Business and Consumer Use of Encryption Are Different
In the ongoing discussion of how to define an encryption policy that balances citizens’ right to information privacy and the needs of law enforcement officials to investigate and prosecute crimes, it can be useful to clarify how the use of encryption by businesses differs from the use of encryption by individual consumers. Key points to understand include the following:
- The use of encryption by businesses and by individual citizens is fundamentally different
- The biggest difference is in the way in which cryptographic keys are managed
- The difference is due to the regulatory environment in which businesses operate
- Individual consumers typically do not want the same key management technology that businesses require
Encryption is a critical element of a cybersecurity architecture that will protect either businesses or consumers from cyber-attacks. The way that encryption is used to protect sensitive information is essentially the same in each of these cases, but the ways in which users’ keys are managed are typically very different. In particular, centrally managed key management is critical for the business use of encryption while consumers may have a very negative view of it.
Key management includes everything that is done with a cryptographic key except actually encrypting or decrypting data: generating keys, distributing keys, storing keys, rotating keys, destroying keys, and so on. And even though they are often described as relating to encryption, many of the policy issues related to the use of encryption actually concern key management rather than encryption itself.
Key management is so important to the business use of encryption that HPE likes to echo the sentiment of General Robert H. Barrow, the former Commandant of the Marine Corps: Barrow once noted that “Amateurs talk about tactics, but professionals study logistics” while HPE is fond of saying that “Amateurs talk about encryption, but professionals study key management.”
The use of encryption in the business world can cause regulatory and compliance issues if it is done carelessly because if you lose the key that was used to encrypt data then you also lose the data that was encrypted with it. Businesses are often required by law to maintain certain business records and to be able to produce these records when required to do so by regulators or court orders, so losing business information is something that they want to avoid.
Incidents that could require the recovery of keys might include the loss of a critical employee. If an organization’s CFO dies unexpectedly, for example, the organization will still need access to all of the business information that the CFO had. If the CFO used encryption to protect this information from cyber-criminals, that means recovering the key the CFO used, and the regulatory environment in which businesses operate requires that this be possible.
On the other hand, if an individual citizen wants to accept the risks associated with careless key management, like losing any sensitive data that they might have encrypted, there are no regulatory or compliance pressures to keep them from doing this. If an individual wants to accept the risk of losing the data on their personal laptop or phone because they lose a key used to encrypt the data on their device, that is certainly acceptable.
In fact, many consumers would not want the same robust key management technology that the business world relies on. The ability to recover keys is an essential feature of business software, but an individual consumer might interpret that same capability as providing a way for their privacy to be violated by either a rogue administrator of the key management system or by law enforcement officials.
The technology used to recover a key because the CFO is unavailable produces the same result as recovering a key because a law enforcement official orders it with a warrant. In both cases, someone who is not the original owner of the key is able to obtain a copy of the key and then use it to decrypt any information encrypted with it. But while the users of business encryption need this capability, most individual citizens do not. In fact, many of them do not want this capability to exist at all and might be very unwilling to use any commercial product that includes it.
The result is that the key management that supports the business use of encryption is typically very different from the key management that supports the consumer use of the technology. Key recovery is a necessary feature of business software, and it is very difficult to sell products that do not include it. But the same technology is likely to be seen as a very bad feature of consumer products, and it is probably close to impossible to sell consumer products that do include it unless the capability were required by law.
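To make the distinction concrete, here is an added example (not code from the article or from any HPE product) of the key-wrapping pattern behind key recovery: each record is encrypted under a fresh data key, and that data key is wrapped for the owner and, in business mode only, for a recovery key as well. The cipher is a stand-in built from HMAC-SHA256 in counter mode with encrypt-then-MAC so the block runs with the standard library; a deployment would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, "enc" || nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag, then decrypt. Returns None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def protect(data: bytes, owner_key: bytes, recovery_key: Optional[bytes] = None) -> dict:
    """Encrypt data under a fresh data-encryption key (DEK) and wrap the DEK for the owner.
    Business mode also wraps the DEK for a recovery key; consumer mode leaves that slot out."""
    dek = secrets.token_bytes(32)
    record = {"data": seal(dek, data), "owner": seal(owner_key, dek)}
    if recovery_key is not None:
        record["recovery"] = seal(recovery_key, dek)
    return record

def recover(record: dict, key: bytes, slot: str) -> Optional[bytes]:
    """Unwrap the DEK from the named slot ("owner" or "recovery") and decrypt the data.
    Returns None when the slot is absent (consumer mode) or the key does not match it."""
    if slot not in record:
        return None
    dek = unseal(key, record[slot])
    return None if dek is None else unseal(dek, record["data"])

# Constructed sample keys and records: one business record, one consumer record.
OWNER_KEY = secrets.token_bytes(32)
RECOVERY_KEY = secrets.token_bytes(32)
BUSINESS_RECORD = protect(b"Q3 ledger", OWNER_KEY, RECOVERY_KEY)
CONSUMER_RECORD = protect(b"private notes", OWNER_KEY)
```

If the owner key is lost, the business record is still readable through the recovery slot, while the consumer record is readable by no one; that single extra wrapped copy is the capability the article says businesses require and many consumers reject.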
Understanding this distinction may be useful when considering how to define an encryption policy that balances citizens’ right to information privacy and the needs of law enforcement officials to investigate and prosecute crimes.
About the Author
Luther Martin, HPE Distinguished Technologist, is a frequent contributor to blogs and articles. Recent articles include White-box Cryptography in the April ISSA journal, and Is the Need for Speed Real? and Fast, Secure NIST SP800-38G Format-Preserving Encryption – Clearing Misunderstandings and Myths on the Voltage.com blog.