Security news that informs and inspires

The Encryption Storm on the Horizon

For users of encrypted services or those who simply care about the privacy and security of their data, there are ominous clouds gathering in the east, signaling a storm that could make its way west before long.

On Tuesday, a high court judge in Russia issued a ruling that may force officials from Telegram, the encrypted-messaging app, to hand over to the FSB the encryption keys for customer data. The ruling is the apparent end to a dispute that goes back to last year when the Russian security service demanded the keys as part of a renewed push against secure messaging apps, under the guise of anti-terrorism. Telegram officials had declined to provide the encryption keys and the Russian government levied a fine against the company, which eventually appealed the order.

Telegram is planning to appeal the Russian supreme court’s ruling, too, which could take several months. But, given the track record of the regime in charge, the chances for success on appeal seem low.

“Threats to block Telegram unless it gives up private data of its users won't bear fruit. Telegram will stand for freedom and privacy,” Telegram CEO and founder Pavel Durov said on Twitter Tuesday.

Durov and Telegram are in a difficult position. The company has several million users in Russia and if it eventually fails in its appeals, it either will have to share the encryption keys with the government or possibly withdraw from the country altogether. That is no easy choice, especially when the user population likely includes people whose safety and security depends upon being able to communicate privately.

Telegram’s predicament is similar to one in which Apple found itself recently. Last month, Apple began hosting the iCloud accounts of Chinese users in a data center in mainland China as part of a move to get in line with that country’s laws. The second part of that move is more troubling, as Apple also now will store the encryption keys for Chinese users’ iCloud accounts in China. That means the Chinese government no longer will have to deal with United States courts in order to get access to a target Chinese iCloud account.

Like Telegram in Russia, Apple tried to fight the Chinese requirements, but failed. The upshot is that is Chinese law enforcement officials want access to a Chinese customer’s iCloud account, they now will have very few hurdles to cross in order to get it.

Companies that do business in those countries should understand the rules of the game before they play.

These two decisions, while separate and distinct, are worrisome in the broader scheme of things. Many governments have been putting pressure on technology companies such as Apple, Google, Twitter, and others, to give them a way to access encrypted customer data. Some of this pressure has come under cover of anti-terror measures, while some has been undisguised and is simply standard operating procedure for authoritarian regimes. These tactics have had varying degrees of success, depending upon the country and the company and what the economic incentives are.

That’s expected behavior from such regimes and companies that do business in those countries should understand the rules of the game before they play. But the worry is that the storm that’s been brewing in Russia, China, and elsewhere could hit the U.S. before long. The fight over encrypted data certainly isn’t anything new to American companies (see: Apple v. FBI, Google v. FBI, Zimmermann v. Everybody, etc.), but traditionally those conflicts either have wound their way through the courts or been halted before they even get that far. The U.S. Constitution tends to stand in the way of many of the demands that might go through in other countries. That has worked to the advantage of tech companies and the customers who worry about the privacy of their data.

The question now is how long this will continue to be the case. Law enforcement agencies and lawmakers continue to apply economic and political pressure to tech companies, trying to find some way to ensure access to encrypted communications and data. Meanwhile, some providers are going in the other direction and designing their systems in such a way that they never hold encryption keys and so can’t be forced to relinquish them, even with a court order. Those two positions are incompatible and both sides are dug in and showing signs of becoming more entrenched as time goes on.

A showdown seems inevitable. Whether it comes sooner rather than later remains to be seen, as does the which company or companies winds up taking the lead. Users can only hope that tech providers remain steadfast in their resolve to protect users’ rights. It’s not an easy fight, nor will it be quick one. But it’s a vitally important one.