Encryption debate could have enterprise security implications

Cyber Security News

A sign with the “like” symbol stands in front of the Facebook headquarters in Menlo Park, California. Facebook is among the companies that would like to incorporate end-to-end encryption to benefit users. (Photo by Justin Sullivan/Getty Images)

United Kingdom Home Secretary Priti Patel is set to tell a conference of child protection activists that end-to-end encryption puts children at risk, according to a draft invitation seen by Wired UK. The speech, slated for April 19, comes as Britain prepares to roll-out its Online Safety bill, and as some groups advocate for stricter against end-to-end encryption for companies like Facebook.

This is not the first rodeo for debates over encryption. Security experts regularly square off against law enforcement for pushing to weaken encryption in popular programs to ensure police have the ability to read messages during investigations. At the same time, law enforcement experts spar with civil libertarians over the myriad threats to civil liberties. But enterprises often get lost in the debate.

“If we go down that road, preventing people from encrypting data or preventing platforms from building that encryption, I don’t see how they could just draw the line and say this is for enterprise use, this is for consumer use,” said Chris Howell, co-founder and CEO of Wickr, maker of an encrypted chat app built for the enterprise.

Encryption, at rest and in transit, is a component of many viable business security plans. Its effectiveness is recognized by regional privacy regulations, including the EU’s General Data Protection Regulation; industry requirements, like PCI for credit card processing; and even in cyber insurance policies.

While Facebook is only starting to move toward universal end-to-end encryption, Howell says that move can have real benefit for a tier of enterprises that use Facebook or other platforms to interface with clients.

“If you’re an enterprise and you’re relying on consumer grade [options to interact with customers], then something like this might mean a lot to you,” he said.

Beyond securing day-to-day communications, encryption is also a matter of preparedness for breaches, Howell added. The AP noted that when Department of Homeland Security email accounts were breached in the SolarWinds campaign, they switched to encrypted chat for a mechanism to securely communicate about the breach.

The argument against encryption for platforms like Facebook is it would shut off one of the major faucets of information about child exploitation material provided to law enforcement. Law enforcement agencies in the United States have made the same argument that Patel has made.

At a U.S. conference in 2019 expressly set up to dissuade platforms from implementing end-to-end encryption, the Department of Justice said the majority of the tips to a child exploitation tipline came from Facebook. End-to-end encryption removes Facebook’s visibility of raw data, in turn removing some of Facebook’s ability to make such tips.

Howell, who worked in computer crime and forensics for a decade for the state of New Jersey said he had seen several cases involving child exploitation as a very real problem.

“But even at that point in my law enforcement days, I was a technologist,” he said. “It’s a slippery slope to start blaming and banning the technology to having your enterprise interest be very much exposed. It would be practically illegal to secure your interests how you see fit, based on your determination of risk to your company and your interests and your stockholders and shareholders. You’d have a third party involved telling you: ‘Well, I know you think that’s important, but it’s really not.’”