Junkang Xie

HONOR 3374-002 Privacy in a Digital Age

The Need for Strong Encryption

Introduction
We live in the age of digital ubiquity, where the world around us is tightly connected
through the Internet. Massive amounts of information are transmitted through the Internet and
our financial infrastructure, commerce, communications, business, and government is tightly
integrated with the it. While not all of the information that is being transferred is of the utmost
importance, a large amount of information is sensitive and requires it to be securely stored and
transferred so only the intended recipient can get access to the information. This way,
organizations can ensure that their information is safe and secure, people can affirm that their
messages are sent to the right person, and online business can be securely conducted.
In order to secure the information, encryption has to be used. Encryption can be thought
of as a digital lock for our files. Just like how we have physical locks to prevent intrusion upon
our privacy, digital locks do the same things for our computer files. Encryption scrambles up the
contents of files so that it can only be read by someone who has the right encryption key to
unscramble it.1 Just like a physical lock, encrypted files require an encryption key to encrypt/lock
(transformation into ciphertext) or decrypt/unlock (transformation into plaintext) the file. A
properly implemented encryption will ensure that the data, while encrypted, cannot be read or
deciphered if it has been intercepted or lost.2 This is what makes encryption so valuable, the
ability to ensure that the private data remains private. From government entities like the NSA or
Congress to smartphone owners, encryption is the golden standard for keeping our data safe.
Types of Encryption
1 Microsoft. "What Is Encryption? - Windows Help." Windows. N.p., n.d. Web. 24 Apr. 2016.
<http://windows.microsoft.com/en-us/windows/what-is-encryption#1TC=windows-7>.
2 Northwestern University. "Northwestern University Information Technology." Information Security Policy and
Standards: Data Encryption. N.p., Sept. 2014. Web. 24 Apr. 2016.
<http://www.it.northwestern.edu/policies/dataencryption.html>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

Modern encryption is similar in idea to the cryptographic techniques of the past, such as the
Enigma machine. The message is encrypted by one party and decrypted by another party with the
right key. The main difference is that modern encryption is based completely on mathematics,
instead of complicated sets of machinery of cogs and gears. This way, encryption is guaranteed
to produce data that is identical to random bits.3
There are two broad techniques for encryption: symmetric or private key encryption and
asymmetric or public key encryption. Both techniques have their own strengths and weaknesses
and a good security system likely utilizes both. Symmetric encryption is the oldest and the most
commonly known encryption technique.4 In symmetric encryption, both the sender and the
recipient need access to the same encryption key in order to encrypt and decrypt the data. The
important thing to symmetric encryption is ensuring the encryption key is being properly stored
and the key needs to be securely exchanged thus another layer of security is needed.5 An example
of symmetric encryption is DES or the Digital Encryption Standard, one of the oldest and more
insecure standards. DES uses 64 bits key but 8 bits of it are used for parity to verify the keys
integrity, effectively limiting the key size to 56 bits. While variants of DES are still being used
today, a modern computer can easily brute force the most basic version of DES by trying every
possible key combination.6 AES or the Advanced Encryption Standard has become the modern
de facto for symmetric encryption and has largely replaced DES. In AES, there are three key
sizes of 128, 192, and 256 bits. AES keys cannot be shrunken down like DES, therefore it is
3 Bmy2012, and Scyptnex. "ELI5: What Are the Most Common Types of Encryption, and Which Ones Have Likely
Been Compromised by the NSA?" Reddit. N.p., 2014. Web. 25 Apr. 2016.
<https://www.reddit.com/r/explainlikeimfive/comments/1luh1c/eli5_what_are_the_most_common_types_of_encryp
tion/>.
4 Microsoft. Description of Symmetric and Asymmetric Encryption. N.p., 26 Nov. 2007. Web. 25 Apr. 2016.
<https://support.microsoft.com/en-us/kb/246071>.
5 Behrens, Matt. "Understanding Encryption Symmetric, Asymmetric, & Hashing." Atomic Spin. N.p., 20 Nov.
2014. Web. 28 Apr. 2016. <https://spin.atomicobject.com/2014/11/20/encryption-symmetric-asymmetric-hashing/>.
6 "Introduction to Encryption with DES." CCM. N.p., June 2014. Web. 25 Apr. 2016. <http://ccm.net/contents/134introduction-to-encryption-with-des>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

much more reliable. The only successful attacks against AES has been exploiting the flaws in the
implementation or the management of keys.7
A downside to symmetric encryption is that if it is being used for passwords to protect
software, then the password is needed every time the software starts up. Since the security of
exchanging keys might be a problem, symmetric encryption is best used for encrypting
computers or device storage. Another common use of symmetric encryption is using a cloud
storage to store encrypted files where the key is left in the hands of the user.8
In asymmetric encryption, two keys instead of one is being used, a public key and a private key.
The public key is made freely available to a public directory and any user can send an encrypted
message to the intended recipient using their public key. When the message is received, it can
only be decrypted by a corresponding private key. Likewise, the private key can be used to send
out a message and the corresponding public key can be used to decrypt the data, therefore,
authenticating the user. The private key must be kept private similar to the key for symmetric
encryption, but this technique alleviates the problem to symmetric encryption where if the key
fell into the wrong hands during exchange, then the encryption is compromised. However,
asymmetric encryption is slower than symmetric encryption.9 The most recognized asymmetric
encryption method is the RSA or Rivest-Shamir-Adleman algorithm, named after the first
designers. The typical RSA key sizes are 1024, 2048, or 4096 bits, but can range anywhere
between 1024 and 4096 bits. The large key size is due to the complicated mathematics of
factoring the product of two random prime numbers (for example 7 and 29). It is easy to choose
two large prime numbers and get their product, but considered infeasible to get what the prime
7 Rouse, Margaret. "Advanced Encryption Standard (AES)." SearchSecurity. N.p., Nov. 2014. Web. 25 Apr. 2016.
<http://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard>.
8 Behrens, Matt. "Understanding Encryption Symmetric, Asymmetric, & Hashing." Atomic Spin. N.p., 20 Nov.
2014. Web. 28 Apr. 2016. <https://spin.atomicobject.com/2014/11/20/encryption-symmetric-asymmetric-hashing/>.
9 Ibid

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

numbers are based on the product. However, experts believe that the basic 1024 bits key size
may be broken in the near future so 2048 bits key sizes and above are preferred by government
and industry. Itll be a long time before RSA encryption can be broken with traditional
techniques, but if there were significant advancements in quantum computing, the time may be
cut much shorter. Nevertheless, security experts are already promting another technique, ECC or
Elliptic Curve Cryptography, as a better alternative to RSA for asymmetric encryption. ECC uses
further more complicated math involving calculations using an elliptic curve, but results in a
smaller sized key but harder to crack than RSA.10 In principle, ECC is similar to the RSA
calculations where the forward calculations are relatively easy, but difficult to reverse.11
Asymmetric encryption is most commonly used to secure electronic communication over
an open network like the Internet. Protocols like SSH also uses it to securely logon to remote
servers as well as authorize users without passwords. It is also being used for TLS/SSL to secure
connections between the browser and the website. If there is a padlock icon found usually on the
URL bar of a web browser, then the connection should be secure. However, this brings up a
weakness of asymmetric encryption. While TLS/SSL establishes a chain of trust between the
browser and the website, this chain can be compromised with man-in-the-middle attacks where
an attacker is able to eavesdrop on the contents of the conversation.12
The Current State of Encryption
Organization encryption

10 Rouse, Margaret. "RSA Algorithm (Rivest-Shamir-Adleman)." SearchSecurity. N.p., Nov. 2014. Web. 26 Apr.
2016. <http://searchsecurity.techtarget.com/definition/RSA>.
11 Rouse, Margaret. "Elliptical Curve Cryptography (ECC)." SearchSecurity. N.p., Sept. 2005. Web. 26 Apr. 2016.
<http://searchsecurity.techtarget.com/definition/elliptical-curve-cryptography>.
12 Behrens, Matt. "Understanding Encryption Symmetric, Asymmetric, & Hashing." Atomic Spin. N.p., 20 Nov.
2014. Web. 28 Apr. 2016. <https://spin.atomicobject.com/2014/11/20/encryption-symmetric-asymmetric-hashing/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

In a paper published by SafeNet/Gemalto, a company exclusively focused on the

protection of high-value information assets, it summarized the current state of encryption for
organizations across Europe and the Middle East. They found that the use encryption in
organizations has continued to increase in the recent years as the organizations accumulate more
data and move their data across the Internet but also to keep pace with the increasing scope of
threat. 31.4% of the organizations said that their top reason was to comply with standards such as
the EU Data Protection and the Payment Card Industry Data Security Standard. 28.8% of the
organizations said their top reason was to protect their intellectual property. In the digital age
where much of the information we generate ends up on some form of digital storage, it is vitally
important to ensure that the digital information is secured. 25.8% said that their top reason was to
protect transactions such as doing electronic banking, online business, or filling our government
forms. The final 11.3% said that it was to ensure data is safe when moving to an external IT
infrastructure such as cloud storage or outsourcing to a different organization.13
While the paper found the implementation of encryption was adequate, the management
of encryption keys were lacking. Since encryption keys are vitally important considering that it
can be used to decrypt the data while encrypted, if the keys are lost, then any of the security
benefits of encryption are negated. They found that 16% of respondents didnt know how many
keys their organizations managed, and 21% manage more than 100 keys. Organizations expect
that encryption to be the catchall solution to maintaining security but many dont realize that
poor and inadequate management of keys might leave the organizations vulnerable and lull into a
false sense of security.14

13 SafeNet. "The Current State of Encryption and Key Management." Gemalto. N.p., 2011. Web. 26 Apr. 2016.
<http://www2.gemalto.com/email/2012/dp/pdf/TheCurrentStateofEncryptionandKeyManagement_WP(EN)A4_v4_
web.pdf>.
14 Ibid.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

Personal encryption
Many of us own computers and smartphones and contain a lot of sensitive information about our
finances, personal history, family, and other private matters. Luckily, most modern technologies
come with the required tools to help us encrypt the information on our personal devices. Many
computers have built-in encryption program that can secure the files on the storage drive as well
as the storage drive itself. Microsoft Windows have the function built in via the BitLocker
program15 and Apple OS X has the function built in via FileVault 2.16 Third party software
solutions such as VeraCrypt, AxCrypt, and GNU Privacy Guard are also available to consumers
if they require more options and better granular control offered by these programs.17
On our smartphones and tablets, Apple iOS devices running iOS 8 and later are automatically
encrypted. The encryption key is tied to the users device and its password so not even Apple has
no access to it.18 For Google Nexus devices running Android 5.0 or later, the device is
automatically encrypted upon first use and some devices also have the option to require a
password or a PIN to startup the device.19

Encryption in the Real World

In December 2013, Target revealed that hackers have infiltrated their payment terminals at the
checkout counters. When a customers debit card was used, Targets payment terminals sent the
15 Microsoft. "Encrypt or Decrypt a Folder or File - Windows Help." Microsoft. N.p., n.d. Web. 26 Apr. 2016.
<http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7>.
16 Apple. "Use FileVault to Encrypt the Startup Disk on Your Mac." Apple Support. N.p., 7 Apr. 2016. Web. 27
Apr. 2016. <https://support.apple.com/en-us/HT204837>.
17 Henry, Alan. "Five Best File Encryption Tools." Lifehacker. N.p., 8 Feb. 2015. Web. 26 Apr. 2016.
<http://lifehacker.com/five-best-file-encryption-tools-5677725>.
18 Apple. "Privacy - Government Information Requests - Apple." Apple. N.p., n.d. Web. 26 Apr. 2016.
<http://www.apple.com/privacy/government-information-requests/>.
19 Google. "Encrypt Your Data." Nexus Help. N.p., n.d. Web. 26 Apr. 2016.
<https://support.google.com/nexus/answer/2844831?hl=en>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

PIN to Targets servers as well as the hackers servers. However, the PIN was encrypted at the
payment terminal and remains encrypted in Targets servers where it is then sent to the debit card
processor to be decrypted so Target did not have the encryption key within their servers.20 This
hack demonstrated the usefulness of encryption of sensitive data. Encryption is simple, yet it
provides a high value by preventing the data from being exposed to unauthorized parties. Since
the encryption key was not with Target but with the debit card processor, the encrypted PIN is
worthless without the key. Similar to how we should never write the passwords to our accounts
on a file pad next to the computers, keeping the encryption key separated from the encrypted
data is good practice.21 While the customers PIN were encrypted, 70 million customers
identifiable information such as name and address were also leaked along side the card
information, but in this case, that information was not encrypted. Target has come under scrutiny
from security experts for not encrypting the customers identifiable information, making the
customers more prone to identity fraud.
In cases of storing passwords, encryption may not be the best option for protecting it. In mid2014, details about about a breach in eBays servers emerged where hackers were able to obtain
the login information as well as other identifiable information of 145 million customers. In a
press release announced by eBay, they assured that the database [] included eBay customers
name, encrypted password, email address, physical address, phone number, and date of birth.22
While encryption have become a buzzword to the common people to mean something is secure
and would take a long time crack the information, security experts noted that encryption was not
20 Yang, Jia Lynn. "Target Says up to 70 Million More Customers Were Hit by December Data Breach."
Washington Post. The Washington Post, 10 Jan. 2014. Web. 27 Apr. 2016.
<https://www.washingtonpost.com/business/economy/target-says-70-million-customers-were-hit-by-dec-databreach-more-than-first-reported/2014/01/10/0ada1026-79fe-11e3-8963-b4b654bcc9b2_story.html>.
21 Robinson, Rick. "Three Lessons from the Target Hack of Encrypted PIN Data." Security Intelligence. N.p.,
2014. Web. 27 Apr. 2016. <https://securityintelligence.com/target-hack-encrypted-pin-data-three-lessons/>.
22 EBay Inc. Staff. "EBay Inc. To Ask EBay Users To Change Passwords." EBay Inc News. N.p., 21 May 2014.
Web. 27 Apr. 2016. <https://www.ebayinc.com/stories/news/ebay-inc-ask-ebay-users-change-passwords/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

enough if this was for passwords if thats indeed what eBay did. They noted that while
encryption can be reversed, salted hashing, which is what password should be protected by, cant
be reversed.23
Hashing is technically not an encryption method but it does involve cryptography. For
hashing, the same data will produce the same hash, no two different sets of data will have the
same hash value, and it is theoretically impossible to reverse the hash. For example, if the
password to an account is privacy, it can be stored in a raw file. But this is insecure, thus a
SHA1 hash can be applied which would result in a string like this:
privacy 96ed5c5789b174a01557791c8e936673ae4d973f
Using the SHA1 hash, the password can be authenticated without being stored. While in theory,
it is impossible to reverse a SHA1 hash, a simple Google search on the exact string yielded the
plaintext. In a password database leak, multiple users might have the same password, which will
have the same SHA1 hash. If one of these users have a transparent password hint like try
privacy then well know the other users passwords as well since the same data produces the
same hash. Thus before hashing a password, we add a little bit of salt, or a piece of random data
to the password so the hash generated will be unique for very different instances of privacy
being used as the password. Adding a random string of 1randydryer2 in front of the
password privacy will result in a SHA1 hash of:
1randydryer2privacy bd19f9bad937b6e22e54fe18c0f4d5ed8e2d96ad

23 Mimoso, Michael. "EBay Hack Raises Password Encryption Questions." Threatpost The First Stop for
Security News. N.p., 22 May 2014. Web. 27 Apr. 2016. <https://threatpost.com/ebay-hack-raises-passwordencryption-questions/106258/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

Googling the string above returns no results. A different random salt is used for every password
so those who have privacy as their password will have different hashes. Using these salted
hashes, the password can be authenticated without it ever being stored.24
In the case of eBay, they later clarified that the passwords were protected via proprietary
hashing and salting technology. However, this did not apply to Adobes blunder when 150
million customers records were hacked. In that instance, Adobe confirmed that the password
was indeed only encrypted and not salted and hashed and received a lot of backlash from the
media and security experts.25

Rising Attention on Encryption

Apple v. FBI
After the terrorist attack in San Bernardino by Syed Farook and his wife in December 2015, the
FBI announced that they were unable to unlock Farooks employer-issued iPhone 5C running
iOS 9 due to its security features in February 2016. The FBI believes that there may be valuable
information on the encrypted iPhone 5C relevant to the investigation that could help them with
the investigation, but the information was stored on a PIN protected phone. While the 4 digits
PIN of the iPhone 5C would only have 104 or 10000 possible combinations, which would be
trivial to crack by brute force, the FBI feared that the phone might have the auto-erase feature
enabled where it would automatically erase all its contents after 10 unsuccessful PIN trials. As a
result, the FBI asked Apple to design a special version of iOS to allow the FBI to brute force the
password without being locked out and have the contents of the phone erased. Apple declined to
24 Tsyras, and Tylerl. "Why Are Salted Hashes More Secure for Password Storage?" StackExchange. N.p., 21 Feb.
2014. Web. 28 Apr. 2016. <http://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-securefor-password-storage>.
25 Duckling, Paul. "Anatomy of a Password Disaster Adobes Giant-sized Cryptographic Blunder." Naked
Security. N.p., 04 Nov. 2013. Web. 27 Apr. 2016. <https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-apassword-disaster-adobes-giant-sized-cryptographic-blunder/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

10

create such software and the FBI had an US magistrate court judge issue an order to compel
Apple to create such tool. Apples CEO, Tim Cook, issued A Message to Our Customers on
February 16, 2016 explaining Apples position on refusing the order to compel. Cook
acknowledges that Apple has the technology to create such software but refuses to do so on the
grounds that it would compromise the security of millions of iOS users around the world. Cook
pointed out that the government suggests this tool could only be used once, on one phone is
not true. By having a backdoor for just one phone ignores both the basics of digital security and
the significance of what the government is demanding argued Cook. If the encryption key is
revealed, then the encryption can be defeated by anyone with that knowledge. Cook also raised
concerns that if Apple unlocked the iPhone, the case might set a dangerous precedent that
allows future violations to undermine the very freedoms and liberty our government is meant to
protect.26
Despite Apples refusal to create a custom version of iOS to allow the FBI to unlock the phone,
reports have come out in March 2016 that an Israeli company, Cellebrite, has been able to unlock
the iPhone for the FBI. Later reports said that it was not Cellebrite but professional hackers. It
doesnt matter who unlocked it, the fact remains that the FBI had a way to unlock the iPhone yet
they still insisted on Apple building a backdoor into iOS. It makes us wonder whether the FBI
was truly trying to set a precedent as Apple is suggesting.

WhatsApp
On April 5, 2016, the most popular messaging platform, WhatsApp, announced that they
were implementing end-to-end encryption in their services. The timing is notable given the
26 Cook, Tim. "Customer Letter - Apple." Apple. N.p., 16 Feb. 2016. Web. 27 Apr. 2016.
<http://www.apple.com/customer-letter/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

11

events surrounding Apple and FBI. End-to-end encryption on the app ensures that WhatsApp
cannot decrypt a message in transit even if they wanted to. As the largest messaging platform in
the world, coming out in support of encryption has made them a target of governments
worldwide but also received strong approval from not only security experts but regular users as
well. Other apps have also followed suit after WhatsApps decision to support end-to-end
encryption such as Viber.27

Ransomware
Not all recent attention on encryption has been for the good. Recent cases have highlighted a
negative use of encryption by targeting organizations like hospitals and law firms with
ransomware. Just like the name suggests, ransomware is used to extort money from victims
through social engineering and outright intimidation. It is distributed similar to other kinds of
malware like through fake email attachments, spam campaigns, and impersonating as a
trustworthy entity to try to make the victims click on a link that would download the
ransomware. Once downloaded, the ransomware encrypts a wide variety of file types including
photos, videos, documents, and other information that users might deem valuable. The file is
encrypted by AES 256 bits encryption and the encryption key to decrypt the files also encrypted
using a public key. Without the private key, the AES encryption key is impossible to obtain. To
obtain the AES encryption key, a ransom payment via bitcoin has to be paid if the victim wants
to recover the files. Using bitcoins, the payment is harder to track and the identity of the hackers
are concealed.28
27 Ducklingg, Paul. "WhatsApp Encrypts Messages End-to-end: Why You Should Care." Naked Security. N.p., 6
Apr. 2016. Web. 28 Apr. 2016. <https://nakedsecurity.sophos.com/2016/04/06/whatsapp-encrypts-messages-end-toend-why-you-should-care/>.
28 Editor. "The Current State of Ransomware: CryptoWall." Sophos Blog. N.p., 17 Dec. 2015. Web. 28 Apr. 2016.
<https://blogs.sophos.com/2015/12/17/the-current-state-of-ransomware-cryptowall/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

12

While ransomware first appeared in 2013 targeting home users, hackers have progressed to
targeting hospitals, healthcare providers, and law firms where the data is highly important. In
February 2016, Hollywood Presbyterian Medical Center had to pay $17000 in order to get its
files back. The president of the medical center said that in the interest of restoring normal
operations the ransom was paid. Similar affected organizations have also chosen the path of
least resistance and paid the ransom payment to obtain the encryption key in order to decrypt
their files.29

Arguments Against Encryption

Many opponents of encryption have raised the argument of in order for the government to
effectively combat terrorism and for law enforcements needs to fight crime, encryption makes
this process much more difficult. On April 13, 2016, Senator Richard Burr and Dianne Feinstein
officially released their draft of encryption bill titled Compliance with Court Orders Act of
2016. The bill establishes that no one is above the law so when ordered to do so by the court,
the recipients must comply with the rule of law. When a recipient is asked to comply, they
must provide the technically assistance necessary to render such information or data in an
intelligible format if the information or data has been made unintelligible by a feature, product,
or service owned, controlled, created, or provided by the covered entity or by a third party behalf
of the covered entity. In the context of encryption, which is highly likely seeing how this was
released shortly after the Apple v. FBI encryption debate, the bill would require tech companies
to decrypt their customers data when ordered to do so. The draft encryption bill would require
any person who provides a product or method to facilitate a communication or to process or
29 "Hollywood Hospital Pays $17,000 to Ransomware Hackers." Digital Trends. N.p., 17 Feb. 2016. Web. 28 Apr.
2016. <http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

13

store data to engineering backdoor into their services which would compromise their integrity
and security.30 The bill has been met with a lot of backlash from the media, security experts, and
even other members of Congress. Senator Ron Wyden has come out saying that [he] will do
everything in [his] power to block Burr-Feinstein anti-encryption bill including filibustering it.31
In an opinion piece published by Senator Burr and Feinstein on April 27, 2016 in The Wall Street
Journal titled Encryption Without Tears, the Senators defended their bill arguing that it is
possible for companies to keep data safe while providing a way for law enforcement to legally
access the data. They cited the examples of encryption barring FBI investigation of the ISIS
attack on Garland, Texas last year as well as an encrypted phone having information relevant to a
murder case. However, the opinion piece and the draft bill contains language that directly
contradict one another. While the bill says all provider of communications services and products
(including software) should protect the privacy of United States persons through implementation
of data security and the Senators claim that they want to preserve this, but at the same time
complying with court orders to bypass security by designing a backdoor. This kind of
doublespeak from the Senators tries to argue that the two mutually exclusive priorities can
coincide with on another, security and privacy. The especially worrying part of the piece is all
we are doing is asking companies to find a way to keep their data secure while also cooperating
with law enforcement in terrorism and criminal investigations.32

30 "United States Senator Dianne Feinstein." Intelligence Committee Leaders Release Discussion Draft of
Encryption Bill. N.p., 13 Apr. 2016. Web. 28 Apr. 2016.
<http://www.feinstein.senate.gov/public/index.cfm/2016/4/intelligence-committee-leaders-release-discussion-draftof-encryption-legislation>.
31 Conger, Kate. "Burr-Feinstein Encryption Bill Is Officially Here in All Its Scary glory." TechCrunch. N.p., 13
Apr. 2016. Web. 28 Apr. 2016. <http://techcrunch.com/2016/04/13/burr-feinstein-encryption-bill-is-officially-herein-all-its-scary-glory/>.
32 Feinstein, Dianne, and Richard Burr. "Encryption Without Tears." WSJ. N.p., 27 Apr. 2016. Web. 28 Apr. 2016.
<http://www.wsj.com/articles/encryption-without-tears-1461798028>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

14

While the war on terrorism and the need to combat crime is highly important, the price of giving
the government the ability to tap into all forms of electronic communication and devices as well
as having a legally binding method to do so, then its not worth it. The FBI argues that criminals
are using encrypted resources and going dark to prevent being tracked. While this is certain
true to an extent, a Harvard study found that encryption will poses challenges in some instances
but it doesnt represent the current state and trajectory of technological development which
points to a future abundant in unencrypted data. The study noted that there are and will
always be pockets of dimness and some dark spots communication channels resistant to
surveillance but this does not mean we are completely going dark.33 Detailed by the New
York Times, the Paris attackers used only new phones that they would then discard to evade
detection. The case for undermining encryption to tackle terrorism is weakened by the use of
burner phones.34
Some people have made the argument that they dont care about intrusion upon their privacy
because they have nothing to hide and they are a law abiding citizen. If you are trying to hide
something, then you are up to no good. This kind of thinking is fundamentally flawed because
we always have something to hide. We have locks on our home doors and blinds for our
windows to prevent strangers from coming into our spaces. When people say I have nothing to
hide, more often than not, they meant I have nothing illegal to hide. Someones sex dungeon
might be legal to have but they dont want someone to know that information to gain leverage
against you. Even if you have nothing illegal to hide, there are also plenty of legal things that
people want to hide such as your garage code, where you keep your valuables in your house, and
33 Olsen, Matt, Bruce Schneier, and Jonathan Zittrain. "Don't Panic. Making Progress on the "Going Dark"
Debate." Berkman Center. N.p., 1 Feb. 2016. Web. 28 Apr. 2016. <https://cyber.law.harvard.edu/pubrelease/dontpanic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf>.
34 Callimachi, Rukmini, Alissa J. Rubin, and Laure Fourquet. "A View of ISISs Evolution in New Details of Paris
Attacks." The New York Times. The New York Times, 19 Mar. 2016. Web. 28 Apr. 2016.
<http://www.nytimes.com/2016/03/20/world/europe/a-view-of-isiss-evolution-in-new-details-of-paris-attacks.html>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

15

voting preference. Even if the government as a whole has no incentive to abuse such
information, that cant be said for individual government employees or contractors.

My Thoughts
When I was researching this topic, I kept on thinking about the physical lock versus
digital lock metaphor. Both the physical and the digital lock help us keep people away from
things we wish to keep private. While the physical locks in our lives keep the burglars out of our
homes, they arent always very effective. There are hundreds of tutorials online showing
someone how to pick a lock and there are lock picking sets that can be purchased on Amazon.
The only thing that keeps burglars away is that they have to canvas a house and carefully choose
their targets and have a limited time to strike. In the case of digital locks, the degree of separation
doesnt exist. If some piece of valuable information exists in the digital world, then someone
from across the ocean can be targeting it. Brute force methods and dictionary attacks are getting
better and better with the advancement of computing power with the capability to run more
operations per second. However, modern encryption, the best form of digital locks, would be
able to prevent hackers from infiltrating it since brute forcing the way through encryption would
take an obscenely long time. Using the smallest AES key size, 128 bits, there would be 2128
possible keys for a computer to test out. It would take a conventional computer approximately
785 million times the age of the universe (13.75 billion years) to test all the possible keys if 1
trillion keys were tested per second. While quantum computers at the same operation rate (still a
long way from that kind of operation rate) would break AES 128 bits encryption in about 6

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age

16

months, breaking AES 256 bits encryption on a quantum computer would take about as much
time a conventional computer to break AES 128 bits encryption.35
Since there is no natural weakness to a digital lock unlike a physical lock, the government is
trying to legislate legal weaknesses into the digital lock. Physical locks already have legal
weaknesses through things like a search warrant, but when the files are stored digitally, there is
no way to get to them
So many of us have a powerful miniature computer right in our pockets, with us
everywhere we go. It knows and interprets more information about ourselves than we could ever
imagine. It knows where we had lunch 5 weeks ago (messages/GPS information), who we had
lunch with (messages), where we went on vacation (pictures/GPS information), our health
records (Apple Health Kid/Google Fit), or even control things in our homes (Nest
Thermostat/Phillips Hue Lightbulb). These kind of information is kept secure because of
encryption.
The Burr-Feinstein anti-encryption bill shows how the people who legislate the laws can
be technologically illiterate regarding the thing they are legislating on. Modern encryption is
based on lots of fancy math, something that a skilled coder can do at home. Even if this bill gets
passed, terrorists would still be able to implement their own encryption from plenty of open
source encryption methods made available online or use foreign made encryption products and
bypass the law. Without strong encryption, our entire e-commerce platform would collapse,
foreign corporations and governments would be able to steal US secrets, and set back the United
States long ways. Forcing corporations like Apple and WhatsApp to fundamentally change the
way that they protect the customers privacy in order to comply with the court is not in the best
35 Wood, Larmont. "The Clock Is Ticking for Encryption." Computerworld. N.p., 21 Mar. 2011. Web. 28 Apr.
2016. <http://www.computerworld.com/article/2550008/security0/the-clock-is-ticking-for-encryption.html>.

Junkang Xie
HONOR 3374-002 Privacy in a Digital Age
interest of the American people. Our privacy is paramount in the digital age, even if most of us
dont give a damn about it. Encryption doesnt discriminate against who it protects, it protects
everyone, even those that arent in favor of it and thats the way it should be. The need to have
strong encryption is the only viable option and it should not be weakened for any purposes.

17