The Security Hot Seat: Personal Device Encryption

This week's Hot Seat features the latest issue in the debate on personal privacy vs. national security

Without question, Apple and Google’s announcements that they will offer cell phones providing full end-to-end personal encryption were among the biggest and most talked about news stories of the past few weeks. This is a watershed event for personal privacy, with Apple and Google being the first to provide this privacy measure out-of-the-box on consumer mobile devices.

The announcements from Apple and Google are also the latest to fuel debate over the balance between personal privacy and national security. Perhaps the most public opponent has been FBI director James Comey, who spoke out against Apple and Google’s plans this past Thursday in a speech at the Brookings Institution in Washington. Comey is calling for new legislation to prevent technology companies from manufacturing devices that block government access to personal data. He believes this poses a threat to national security, as malicious actors could benefit from having their communications obscured from government or law enforcement surveillance. While this will hold true in some cases, fully encrypted phones and other devices would not hinder legitimate real-time wiretaps of phone calls, text messages, emails, or other communications. Additionally, pursuant to a warrant, law enforcement agencies would still be able to access communications metadata as well as data that is synced to the cloud or stored in applications.

Beyond securing personal data, this measure could also protect users from malicious hacking and non-governmental surveillance. Full encryption eliminates the attack vector created when devices are built with backdoors for government and law enforcement access. According to the New York Times, such backdoors often serve as gateways for criminals to access or steal unencrypted private data.

The FBI’s position could be a real issue for U.S.-based technology companies. New legislation that bans production of encrypted consumer devices by American companies would have no effect on non-U.S. companies that produce the same technology. Passing such laws could result in a serious loss of competitive advantage for many U.S. technology companies, as consumers who demand encryption could instead purchase products not subject to the same regulations.

Comey did emphasize, however, that he was speaking only for the FBI, not the NSA or any other government agency. There has been no indication that the Obama administration is looking to ban or restrict consumer device encryption. In fact, in the wake of the Snowden breach, the Presidential Advisory Committee on the NSA called for increased use of encryption by the government and U.S. companies, advising that “the use of encryption should be greatly expanded to protect not only data in transit, but also data at rest on networks, in storage and in the cloud.”

Nate Lord
