A few weeks ago, the IRS began publishing a set of Security Awareness Tax Tips; they’ve also come out with Publication 4524, “Security Awareness for Taxpayers”. These documents are basically checklists, but they’ve got some reasonable advice. For example (quoting from Pub 4524):
- Treat your personal information like cash, don’t leave it lying around
- Give personal information only over encrypted websites – look for “https” addresses.
- Keep old tax returns and tax records under lock and key or encrypted if electronic.
Point one is well taken — if more companies treated personal information like cash, we might reduce the number of data breaches, and fewer people would be at risk for social engineering and identity theft. This point also applies to your smartphone (i.e., don’t leave it lying around).
Points two and three deal with encryption. “https” means the page is being fetched over an encrypted connection (HTTP over TLS); you should do this whenever possible. Point three involves encrypting data at rest; you should also do this whenever possible. It’s nice to see the IRS talking about the importance of encryption, and I applaud them for doing it.
On the other hand, some of our Washington politicians are dead set on demonizing encryption, even if it means undermining security and privacy. For example, take this recent press release from Senate Majority Leader Mitch McConnell (with emphasis added)
[President Obama] “should tell us what legal authorities he needs to defeat encrypted online communications, and what is needed to reestablish our capture, interrogation, and surveillance capabilities. He should tell us how the coalition or NATO will forge a ground force capable of not just attempting to ‘contain’ ISIL within its interior lines in Iraq and Syria — even as the group expands its reach into other countries — but actually driving it from Raqqa. He should tell us the force structure and funding our commanders will need to rebuild so we can continue and expand this fight while facing other threats around the globe. And he should explain why he won’t use the secure facility at Guantanamo Bay to safely hold and interrogate newly captured terrorists in order to help prevent the next plot against innocent Americans.”
And there you have it: Mitch McConnell vs the Internal Revenue Service, at least when it comes to encrypted online communications.
Senator McConnell’s press release doesn’t explain what he means by “defeat encrypted online communications”, but I’ll assume it has something to do with severely undermining encryption, or trying to ban it outright. Undermining encryption is only slightly better than having no encryption at all. Back doors are back doors; they don’t care who walks through, or which way the person goes.
I’d like to spend a few minutes talking about the role strong encryption plays in our everyday lives. This isn’t an exhaustive list, and I’m sure everyone could think of things to add.
- Wireless Networks. Most wireless networks require a password; the encryption key is derived from that passphrase (together with the network name), so the password is effectively the key. This encryption protects your privacy from people within range of your wireless signal who don’t know the password (on a shared-password network, another user who knows the password and captures your handshake can derive your keys, so it protects you from outsiders, not from other users of the same network). Take away the encryption, and your wireless card is just a radio, broadcasting everything you do to those in range. A person in the next room can easily listen in as you read email, check your bank account, or order a pizza.
- Online shopping. When you shop online, strong encryption protects your credit card information. Without strong encryption, you’re effectively writing your card number, expiration date, and CVV on a postcard and dropping it in the mail. Anyone between you and the merchant can read (and copy) your credit card information, and use it for their own purposes. Ditto for businesses that authorize credit card transactions over the internet.
- Virtual Private Networks. VPNs are often used by companies, both for employees working remotely, and to connect different offices to each other. The VPN’s strong encryption permits a company to move data around without having to worry about the data being copied in transit. This might be payroll, contracts, product designs, studies, and what have you. No encryption means this material is all out in the open for everyone to see (and copy).
- Device and hard disk encryption. Say your laptop is stolen; disk encryption means that the thief gets a laptop, but none of the data that laptop contains (provided the laptop was powered off or the disk was locked, so the key isn’t sitting in memory). Without encryption, the thief gets the data too.
- Passwords. I’m sure you’ve heard “when logging in to a website, make sure you see https and the lock icon” (even the IRS says so!). HTTPS is HTTP carried over TLS, a form of strong encryption; aside from protecting your privacy (e.g., what you’re doing on the website), this encryption protects your login details. Without the encryption, your login details are out in the clear, for anyone on the path to observe (and copy, and use later for their own purposes).
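The Wireless Networks item above says the network password is, in effect, the encryption key. Here is an added example (mine, not part of the original post) of how WPA2-Personal actually turns the passphrase into the 256-bit Pairwise Master Key: PBKDF2 with HMAC-SHA1, using the SSID as the salt, 4096 iterations. The test vector (passphrase “password”, SSID “IEEE”) is the one published in IEEE 802.11i; the function names are my own.

```python
import hashlib

# Constraints from the standard: passphrase is 8..63 printable ASCII characters,
# SSID is at most 32 bytes.
PASSPHRASE_MIN, PASSPHRASE_MAX, SSID_MAX = 8, 63, 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key (PMK).

    IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The SSID is the salt, so the same passphrase on a different network name
    yields a different key.
    """
    if not (PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX):
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if len(ssid_bytes) > SSID_MAX:
        raise ValueError("SSID must be at most 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as printed by wpa_passphrase and similar tools."""
    return wpa2_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Published 802.11i test vector; the second call shows the SSID binding.
    print("IEEE / password :", pmk_hex("password", "IEEE"))
    print("Cafe / password :", pmk_hex("password", "Cafe"))
```

Two practical consequences follow from the derivation: the key is bound to the network name, so the same password on two networks gives two different keys; and anyone who knows the passphrase and captures your four-way handshake can run the same derivation and recover your session keys. A shared-password network protects you from outsiders, not from other people who were given the password.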
Beyond the basic matter of privacy, strong encryption is a very effective way to prevent identity theft, financial fraud, and unauthorized access to your online accounts. The absence of strong encryption makes these types of crimes significantly easier to commit.
When we say “weakening encryption will not make anyone safe”, we really mean just that.
The EFF sponsored a whitehouse.gov petition, called “Publicly affirm your support for strong encryption”, which gathered 104,000 signatures; above the 100,000 threshold needed for a response. The White House responded with “we want to hear from you on encryption”. Apparently 104 thousand signatures wasn’t hearing enough. If you have a moment, please pay a visit to https://www.whitehouse.gov/webform/share-your-thoughts-onstrong-encryption and remind the White House of the vital role that strong encryption plays in our everyday lives. You can even point out that their own pages use https.