Infosec17: Society needs to address encryption dilemma
There needs to be a discussion about how to balance the interests of privacy, security and the tech industry, says Infosecurity Europe Hall of Fame inductee
According to one of the directors at Interpol, we are facing a “tsunami of criminality” online, says Mary Aiken, forensic cyber psychologist and advisor to the European Cyber Crime Centre (EC3) at Europol.
“We are going to have to think about governance in this space even though this makes some people uncomfortable,” she told Infosecurity Europe 2017 in London.
“But if we do not have some form of governance in the cyber context, that will negatively affect real-world social order,” she said.
Aiken’s comments coincide with fresh calls by the European Commission (EC) to give law enforcement new powers to obtain information from online service providers such as Facebook and Google as part of new measures to fight terrorism.
The EC has proposed multiple ways to make it easier for police to retrieve data stored in the cloud directly from technology companies in response to complaints about delays in investigations, reports the Telegraph.
The proposals include allowing security forces in one member state to ask a tech firm directly for data without consulting the authorities in that state, introducing an obligation on tech firms to hand over data to any force from a member state when a legal request is made, and giving police forces direct access to servers so they can copy the data they need.
“This third option is kind of an emergency possibility which will require some additional safeguards protecting the privacy of people,” Vera Jourova, European Union (EU) justice commissioner, told Reuters. These safeguards would include requiring that law enforcement requests are necessary and proportionate, she added.
EU justice ministers are aiming to put forward a proposal for future legislation in this regard by the end of the year or early 2018.
Three conflicting aims in cyber space
According to Aiken, there are three aims in apparent conflict: privacy, collective security and the vitality of the tech industry.
“To achieve a balance in cyber space, none of those aims can have primacy over the other,” she said, adding that she is “very concerned” from a policing and governance point of view that there are encrypted domains that are effectively beyond the law or cannot be accessed easily when necessary.
“It will be almost impossible real-time to deliver on collective security when this information is obfuscated,” she said, suggesting there needs to be a conversation about how best to resolve these tensions.
“We need to stop thinking about things like cyber security and child development in silos and start joining the dots,” said Aiken.
“It is all connected. We can’t look at any one problem in isolation. Hackers don’t wake up at 15 and decide to become a hacker. There’s a developmental pathway to hacking, and if we can understand that and address that early on, then we can start tackling that problem over time.”
The UK has shown “incredible leadership” in this regard, said Aiken, both in terms of access to online pornography, which is “very damaging for young people”, and in looking at online age verification, which is “critical” in terms of child protection.
This is an issue that everyone in society should be concerned about, she said, because in time these children will begin to shape society. “When we are all sitting in a nursing home, they are the ones who are going to be running the country, and they may not have the level of empathy that is conducive to looking after everybody else.”
Asked about concerns from the information security community about giving advantages to criminals by making data more accessible to law enforcement, Aiken said this is the crux of the debate and that, without being prescriptive about what should be done, there have to be checks and balances in place.
“Effectively, if we see increasing amounts of negative behaviour associated with wide use of encryption across social media platforms, for example, and that has a negative impact, then we are going to have to think about it again and have a conversation about where robust encryption is appropriate and where it is not,” she said.