The Case for Strong Messaging Encryption
You don’t like eavesdroppers in real life, why is online any different?
My experience with security and encryption goes back more than twenty years. I like to say it all started watching Crimson Tide , I was enthralled with the encrypted messages and confirming if the message was genuine with challenge keys. I tried to use PGP back then — tied into Eudora with a few plugins — with little success. No one wanted to mess with signing and encrypting messages with PGP; it was too much of a pain, frankly. I didn’t think much more about security and encryption until a lot later, not until I was part of a local political party and we often joked about the authorities reading our messages in Yahoo groups. We knew they weren’t really secure. I don’t even think the connections were secured with https back then. Heck back in the early 2000s when you connected to Gmail it didn’t use https either. Not only were emails stored in plaintext (they still are by the way), we sent them that way too. It wasn’t until two things about internet life exploded onto the scene did we think about security in any meaningful way: online shopping and Wi-Fi.
Online shopping and securing purchases
One of the biggest barriers to online shopping in the early days came down to trust. How do I know that my credit card info was safe coming and going to your site? To shop (banking would come later) people wanted a sense of security. Secure certificates were the simple answer. Look for the wee lock in the address bar and you’re good. Your transaction was secured. The irony that back then we’d hand a credit card to a server at a restaurant who would wander away to swipe our card without thinking isn’t lost on me. Still, we started to be okay with shopping, banking, and everything else online and shopping in a store seems dated.
But if online shopping got people thinking about https (I know people didn’t think about https, just security), Wi-Fi opened our eyes to what we were all sending into the ether for people the snatch out of the air. Which brings me to strong encryption and eavesdropping.
WiFi and unencrypted connections
If you’re reading this post, saying “you know that coffee shop WiFi isn’t secure at all” is a blinding flash of the obvious. Still, my post on the 5 reasons why public WiFi isn’t safe might be handy to share with friends. When I got my first WiFi router (and needed a PCMIA card for my laptop), I didn’t put a password on my WiFi. Why? If someone wanted to be in range of my WiFi they had to be in my driveway — I figured I’d notice that. Back then discussions about putting passwords (with WEP no less) on WiFi APs was more about keeping your neighbors off your network and using your internet bandwidth than security.
Then we got a wake up call when a Firefox extension called “FireSheep” made packet sniffing over WiFi child’s play. Yeah, the tools were out there already then, but a freakin Firefox extension made it easy — and made news. Almost overnight we started thinking about WiFi security and VPNs. I emphasize thinking because not much as changed except pretty much everyone secures their WiFi at home and work. Public WiFi is still just as dangerous — maybe even more so — as it was back then. Which brings me back to the point of the article: if you don’t want something to leak out, you have to encrypt it with strong encryption.
Hey, are you listening in on our conversation?
When you’re chatting with a friend over coffee, you know your conversation isn’t private per se , but you sure get antsy if someone appears to be listening to your conversation. It’s not that you’re saying anything secret or private, but it’s rude. It’s none of their business. You’re having a private chat, so buzz off. And what you talk about online should be no different.
No one needs to know who you’re talking to, about what, or why. I’d say 99.9% of the time there’s nothing other folks need to know about. You might be talking about your favorite ways to cook turkey (as I was with a friend today) or catching up with an old friend. No one’s business. I don’t want people eavesdropping on what I say in public or online. I prefer to use strong end-to-end encrypted messaging whenever possible. WhatsApp with daycare, iMessage with family, at work we use SKY ECC.
But what about the conversations that governments or police might be interested in? This is the thorn in the side of every argument about strong encryption with no backdoors. What about terrorists? What about criminals? And believe me I don’t like that terrorists or criminals can use the same technology I use to share financial data with my accountant and no warrant in the world can get those messages for police. However, the cost is too great to allow it to be otherwise.
We know the “if you have nothing to hide, you have nothing to worry about” argument is hollow, we know this. The “…you have nothing to hide…” part is too slippery a slope. The number of data leaks, hacks, intrusions we see daily should give everyone pause when they post/write something that goes over the internet. That doesn’t even get into people outside of North America and Europe who often don’t have even a modicum of freedom of speech. Everyone has things they want — and have a right to — to keep private. The only way to achieve that is with end-to-end encrypted messaging. Yeah, and the consequence isn’t always pretty. It isn’t always nice. And it sucks. Locks protect doors to our homes. Locks also protect caches of weapons or drugs or money. We still need locks. We don’t have a master key for all locks. Well except for these locks from Caterpillar, and that’s just dumb.
As unpalatable as some of the consequences are, we still need strong, end-to-end encrypted messaging (without backdoors) for our own privacy, security and peace of mind.