The greater good: should the government hack you?
If you heard that the police had arrested the members of a vicious criminal group, you’d probably be pleased. But what if they did so by hacking an encrypted app, jeopardizing the safety of the hundreds of activists who used it? Could you justify that kind of privacy breach?
What does encryption do?
Encryption is the process of encoding information so that nobody but the intended receiver can decipher it. It’s the main way that we can protect our privacy online. Without encryption, internet service providers, hackers, and many others can monitor your unencrypted traffic and see what you do online.
This is why encryption is so important for activists, researchers, or vulnerable groups operating in high-risk environments with restricted online freedom. It protects them from oppressive regimes and can sometimes even save lives.
Law-enforcement vs. personal privacy
Many people around the world also use encryption for more mundane purposes, like protecting their personal privacy and avoiding bandwidth throttling. However, criminals can also use encryption to hide their activities from law-enforcement.
And this is where the issue becomes contentious. To prevent criminal or terrorist operations, law-enforcement agencies sometimes need to break encryption.
They usually do this by installing backdoors into software, which serve as an entry point to the data they need. However, it can also compromise the privacy of innocent users and establish precedent for future abuses.
A growing problem
This isn’t theoretical; we already have a growing number of cases that show the risks. One of the most recent examples was Google’s discovery and patching of 11 zero-day vulnerabilities used by US allies in counterterrorism operations.
It seems that US authorities knew of these vulnerabilities, and despite the risks they posed to Google’s users, did not report them. They evidently believed that their counterterrorism operations were worth the risk, but that debate is far from settled.
Here are some more contentious cases when law-enforcement groups appear to have risked or directly breached users’ privacy:
- The Hafnium hack. Following cyberattacks that exploited Microsoft Exchange Server, the FBI accessed the affected users’ devices without their consent. They did so to protect them from Hafnium’s intrusion, but this may have set a precedent for FBI agents hacking private citizens — for the greater good.
- Apple iPhone backdoors. A few months ago, Apple announced plans to scan the photo libraries of every iPhone user. This is part of Apple’s strategy for combating the abuse and sexual exploitation of children. Apple will report any suspicious findings to the national organizations dealing with these issues.
- The FBI honeypot app. The FBI made more than 800 arrests in one of the largest stings in modern history. They infiltrated the criminal world by distributing smartphones with a pre-installed encrypted communications app called AN0M. The app had a backdoor allowing police to read the messages of their targets.
As these examples show, we’re in a very grey ethical area here. There’s a thin line between a legitimate law-enforcement operation and a privacy breach. Do the ends justify the means?
Stockpiling vulnerabilities
Stockpiling is the process of finding vulnerabilities and not reporting them. Instead, law enforcement agencies can keep a list of these weaknesses — in encrypted apps and messaging platforms, for example — for future use. The vulnerabilities stay unpatched, and could potentially be exploited by criminals.
Again, this may already be having negative consequences for private citizens. The SolarWinds case is speculated to be the result of hackers finding NSA backdoors in the SolarWinds software.
Who suffers when encryption is targeted?
While encryption breaking can help tackle crime and terrorism, it can also cause substantial damage to innocent people who really need to protect their privacy. It can:
- Set a dangerous precedent that can be abused or exploited in the future.
- Endanger societies living under oppressive regimes with low freedom of speech. It could also endanger activist groups that use encryption to hide their activities from adversaries while fighting for freedom and against injustice;
- Expose informants and whistleblowers who provide sensitive and confidential information.
- Prevent vulnerabilities from being fixed, which could give hackers the chance to exploit them for their own purposes.
How VPNs enhance your privacy
A VPN is one of the most powerful encryption tools you can use to protect personal data. It routes your traffic through an encrypted tunnel to remote servers, so not even your internet service provider can invade your privacy. That being said, it’s worth noting that if you use an insecure or disreputable application, your data will still be visible to the app provider.
Premium VPN services use ultra-strong 256-bit encryption algorithms that are almost impossible to decipher. It will also change your IP so no one can see your location. And the Threat Protection Pro feature will stop trackers from following you around, while also blocking intrusive ads, malicious websites, and scanning your download for viruses.
Stay safe and encrypted with NordVPN!