The case against web encryption, Title II designation for ISPs
Sometimes it pays to rethink things. That's what I've been doing on two matters: whether all web data traffic should be encrypted; and whether Internet services should be regulated by the U.S. Federal Communications Commission as utilities under Title II of the Communications Act of 1934.
On the question of encryption, computer security expert Bruce Schneier posits in an article from June 2010 that "encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller." That's because you still have to secure the decryption key, which is usually stored on the same web server that holds the encrypted data.
Data security ultimately has to have a human-only component. Unlocking data must entail some secret stored only in a human's brain, or some unique physiological component that's difficult for a criminal to copy or mimic. Unfortunately, there are problems with biometric-based access controls: The system has to convert the unique physical characteristic into a digital form that can be stored and recalled on demand. What's to prevent a thief from stealing that digital form of your fingerprint, retina scan, heartbeat, or other measure?
In fact, hackers are making off with fingerprints on machines that use fingerprint scanners. SlashGear's Adam Westlake writes in an April 25, 2015, article that some Android phones have a flaw that allows hackers to steal the device's fingerprint data. FireEye, the security firm that disclosed the flaw, points out that the problem has already been fixed in recent versions of Android, so there's little risk to Android users.
As the April 14, 2015, Weekly stated, the loudest opposition to encrypting data on the web is from law enforcement. In an April 23, 2015, article on the Financial Times site (registration required), Rob Wainwright, the director of Europol, the European police agency, states that bringing the perpetrators of Internet crimes to justice requires the cooperation of the Internet services the crooks rely on. Rather than build backdoors to encrypted data in the hardware -- which the bad guys inevitably discover -- it's more effective to work directly with the people at the Internet services to identify the criminals who use those services.
Machines alone can't protect our sensitive data. Any machine can be hacked, as has been proven time and again. There has to be a human-only element to any effective data-security plan. End-to-end web encryption will make it more difficult for someone without authorization to access our sensitive information, but not impossible. And maybe that's as it should be. Any digital data stored or communicated anywhere in the world is vulnerable, whether it's encrypted or not.
Thus we circle back to the age-old maxim of computer access controls: Something you are (biometrics), something you have (such as a mobile phone for two-factor authentication), and something you know (good old passwords, or more securely, passphrases). But what do you say we encrypt everything anyway? Doing so adds only a little to the cost of processing and storing the data while providing a much higher level of protection.
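Schneier's point about the key sitting on the same server as the data, and the "something you know" factor above, can be shown together. The following is an added example, not code from this article: the key is derived from a passphrase with PBKDF2, so the stored record holds a salt, nonce, ciphertext and tag but no key. The function names, the iteration count and the HMAC-based keystream (standing in for a vetted AEAD cipher, which Python's standard library lacks) are assumptions.

```python
from __future__ import annotations
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not a vetted AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(passphrase: str, plaintext: bytes) -> dict:
    """Build the record the server stores. It contains no key material."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_record(passphrase: str, rec: dict) -> bytes | None:
    """Re-derive the keys from the passphrase; return None if the tag fails."""
    enc_key, mac_key = derive_keys(passphrase, rec["salt"])
    expected = hmac.new(mac_key, rec["salt"] + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None  # wrong passphrase or tampered record
    ks = keystream(enc_key, rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))

if __name__ == "__main__":
    # Constructed sample data for illustration.
    rec = seal("correct horse battery staple", b"account=12345; balance=100")
    print(sorted(rec))                      # what a thief copying the disk gets
    print(open_record("guess", rec))        # fails without the passphrase
    print(open_record("correct horse battery staple", rec))
```

The record is only as strong as the passphrase, since anyone holding a copy can try guesses offline; the work factor slows that down but does not stop it.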
Is government regulation the end of the Internet as we know it?
As part of its plan to enforce net neutrality, the FCC has proposed classifying Internet service providers as common carriers under Title II of the Communications Act of 1934. Doing so would subject ISPs to many of the same regulations that apply to telephone companies. The FCC insists it will regulate ISPs in a way that doesn't stifle innovation. Some of the Internet's founders beg to differ.
In an April 26, 2015, post on TechCrunch, Daniel Berninger writes that the FCC's Open Internet regulations will lead to "stagnation and ambiguity." Berninger represents the Tech Innovators coalition that includes such Internet pioneers as Bob Metcalfe, John Perry Barlow, Mark Cuban, Ray Ozzie, and Tim Draper. He claims the "unintended consequences" of telephone-style regulation of the Internet will "expose the communicating public to unnecessary risk."
Is the FCC overstepping its authority by reinterpreting an 80-year-old statute to impose regulations on an industry that has thrived in the absence of any direct government controls? Berninger insists that only Congress has the power to enact such regulation.
I agree with Berninger's assertion that the Internet is not a telephone network. However, I disagree with his claim that the technology will continue to thrive in the absence of any government regulation. It is clearly a public utility, the same as the power grid, water and sewer systems, the interstate highway system, and the POTS telephone network. Businesses and consumers alike need to be protected from abuse of power by the handful of megaservices that dominate the Internet economy.
Whether the FCC's current proposal is the best way to do so is an open question. Could Congress come up with a better regulation plan? Excuse me if I refrain from holding my breath.