Why Everyone Should Care About Strong Encryption

One often hears statements along the lines of “I have nothing to hide, why should I care about encryption, government access, etc.” The fact is, though, that most of us either directly access services over the internet or do business with companies that store data on computers. And even if you fully trust your government, you certainly don’t trust criminals who want to break in and steal your data, your money or your identify. Strong encryption is essential for protecting this data. I suspect this may be obvious to any regular readers of this blog, but this may provide some useful information for discussion with your friends and colleagues who don’t think they have a stake in the game.

I”ll use password protection as an example. Anyone doing any sort of business or information sharing online uses passwords. Using weak passwords and/or reusing the same few at many sites is a very bad practice that leads to ID theft and hacked bank accounts. But it’s difficult or not impossible to remember dozens and dozens of strong random passwords. That’s why many of us use an online password manager that we trust (I happen to use LastPass, but there are several good ones).

A key element in trusting them is that, at LastPass puts it: “The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.” Only highly encrypted versions of my passwords go to LastPass, and my master password never does. So whether a hacker or the government breaks into LastPass, all they get is the encrypted data.

Even if you don’t use a password service, it’s basic good security practice for the companies you do business with to NOT store your password anywhere, but rather a secure hash of the password. This allows them to verify that YOU have correctly entered your password without actually knowing the password, but rather knowing a value that was algorithmicly derived from your password but that cannot reasonably be reverse-engineered to determine your password. If they don’t know your password, then it can’t be stolen from them.

Bills like Burr-Feinstein  propose to outlaw such services! The Senate bill, and similar proposals, would require that a company be able to decrypt the data they store for you, outlawing secure mechanisms that protect your data by never getting your unencrypted data AND never knowing your decryption key. Instead, weaker services that are vulnerable to hacks would be all that would be legally available.

You may not be a dissident or an investigative journalist, but you likely have bank and credit card accounts you’d like to keep as safe as possible. You need strong encryption.