Encryption Matters

The Internet has become even more important than ever since the outbreak of COVID-19. Imagine if we were living in a world where the development of the Internet was not as advanced as today, “work from home” or remote learning would be a myth, and our entire world would have been on pause completely in the past months.

In January 2020, the household broadband penetration rate in Hong Kong exceeded 90 percent (OFCA, 2020) and the mobile subscriber penetration rate reached 283.0 percent in November 2019 (OGCIO, 2020). Whether you are digital immigrants or digital natives, you are engaged in using the Internet or new technologies every day. From checking work emails to watching live streaming news with your social media account, we are more inseparable from the online world.

Many of us have added the Internet as the most fundamental need in the pyramid of Maslow’s Hierarchy of needs (GU Executive Education, 2013). Given how Internet has become an essential part, how much do you understand about the Internet though? Would you be fine with —— as long as you got your non-disrupted Internet connection —— exposing your personal data by using a non-encrypted social media service, or falling prey to an insecure network, which very likely might lead to a leak of confidential information? Definitely not recommended.

The Internet has become an inseparable part of our life, and the online and offline world are more intertwined than ever. Yet, most of us are unaware of online safety, just like things as simple as not leaving our wallet unattended in the public in the offline world.

What is encryption?

Encryption helps protect data you send, receive, and store, using a device (Porter, n.d.). It can be text messages stored on your smartphone, bank information sent through your online account, and your saved data on Animal Crossing.

It is a process of scrambling or enciphering data, so it can be read only by someone with the secret code or decryption key to return it to its original state. It provides data security for sensitive information. (2020, Internet Society)

Why do we need to care? 

Data is increasingly central to all aspects of our lives. Keeping our data secured is as important as locking our homes or protecting our valuable business property (2019, BSA). Most of us understand the importance of keeping our properties safe in the physical, but unaware of protecting our own data secured in cyberspace.

Some are under the mistaken belief that encryption is not that important if we have nothing to hide. But if our data falls into the wrong hands, it can be used to damage your reputation; you can be hurt financially by identity theft, as they may impersonate you to redirect a financial payment.

Encryption in daily life

We rely on encryption every day. Strong encryption is fundamental to our security, confidentiality, and privacy. For example, websites use HTTPS, an encrypted protocol, to keep our data from being read by criminals while in transit; we trust companies to protect our credit card information when we make a purchase online; we expect the messages to be kept private when we use messaging app like WhatsApp that uses end-to-end encryption.

End-to-end (E2E) encryption is any form of encryption in which only the sender and intended recipient can read the message. No third party, even the communication service provider that has knowledge of the encryption key. E2E encryption is the most secure form of encryption we can use to protect our data. (ISOC, 2020)

Although E2E is the most secure form of encryption, it does not mean we are 100% safe online without the need of worrying about anything. For example, many of us have been working from home amid the COVID-19 pandemic, business is booming for a video conferencing service, Zoom. Yet, there is some crisis about their service, particularly about encryption. 

The E2E encryption claimed by the company is fraudulent and misleading. E2E means from one end-user device to another end-user device to most of use, but in the definition of Zoom, E2E means from one end-user device to the centralized server as a relay. Although data is still encrypted in transit, Zoom holds the key and they can decrypt the data when it passess through.

Vulnerabilities in a system offer bad actors a chance to collect data from users in general for many purposes. Bad actors are not limited to hackers only, but also technology companies which strive for profit or even governments. For example, they can build up a data model to provide analytics for profit, they can sell it to black market for money, or even use the data to perform surveillance and ransoming.  Some may just do it for fun. Who knows? But if we don’t care about encryption and stay unaware of the complexity of the cyber-world, our security, confidentiality, and privacy will always be at risk.

Beware of the threats to stay safe

Some governments try to make companies create access to the content encrypted to enable content filtering or blocking. Some companies demand access to encrypted data for monetization purposes. However, any so-called backdoor access reserved for “authorized” uses will always weaken the system overall. Backdoor access mechanisms always add complexity to the systems which may lead to vulnerabilities. These vulnerabilities can act as points of entry that anyone can discover. 

A “Ghost protocol” is even proposed in the Government Communications Headquarters (GCHQ) in the United Kingdom (Garcia, 2019), by adding a silent listener into a private conversation, in order to facilitate access to encrypted data. The data is still encrypted, but the government will get a copy of the conversation from the end-user. The ghost proposal inevitably changes the trust relationship between users and service providers, regardless of the users being aware of it or not.

Ghost proposals do not passively add silent listeners, but actively conceal third party intrusion into supposedly secure and confidential services. If such practices are known to be adopted in some dominant messaging platforms, would users still trust any purportedly confidential service? (Internet Society, 2020)

Encryption matters to all of us

Whether you are an ordinary Internet user or a software engineer, we are all in this together. No party can stand alone to persuade governments to stop creating laws or policies that harm encryption and digital security. we need to first be aware of both the importance and potential dangers  of our cyberspace, and further build awareness about the issues or actions that are harming encryption and cyber security together. We are losing our privacy, confidentiality, and security, by not knowing or forgetting the importance of protecting our own data. It’s not too late to start paying attention to all these issues. I guess you wouldn’t want to have your information, or even your identity online, stolen, right?

Submitted by Jenna Fung, ISOC HK Volunteer
June 5th, 2020