time as it traverses the Internet. They just know the web pages pop up. Some of them have, shamefully, been taught to “look for the lock” and that means security but they can’t articulate what that actually means.
  • They don’t know that their data is encrypted by default on their smart phone. They just know the apps open when they tap on them.
  • They don’t know their data is encrypted as it moves between their computers and their favorite cloud storage solution. They just know the data is there.
  • They don’t know their data is encrypted when they “remote into the office”. They just know they have to type numbers or passwords into a few more fields than normal.
  • They don’t know that their private journal software encrypts their personal thoughts, they just know they have to type a password to open the program.

I’m sure a lot of users have a cursory awareness that doesn’t extend much beyond a general notion of the ethereal concept called ‘encryption’. It’s like telling people that “food gives you energy” vs getting into the details of the Krebs Cycle. We get to benefit from the Krebs Cycle even though we don’t know how it works or why it’s important (or that it even exists). But if it wasn’t there…

So should encryption be made more evident? Should it continue to be as invisible as it is today? Would it be beneficial to intentionally make users more aware of the fact that they are the beneficiaries of an encryption technology? What do you think?

Cheers,

Colin Weaver

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.