The debate over whether to provide governments with “backdoors” to break encryption in software and devices continues to rage. Earlier this month, messaging company WhatsApp added end-to-end encryption for the billion users of its service. And today, messaging firm Viber announced it would follow suit, meaning it won’t be able to decode messages its users send; neither will any government agencies.
That stance is popular with IT professionals, according to the results of a survey conducted by the Spiceworks Community, an online professional network of IT pros. The survey, which polled more than 600 IT professionals from North America, Europe, Africa and the Middle East in March 2016, found that 87 percent of the respondents believe that backdoors in encryption protocols, hardware or software leave organizations more exposed to a data breach.
Valuing Encryption for Security
Law enforcement agencies have argued that end-to-end encryption can aid criminals and terrorists. The FBI, in particular, has expressed worry about “going dark” on investigations as encryption on smartphones and online services becomes more popular.
However, civil liberties advocates and many in the technology industry believe that providing law enforcement with the ability to break through encryption will inevitably lead to weaker security for organizations and users by allowing malicious actors to gain access to the same tools and exploit them for nefarious purposes.
Providing backdoors can also weaken a company’s reputation, according to Spiceworks. The community separately surveyed 220 IT professionals in the United States and the United Kingdom to “understand what impact, if any, a tech vendor’s history of allowing backdoor access would have on the bottom line.”
In that survey, 65 percent of respondents said they are less likely to purchase from a company that's been known to place encryption backdoors into its products. Just 20 percent said that knowing a company had used backdoors would have no effect when evaluating vendors.
The survey of the 220 IT pros found that 57 percent believe network or device encryption “helped their organization avoid a data breach,” which Spiceworks says is an indication “that encryption, as part of a holistic, layered approach to network security, can help protect corporate data in the event of a cyberattack.”
But how much data encryption is being done? The second Spiceworks survey found that it is more common to encrypt data that is in transit than data that is at rest on devices and networks.
Forty-seven percent of the IT respondents encrypt data in transit from cloud computing resources, notebooks and desktop computers, and 46 percent encrypt data in transit from servers. Only 31 percent encrypt data at rest on servers, and just 28 percent encrypt data at rest in cloud storage systems.
The issue becomes more acute for devices such as smartphones and tablets, since law enforcement can more easily gain physical access. Only 28 percent of respondents in the Spiceworks survey of 220 IT professionals said that their organizations’ smartphones have data encrypted when at rest, and just 25 percent said the same is true for tablets.
Apple Keeps Fighting While BlackBerry Cooperates in Canada
Meanwhile, tensions over encryption continue between law enforcement agencies and technology companies. The Justice Department said late last month that it had, without Apple’s help, cracked the iPhone 5c belonging to one of the gunmen in the December terrorist shooting in San Bernardino, Calif. While that case has been resolved, similar cases are proceeding.
Last week, Apple asked a federal judge to block the DOJ’s efforts to unlock an iPhone in a New York drug case, arguing that the solution the FBI found in the San Bernardino case undercuts the government’s contention that only Apple’s help will let it unlock the phone.
In a separate case, a joint VICE News/Motherboard investigation found that the Royal Canadian Mounted Police (RCMP) “intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages” related to an investigation into a murder in the Montreal area.
BlackBerry CEO John Chen defended the company’s involvement in the case. “Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles,” he said in a company blog post. “Furthermore, at no point was [the BlackBerry Enterprise Server] involved. Our BES continues to be impenetrable — also without the ability for backdoor access — and is the most secure mobile platform for managing all mobile devices.”
But as Motherboard points out, Chen did not address whether the company provided the RCMP with an encryption key to decrypt consumer-grade messages sent via BlackBerry Messenger. Chen said only that its corporate BES systems were not involved in the case.