Data | Ethics | Governance

The Principled Data News Review

A Broader Encryption Issue

There is plenty of debate about whether government should have a back door to get access to encrypted data.  My opinion at the moment leans on the ‘yes’ side.  But I am not fully committed to the idea.

However, that aside … what about a bigger issue of society growing more dependent on encryption – the loss of access.  If we move toward an infrastructure that maintains encryption for data at rest, in use and in transit, then we just move the vulnerability to a different place – the keys.  We may have some assurance that data is secure and confidential, but we then rely on securing and backing up the decryption keys.  Then you need another infrastructure to assure key security and integrity.  Although, I think MFA helps here.  Store the key on (multiple) hardware device(s) (like by Yubico) and protect that with a pin or pass-phrase.

Not long ago I faced the challenge of recovering data from a Western Digital external hard drive.  Some (many?) of their models integrate hardware encryption so that the data is encrypted.  Access is granted on the fly through a decryption module on the SATA-USB bridge.  But what if the bridge is corrupted, you forget your password, or for whatever reason that part of the system fails?  (That is what happened in my case).  I could pay at least $1000 to potentially have a data recovery company retrieve the data.  But honestly, I found dealing with these companies akin to what it must feel like dealing with snake-oil boiler-room Ponzi schemes; i.e. it is shady, light on transparency and oversight, and it is difficult to get good information online.

Hardware encryption – or, encryption in general – seems like a good idea.  Until it isn’t.