
Mobile encryption pits tech companies against law enforcement


Guest post by John O'Donnell


In April 2016, WhatsApp founders Jan Koum and Brian Acton announced that the company would move to full end-to-end encryption, protecting all data shared over WhatsApp from the prying eyes of hackers, governments, and even WhatsApp itself. According to Koum and Acton, the goal is to "promote safety and security in the new digital age" by making sure the only people who can read a message are those who sent it and those to whom it was sent.

The decision—a provocative one, considering an estimated one billion people are using WhatsApp—may seem like a reaction to the FBI's effort to force Apple to crack the encryption on the San Bernardino terror suspect's iPhone. In reality, it's the latest blow in a long, multi-continental battle over whether the keys to strong encryption technology will be held by the organizations that own the data or law enforcement agencies that demand easy access to the data.

The encryption is based on the Signal Protocol developed by open-source encryption developer Open Whisper Systems. The developer also makes Signal, the text- and mobile-encryption app that NSA whistle-blower Edward Snowden recommends, according to independent security analyst Graham Cluley.

Euro-war on mobile encryption laws

Both these battles, however, are simply skirmishes in a longer war prompted by the combined efforts of the FBI, NSA, and other U.S. law enforcement agencies. They want backdoors inserted in the encryption products of U.S. companies to provide easy access for court-approved search and surveillance. That fight, which has been going on for more than a decade in the United States, is starting to heat up in Europe, as European Union (EU) organizations begin gearing up to implement tough new data privacy laws. Among them are rules allowing law enforcement agencies to crack or eavesdrop on electronic devices, but not the kind of all-access pass demanded by U.S.-based law enforcement.

The U.K., France, and a few other countries are debating more far-reaching rules, but Europe as a whole is opposed to the U.S. wish for backdoor access. This is partially because U.S.-based law enforcement is unlikely to share that access with Europeans and might be able to bypass EU law enforcement altogether to institute surveillance on European countries in breach of EU law.

Europe's top counter-terrorism agency, on the other hand, is eager for the European Commission to order tech companies to hand over a key to their backdoors—without which, according to leaked briefing documents, law enforcement would be unable to properly pursue those planning terror attacks on the continent.

Weakened mobile security

There are plenty of reasons to want additional security on mobile computing devices, according to WhatsApp and a raft of surveys showing that mobile devices have become an attractive and frequent target of hackers and malware writers. This is largely due to their low level of security compared to PCs and other, more complex devices.

Approximately 75 percent of mobile apps exhibit at least one critical security flaw, compared to 35 percent of non-mobile apps, according to the HPE Cyber Risk Report 2016. Encryption that's weak on mobile devices compared to desktop is at least partly to blame for the frequency of data leaks, security flaws, and the increasing number of attacks targeting mobile apps, the report said.

U.S.-based tech companies argue as strongly against EU backdoor access as they do against the domestic variety, according to a March New York Times story quoting a letter from Apple to the EU Parliament. "A key left under the doormat would not just be there for the good guys," according to the letter. "The bad guys would find it, too."

So far, there is no consensus on the backdoor encryption issue on either side of the Atlantic. For now, analysts expect the cops-vs.-privacy debate to continue, allowing business customers to have access to strong encryption internally while sometimes having to tread carefully where there is a chance of overstepping the bounds of EU privacy regulations. Encryption is critical to the enterprise, and its importance will only increase in our mobile, tech-centric world.

To learn more about why encryption is critical to enterprise security, read the Business of Hacking business white paper (reg. req'd).
