Encryption Usage Growing, But Gaps Remain With Mobile Apps, Enterprises, Government
Use of encryption, whether over the web with HTTPS, in the cloud or via email and messaging services like WhatsApp, has rapidly risen over the past few years as worries over cybercrime, government hacking, and corporate collection and use of people's personal data have soared, several experts said in interviews over the past week. Despite encryption advancements that are now less costly to implement than in past years, the experts said the lack of widespread encryption remains an issue within companies and governments protecting their data, as well as in mobile apps, which could expose considerable information about users if hacked.
"We are moving in the right direction on encryption," said Alan McQuinn, research analyst with the Information Technology and Innovation Foundation, who co-authored a report on encryption. "Are we fully secure? No, because there’s a whole number of vectors of attack that people can use for cybercrime that are not protected by encryption such as spearphishing or SQL [Structured Query Language] injection. But yes, we’re doing fine. We’re doing a lot better than we were five years ago, a whole lot better than we were 10 years ago, and it’s kind of this steady march toward better cybersecurity as we grapple with it and understand it better."
McQuinn said large-scale data breaches pushed the issue to the forefront, but he also credited several initiatives and companies like Apple and Google for making encryption a higher priority. For instance, experts said the free certificate authority, Let's Encrypt, is trying to get the web 100 percent HTTPS, which is the protocol to protect data in transit and ensure the authentication of a visited website. In a June 22 blog post, the initiative, led by the Electronic Frontier Foundation and Mozilla among others, said it had issued 5 million certificates since December when it expanded the service's availability to the public. Of those issued, 3.8 million certificates are active and cover more than 7 million unique domains, it said. About 45 percent of page loads on the web use HTTPS, and getting to 50 percent this year "seems within reach," the initiative said.
Experts said email communications are largely encrypted. As of Aug. 9, Google's transparency report said 86 percent of messages from Gmail -- one of the most popular email services globally, the experts said -- to other email providers were encrypted, while 77 percent of messages from other providers to Gmail were encrypted. In early 2014, the outbound figure was just 33 percent, and the inbound figure 30 percent.
There are plenty of other examples. McQuinn said broadband network provider Sandvine's February report indicated 70 percent of global internet traffic will be encrypted this year, with many networks eclipsing 80 percent. And besides Facebook's WhatsApp, which began providing full end-to-end encryption by default in April, the social networking company said a month ago that it has begun testing end-to-end encryption on its Messenger tool to enable "secret conversations" between people. Plenty of other messaging services like Signal and Telegram also offer end-to-end encryption.
Cybercrime and ID theft have been big motivators for encryption, but Ross Schulman, senior policy counsel with New America's Open Technology Institute, said people also are worried about companies getting ahold of their personal information. He said Americans are becoming more conscious of their privacy, partially evidenced by the increasing popularity of ad blockers. People have the tools to make themselves safer now, but they need to learn how to use them and that's where companies like Facebook and Google are falling short by not making encryption the default setting, he said. Those companies don't do it for valid business reasons like providing more services to their customers, he said. But defaults do matter, especially for dissidents and reporters in other countries, who depend on their communications not being deciphered by their governments, and that's very worrying, said Schulman.
Americans are also more concerned about the government surveillance revealed by former NSA contractor Edward Snowden, leading some to change their behavior and push for encryption, said Ryan Hagemann, Niskanen Center technology and civil liberties policy analyst. But people will have to make tradeoffs on whether they want to learn to turn on encryption for some services, pay for a higher grade of protection, or exchange their data for a free service and run the risk that the government may scoop up their data, he said.
It's easy to spot a padlock on a website showing it's protected, but Chet Wisniewski, principal research scientist at security company Sophos, said there's no way to know whether mobile apps are encrypted, and that's a major problem. “Study after study after study has shown these apps are largely not using encryption or if they are using encryption they’re doing it incorrectly, and that means [it’s] very easy to intercept again or bypass,” he said. It's debatable whether user data within gaming apps like Pokemon Go needs to be encrypted, Wisniewski said, but information such as battery percentage, cellphone carrier, name of a user's Wi-Fi and other data could be used by hackers. "If we encrypt all the things, then even if you make a mistake hopefully you’re not being put in harm's way even when you don’t understand the gravity of the mistake that you made," he said.
Earlier this year, Sophos released a global survey that found about 44 percent of businesses are using encryption extensively and 43 percent are using it in some manner. Overall, relatively small percentages of companies are encrypting their customers' data (24 percent), intellectual property (41 percent) and employee human resource records (43 percent), the survey found. But the survey found that U.S. companies typically use encryption more than those in other countries, including Australia, Canada, India, Japan and Malaysia. Wisniewski said there has been more adoption in larger companies especially in the defense and finance sectors, but even small businesses like a flower shop or pizza place should consider encryption because some store customer information like credit cards.
Companies are largely employing more encryption, Hagemann said, but "the government is woefully, woefully behind in terms of cybersecurity best practices," partially because many agencies operate in a federated manner. For instance, while many federal departments use HTTPS, the House and Senate websites don't. He said those sites may not have a whole lot of data to protect, but activating the SSL certificate is easy and "low-hanging fruit" for cybersecurity best practices: "And the fact that they still haven't been able to sort of pick that low-hanging fruit and get it done, I think, should worry a lot of us."
Editor's note: This story is the first of a two-part series. The second story will look at law enforcement's concern with encryption and actions to resolve those worries.