Security's Everyman

Saturday, July 28, 2007

Legitimate Uses for Encryption

Robert over at the Errata Security Blog writes about a fear that he has. He read a post that made him start to worry more about the possibility of encryption being used against you. I think I agree with him. Our rights are being eroded almost every day. A new law is passed or a judge with an agenda makes a ruling that makes it illegal for the average person to do something that is completely harmless. Already in some countries rights have been taken away all in the name of "security". Handguns have been banned and made illegal, encryption keys are required to be given to law enforcement, etc...

Robert has a method that he suggests all of us use to do a couple of things. One will make it much harder for law enforcement to determine what is actually encrypted data and what is just random "junk". The other will make the daily use of encryption more acceptable and "normal". The purpose is to increase the use of encryption so that it is considered something that the normal person would do. Kind of along the lines of the "Reasonable Person" rule used in many legal cases.

I like the ideas, but the method is not for the faint of heart. Many IT and information security pros would have difficulty making sense of his plan unless they are very familiar with cryptography. So it is out of the question for the "average Joe". Not to mention many would have moral and religious issues with carrying around a DVD full of encrypted porn. :)

My suggestion is that we, the IT and Security community, need to do a couple of things. First, we need to make sure that we use encryption on all of our personal systems. It's a good idea from a privacy and security perspective, but even if you don't have anything to hide, use it just to increase the number of people using it for normal and legitimate reasons. Second, we need to encourage our friends and family to use it and teach them how. There are several free and low-cost options for encrypting our disks or data. Third, we need to create a plan to get the word out to the rest of the world. We also need to create some easy-to-understand guides that we can make available to anyone. They need to be done in such a way as to be usable by almost anyone without assistance from someone who understands encryption.

This is a big challenge, especially number 3, but I think we can do it. How is the question. I have posted this question to the forums over at the Security Catalysts Community also. So between them and us we can come up with a plan.

1 comment:

Beau Woods said...

Many USB drives now come with encryption software. Hopefully this will go a long way toward forcing this issue. Also, TrueCrypt has a feature that lets you set up the application on a jump drive. Maybe the EFF could do some kind of giveaway where you have to promise to use the standard encryption software or TC.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.