The member states of the United Nations are preparing to negotiate a draft of a new convention on cybercrime. The United Nations Office of Drugs and Crime has invited NGOs and other stakeholders to participate in the negotiating sessions and share their views and expertise in this field. Our colleague, Szilárd Pfeiffer, Security Engineer & Evangelist at Balasys, has shared his thoughts on data privacy, encryption, and cybercrime as a member of the Cybersecurity Tech Accord with the delegates of the member states:
The first international milestone in the fight against cybercrime was the Council of Europe’s Budapest Convention. The Budapest Convention not only defined the concepts of cybercrime, but also contained procedural rules. To this day, the convention remains one of the starting points for international regulation of cybercrime. It may also serve as a good guideline for the regulation to be developed by the United Nations.
However, all regulation can contain points of debate. In the case of the Budapest Convention, the issue of privacy is one such point. It has been the subject of criticism over the two-decade history of the convention. The convention sets out obligations for collecting, recording, and intercepting content data in real time, transmitted by computer systems. It is important to highlight that the vast majority of the content data that is transmitted through the internet is encrypted. This means that data can only be collected and recorded in encrypted form. To break the encryption, law enforcement agencies need a backdoor in the system or a deliberate weakening of the encryption. These are theoretically and technologically feasible, but they raise practical feasibility concerns, doubts concerning proportionality and security risks.
Before continuing, I would like to emphasize that I do not intend to question the importance of fighting against cybercrime, but merely to find a way to minimize both security risks and privacy concerns.
In order to deliberately weaken any encryption algorithms, the active involvement of all the major players in the technology sector is essential, as they should implement these weakened encryption algorithms in their commercial products. At the same time, we should not forget the free software movement alongside the big tech giants. In this community, efforts to weaken encryption may be resisted because of their strong commitment to both trusted technologies and privacy. It is important to emphasize that the encryption software products we currently use in most web, cloud, and mobile technologies on our smartphones and laptops have been developed by technology companies and members of the free software movement.
Even if methods to weaken encryption can be successfully enforced, the question is what the drawbacks are alongside the benefits they bring. For law-abiding citizens, surveillance is likely to be 100% successful, but for criminals, this rate might not be significantly higher than it is now.
For instance, free software is never backed by a single organization, company, or state, but by decentralized communities that no one directly governs. The essence of free software is the right that users are free to modify the functionalities according to their needs. This means that cybercriminals can also evade the surveillance and weakened encryption that law enforcement agencies are able to break. In other words, our tools against the most dangerous cybercriminals and terrorists will be no more effective than they are today. Whatever solution we choose, let us not forget that backdoors in our security systems can be exploited not only by us, but also by our enemies – against us. Cybercriminals today are still working hard to find specific software flaws that can be used to break into computer systems to acquire or corrupt as much data as possible. These criminals, knowing that there is a backdoor in every encrypted communication on the internet, would probably devote all their resources to finding and exploiting it. If even one of these criminal groups succeeds, the impact is currently unimaginable.
Originally published at https://www.balasys.hu.
"Weakened encryption is a silver bullet - not just for law enforcement agencies, but for cybercriminals" is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.