“Recently I was invited to meet some representatives from the UK government. The reason was not very specific but the invitation was unambiguous: as the CEO of a security software vendor please attend this meeting as it is important. Having been involved in IT security for over 30 years I have learned that when your own government insists it is better to comply than to argue. So I made the 100 mile journey and as always was greeted with great courtesy along with some others who like me are veterans of the IT community.
Over a number of hours we discussed a variety of topics, but what seemed to me to be the core reason to attend was the posing of a question to us all: Would we be willing or even able to allow them (the government) access to our encryption methods so that in matters of national security they would be able to intercept and gain knowledge of what the bad guys are up to?
By professional necessity I was reading about the recent comments to vendors of NSA Director Michael Rogers about allowing them (the NSA) access by "the front door" rather than the back door to encrypted content. Again the reason being given related to national security, a principle that all right minded citizens support? Right?
Let's look at that more closely. All companies are obligated by national and international laws to protect many kinds of data from possible data breaches, and the penalties for non-compliance are considerable. At the same time all companies are facing a barrage of attacks from sophisticated gangs who want to steal valuable information and use it for profit, often with great damage to that business. Just to make things worse, there are agencies set up in many nations with the primary aim of tilting the competitive landscape in favour of companies from that nation. Don't get me wrong, we are all up to this, but here is an example that is quite well known: www.export.gov/advocacy
Let me comment on this. There is a wealth of data out there, as distinct from information or knowledge, fragments of documents, names and addresses, parts of a strategy paper; it becomes information when it is assembled into logical blocks that can be interpreted and in due course turned into knowledge when the whole picture emerges. Knowledge is very powerful. So, much of the data exchanged is not of much value until compiled with other data - for example the metadata that is carried in plain text in an encrypted email. To whom, from whom, subject line, time of send and delivery and so on. The final ingredient transforming this information to knowledge may be a leaked or stolen file - a story the business and political world has seen many times. At a base level this approach of data gathering is already used to great effect by government and by criminals to spot patterns, turning data into information into knowledge. It is not only top secret documents that need to be protected, nor is it just the government who want to gather your communications.
So on the one hand you are obligated to protect information and data, on the other hand your data is becoming a prized asset to be stolen by good guys and bad. As a vendor of security software we set out to enable companies to protect what they choose to protect and what they are obligated to protect. Privacy is important. Responsible use of encryption technology is necessary and should not be inhibited by intrusive government tactics targeting software vendors or indeed right minded business leaders who have responsibilities to their shareholders, staff, customers and suppliers to compete in a fair market, but to defend the value of the businesses they lead.
As a German company we comply with German privacy and export laws. Beyond that we don’t intend to weaken our product on purpose as it not only makes it easier for governments to access information but potentially the bad guys as well: We are committed to responsible secure ad hoc exchange of information and files for organisations of all kinds and rely on the responsible use of this technology by right minded people.
This debate is by no means resolved as evidenced by the letter to the US president published today.”
Mark Forrest, CEO befine Solutions AG
Read the original letter to President Barack Obama and how we recently commented on NSA-Director Michael Rogers thinking about creating ‘front doors’ to encrypted digital data on phones, in emails etc. for authorities.