SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

The Worst Data Breech

By Steve Jones,

I noticed this week that Australia passed a law that requires companies to hand over user information, even if encrypted. Quite a few articles that point out this might require backdoors to be created in communication systems to comply with the law. Companies are required to provide plain text user communication if they can, or build tools to allow this if they do not have the capability. The proponents of the bill argue this is necessary for criminal prosecution.

Perhaps they are right, but if this capability is required, this means that either companies will have backdoors built into their products that allow them to decrypt things you might have expected to remain encrypted. That's disconcerting to me, not because Apple, Google, or someone else might read my communications, but because no company has really proven they can protect all the data they store.

Can you imagine how many malicious actors might spent their efforts trying to find those backdoor encryption keys? What if there aren't backdoor keys, but companies decide to build some sort of key logger into software that copies data before it's encrypted. Can you imagine how problematic it might be to secure that data?

I'm also concerned because this would mean that there could be a few keys that can be used to get access to encrypted data, something like "master keys" in door locks. In this case, the loss of a key might mean problems for huge numbers of people. The other option would be lots of backdoor keys, potentially a different one for each customer/device, in which case we have a large data set that I'm sure will get leaked. At that time, how likely will it be that we'll be able to implement new keys for large numbers of people?

I sympathize with law enforcement. In some ways, their jobs are much harder. In others, however, I think they have many more tools, and the need to weaken encryption doesn't seem to be necessary. Many of us have a need to secure data, to protect it from unauthorized access. At a time when security is proving to be a challenge and record numbers of data breeches are occurring, do we really want tech companies to start building products with less security? I don't.

 
Total article views: 66 | Views in the last 30 days: 2
 
Related Articles
BLOG

Why Government Required Backdoors Are a Bad Idea

I've heard the argument, "I've got nothing to hide. If it helps them catch the next guy, I'm all for...

FORUM

SQL 2000 DB Encryption

How to encrypt the SQL Database without requiring any changes to applications

FORUM

Hosting Company

looking for a good hosting company

ARTICLE

Encrypt Everything

Yahoo recently announced they are encrypting their traffic between data centers. Steve Jones thinks ...

FORUM

SQL Server Encryption

Implementing encrypted database columns

Tags
database weekly    
editorial    
encryption    
 
Contribute