Standing in the way of control: a note from our CISO
If you’re reading this right now, you’ve probably got an app that uses end-to-end encryption humming in the background of your mobile device or desktop. Encryption – in its many shapes and forms – is everywhere.
The messaging app that you use to discuss what to make for dinner with your partner? End-to-end encrypted. The conference video platform you dial into for your quarterly business reviews? It may not have always been the case, but it’s now end-to-end encrypted. The data room where you keep your company’s board meeting notes? It might not be encrypted right now, but… it definitely should be!
End-to-end encrypted services became particularly important in 2020, a year when business practices across the world endured significant disruption. The upheaval that this caused created a smokescreen for regulators to revisit the case for unravelling end-to-end encryption, with statements emerging from the US Department of Justice (backed by many other governments) demanding access to encrypted services through backdoors.
Backdoors would severely compromise the ability of almost every industry vertical to store individual consumer data. This would create weaknesses for an entire ecosystem of encrypted messaging apps and platforms. Gaping holes would appear in the defences of any company or service provider in the business of retaining personal information. And… let’s just say that customers would soon lose trust and confidence in their banks, telco providers and government agencies if this scenario were to develop.
Enterprises have less ‘skin in the game’ when it comes to end-to-end encryption (as a result of slower adoption rates), but this does not make them any less vulnerable. Businesses require central control for their systems to function, control which is normally facilitated through a front-end admin housed within the organisation. Access to this is closed off to everyone (not just law enforcement) for a very good reason: get multiple parties involved, and you create a scenario where unacceptable weaknesses creep into your once intact system. This is what backdoors cause, and this is why the privacy of individuals and businesses is such a priority for me and the business.
Regulation, however well intentioned, does not eradicate the problem at hand. This is a set of circumstances that should be familiar to the US Department of Justice, given the failures of its government to deal effectively with Prohibition and, in recent years, the War on Drugs – situations where overzealous regulation did nothing to address the demand or availability of the controlled substances at hand.
And it’s at this point that the argument for encryption backdoors really falls flat on its face – regulation of encrypted services simply does not present a barrier to entry for anyone willing to bend some rules to get their hands on the forbidden fruit. Increased regulations will only hurt the good guys – operators who, like Tresorit for example, simply want to give businesses the opportunity to manage their data centrally (and securely) without sharing sensitive information with the cloud provider.
We hope that regulators everywhere join us and all other encrypted players on the right side of history, and stop the bad guys from winning again!
Szilveszter is the co-founder and CIO of Tresorit, and is responsible for the smooth functioning of IT operations, compliance and business intelligence. Szilveszter is a Computer Engineer by education and has won several programming competitions (ACM, ImagineCup). He is also a problem writer for and participant in computer science competitions such as “Challenge 24”. Previously, Szilveszter was a lecturer of Programming at Budapest University of Technology and Economics.