Beyond Encryption: Experts Discuss Encryption, Privacy at RSAC 2016

Posted by Tony Kontzer

While it may not be the ideal case to serve as precedent, Apple's battle with the FBI over the notorious iPhone that belonged to a shooter in the San Bernardino, Calif., attacks last year could nonetheless prove to be a seminal moment for the future of information security and privacy. 

A keynote panel of some of the U.S.'s best-known security and privacy experts told thousands of attendees at the RSA Conference last week that breaking the encryption on the phone in question is a potential genie-out-of-the-bottle development, and that it could threaten the future of a technology—encryption—that's seen as critical to ongoing efforts to secure data.

"It would be a mistake to sacrifice the security value of end-to-end encryption just to give the authorities, while very important, access to phones that might provide evidence in an investigation," said Michael Chertoff, co-founder and executive chairman of security consultancy The Chertoff Group, former secretary of the Department of Homeland Security, and co-author of the PATRIOT Act. "Encryption is going to be a key element in a strategy to secure all of this going forward."

Which is exactly why the Center for Democracy & Technology just filed an amicus brief in the case. Nuala O'Connor, CEO of the nonprofit advocacy group, told the RSAC audience that the case's implications reach far beyond a single phone because of the precedent for giving law enforcement access to what is increasingly becoming a modern locker for our private lives.

To make her point, O'Connor shared an analogy she'd heard someone else make.

"It's like building a home, putting microphones and cameras everywhere, and saying, 'that's okay, the default is off, and we'll only turn it on if we need to,'" she said. "That's wildly different than getting a warrant."

The panelists were all in agreement that there's more at stake in the outcome of the case than access to smartphone data. The case could become a building block for what is expected to be a massive—and long overdue—rethinking of privacy laws for the digital age.

Mike McConnell, senior executive advisor at Booz Allen Hamilton and former director of the National Security Agency, pointed out that the printing press took 200 years to change society, while the Internet and mobile phones have changed it in less than a generation. Such rapid widespread adoption of technology calls for a more thoughtful process for assessing its potential consequences, McConnell said.

"We should continue to develop new technology, but understand how to live with it at the same time," he said. "Can we have a dialog where the objective is to find the most appropriate compromises?"

In fact, an effort to start such a dialog has arisen. Panel moderator and former RSA President Art Coviello took the opportunity to alert the audience about the Digital Equilibrium Project, a consortium that counts each of the panelists among its members.

Coviello, now CEO of a consulting firm that bears his name, said the group aims to "reach common ground so we can have social norms…a digital constitution, if you will."

Trevor Hughes, CEO of the International Association of Privacy Professionals, said the fact that the industry is having a meaningful conversation about where to draw the lines that balance security needs with privacy rights is an encouraging development. It's important, Hughes said, that the impact on that balance should be a topic of discussion each time a new technology hits the market.

Which is why the increasingly powerful role mobile devices play in our lives—not only as a communication and entertainment tool, but also as a management console for our digital information—necessitates having that discussion now. But Hughes cautions that refining that security-privacy balance will be a full-time job for society from here on.

"I don’t think we ever get it fully sorted out," he said. "Technology will continue to change our definition of privacy and our expectations of privacy."

Tony Kontzer, RSA Conference


