Encryption needs balance between privacy and transparency, Virginia tech leader says
Just_Super via Getty Images
By
Chris Teale
The recent “Signalgate” incident highlighted reliance on encrypted messaging apps and tools, even as state and local officials must be cautious to preserve the public’s right to see their communications.
Government use of encrypted messaging software has been in the news a lot recently, after former National Security Advisor Mike Waltz inadvertently added a reporter to a group chat on the Signal messing app.
The incident, known as “Signalgate,” saw Waltz accidentally add Jeffrey Goldberg, the editor-in-chief of The Atlantic, to a group chat between top administration officials discussing airstrikes against the Houthis in Yemen. Since then, officials at several federal agencies have reportedly discussed how to preserve chat records using encrypted messaging apps on work devices.
While federal agencies may be concerned about preserving encrypted messages from apps like Signal, Microsoft Teams or WhatsApp, it could also be an issue for state and local governments given how the apps’ use has proliferated. The COVID-19 pandemic and a shift towards remote work accelerated that trend, and gave tech leaders various headaches, including the need to balance encryption and transparency.
“We've gotten a lot more capabilities and tools that come with the infrastructure that we're all leveraging today,” said Mike Watson, chief information security officer at the Virginia Information Technologies Agency, during a Route Fifty webcast last week. “Whether it's any of the major email providers or whether it’s a lot of the data storage providers, even most of the cloud providers have encryption built into the way that they operate and provide us way more capabilities than we've ever had before to protect our information efficiently.”
Among the biggest challenges when navigating the world of encrypted messages and privacy is compliance with various laws, including the Freedom of Information Act. In addition, states must navigate myriad other laws around data protection, if Tom both their own and the federal government. That can cause a problem when encrypting communications, which may need to be decrypted in the future.
Watson said Virginia prefers to encrypt and then decrypt later, rather than accidentally expose data that they shouldn’t have.
“It's a lot easier to go backwards with encryption than it is to just say, ‘Oops, I should have protected that,’” he said. “We care a lot about our citizen data. We care a lot about our critical infrastructure information. We want to make sure that we don't make mistakes or at least prevent mistakes from happening wherever possible.”
Virginia has taken a simple approach when it comes to encryption, privacy and transparency, Watson said, which helps protect vital records.
“We try to put the encryption essentially as close to the data as possible,” he said. “We find that taking that approach allows us to make sure that, regardless of where that particular data record goes, we know that it's not going to be visible to anyone unless they have that authorized encryption key and the ability to open up that record and see what's inside.”
Other states, meanwhile, must be up on the laws and privacy requirements they are subject to and be sure how to interpret them to avoid any inconsistencies. It can be tricky translating that state to state, especially when it comes to the elements of personal data that either must be protected or are allowed to be left exposed.
“Some people are okay with the last four digits of their Social Security number being exposed,” Watson said. “Some people say it's the last five, some people say it's a combination of that last four and something from your name or address. Those definitions are very nuanced, and honestly, I don't know that anybody has a certain answer on any of them. Setting yourself up to be able to accommodate that within your framework is going to drive a better outcome for you.”
Things could get more complex in the future, especially with the advent of quantum computing, which Watson said is “way closer than it's been before.” Quantum could be used to protect governments from hacks and bolster cybersecurity, but it could also be used by bad actors to more quickly access vital information. While the technology is still a way off from being widely used, cyber experts must start thinking about how quantum will interact with existing encryption techniques.
“One of my professors long ago talked about the way that encryption works is very similar to the way that safes work,” Watson said. “The idea is not that you won't eventually be able to get into the safe, it's just going to protect the stuff long enough that you are either going to lose interest or it's not worth your time to get the data. The problem here is that quantum is making it so that the length of time to get the data is short. It goes from, it may take you months to get into a safe, to two hours to get into a safe. And that's where the concern is.”
At the bottom of everything, Watson said, is the need for governments to be transparent in their communications while making sure they maintain a level of privacy.
“We want to make sure that folks, when they want to understand how government is operating and where all the connection points and stuff are, they're able to do that without trying to figure out how to decrypt 1,000 messages to get information on the topic that they're looking for,” he said.