Bob Sullivan

It’s natural to look for a scapegoat after something terrible happens, like this: If only we could read encrypted communications, perhaps the Paris terrorist attacks could have been stopped.  It’s natural, but it’s wrong.  Read every story you see about Paris carefully and look for evidence that encryption played a role.

There’s a reason The Patriot Act was passed only a few weeks after 9-11, and it wasn’t because Congress was finally able to act quickly and efficiently on something.  The speed came because many elements of the Patriot Act had already been written, and forces with an agenda were sitting in wait for a disaster so they could push that agenda.  That is wrong.

So here we are now, once again faced with political opportunism after an unthinkable human tragedy, and we must remain strong in the face of it.  There is no simple answer to terrorism, and we should all know this by now.  And so there must be no simple discussion about the use of encryption in the Western world.  The debate requires a bit of thoughtful analysis, and we owe it to everyone who ever died for a free society to have this debate thoughtfully.

The basics are this: Only recently, computing power has become inexpensive enough that ordinary citizens can scramble messages so effectively that even governments with near-infinite resources cannot crack them. Such secret-keeping powers scare government officials, and for good reason.  They can, theoretically, allow criminals and terrorists to communicate with a cloak of invisibility.  Not surprisingly, several government officials have called for a method that would allow law enforcement to crack these codes.  There are many schemes for this, but they all boil down to something akin to creating a master key that would be generated by encryption-making firms and given to government officials, who would use the key only after a judge granted permission.  This is sometimes referred to as creating “backdoors” for law enforcement.

Governments can already listen in on telephone conversations after obtaining the proper court order.  What’s the difference with a master encryption key?

Sadly, it’s not so simple.

For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.

There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.

Meanwhile, creation of backdoors would make us all less safe.  Would you trust governments to store and protect such a master key?  Managing defense of such a universal secret-killer is the stuff of movie plots.  No, the master key would most likely get out, or the backdoor would be hacked.  That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind out backs.

In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.

Is there some creative technological solution that might help law enforcement find terrorists without destroying the entire concept of encryption? Perhaps, and I’d be all ears. I haven’t heard it yet.

Only a few weeks after 9-11, a software engineer who told me he was working for the FBI contacted me and told me he was helping create a piece of software called Magic Lantern.  It was a type of computer virus, a Trojan horse keylogger, that could be remotely installed on a target’s computer and steal passphrases used to open up encrypted documents.  The programmer was uncomfortable with the work and wanted to expose it. I wrote the story for msnbc.com, and after denying the existence of Magic Lantern for a while, the FBI ultimately conceded using this strategy.  While we could debate the merits of Magic Lantern, at least it constituted a targeted investigation — something far, far removed from rendering all encryption ineffective.

For a far more detailed examination of these issues, you should read Kim Zetter at Wired, as I always do. Then make up your own mind.

Don’t let a politician or a law enforcement official with an agenda make it for you. Most of all, don’t allow someone who capitalizes on tragedy a mere hours after the first blood is spilled — an act so crass it disqualifies any argument such a person makes — to influence your thinking.

Bob Sullivan

It’s natural to look for a scapegoat after something terrible happens, like this: If only we could read encrypted communications, perhaps the Paris terrorist attacks could have been stopped.  It’s natural, but it’s wrong.  Read every story you see about Paris carefully and look for evidence that encryption played a role.

There’s a reason The Patriot Act was passed only a few weeks after 9-11, and it wasn’t because Congress was finally able to act quickly and efficiently on something.  The speed came because many elements of the Patriot Act had already been written, and forces with an agenda were sitting in wait for a disaster so they could push that agenda.  That is wrong.

So here we are now, once again faced with political opportunism after an unthinkable human tragedy, and we must remain strong in the face of it.  There is no simple answer to terrorism, and we should all know this by now.  And so there must be no simple discussion about the use of encryption in the Western world.  The debate requires a bit of thoughtful analysis, and we owe it to everyone who ever died for a free society to have this debate thoughtfully.

The basics are this: Only recently, computing power has become inexpensive enough that ordinary citizens can scramble messages so effectively that even governments with near-infinite resources cannot crack them. Such secret-keeping powers scare government officials, and for good reason.  They can, theoretically, allow criminals and terrorists to communicate with a cloak of invisibility.  Not surprisingly, several government officials have called for a method that would allow law enforcement to crack these codes.  There are many schemes for this, but they all boil down to something akin to creating a master key that would be generated by encryption-making firms and given to government officials, who would use the key only after a judge granted permission.  This is sometimes referred to as creating “backdoors” for law enforcement.

Governments can already listen in on telephone conversations after obtaining the proper court order.  What’s the difference with a master encryption key?

Sadly, it’s not so simple.

For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.

There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.

Meanwhile, creation of backdoors would make us all less safe.  Would you trust governments to store and protect such a master key?  Managing defense of such a universal secret-killer is the stuff of movie plots.  No, the master key would most likely get out, or the backdoor would be hacked.  That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind out backs.

In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.

Is there some creative technological solution that might help law enforcement find terrorists without destroying the entire concept of encryption? Perhaps, and I’d be all ears. I haven’t heard it yet.

Only a few weeks after 9-11, a software engineer who told me he was working for the FBI contacted me and told me he was helping create a piece of software called Magic Lantern.  It was a type of computer virus, a Trojan horse keylogger, that could be remotely installed on a target’s computer and steal passphrases used to open up encrypted documents.  The programmer was uncomfortable with the work and wanted to expose it. I wrote the story for msnbc.com, and after denying the existence of Magic Lantern for a while, the FBI ultimately conceded using this strategy.  While we could debate the merits of Magic Lantern, at least it constituted a targeted investigation — something far, far removed from rendering all encryption ineffective.

For a far more detailed examination of these issues, you should read Kim Zetter at Wired, as I always do. Then make up your own mind.

Don’t let a politician or a law enforcement official with an agenda make it for you. Most of all, don’t allow someone who capitalizes on tragedy a mere hours after the first blood is spilled — an act so crass it disqualifies any argument such a person makes — to influence your thinking.

Larry Ponemon

User growth has become a key indicator of a company’s financial growth and sustainability. Even a company’s revenues can take a back seat to its user base as a metric that predicts future success. While it may have taken the telephone 70 years to reach 50 million users, in today’s fast-paced world companies can reach that same number in a matter of months.

As the user-base becomes a new form of currency, driving valuations of companies around the world higher and faster than ever before, it is becoming increasingly important to protect the integrity of these users. Information about who users are, what they do and how they do it is incredibly valuable. If not adequately protected this information can be (and is being) exploited.

The purpose of this report is to understand the scope of registration fraud, and how this epidemic is impacting companies and their users. It offers a glimpse into how companies verify and protect their users, and the damage that can be done when fraudulent users and fake accounts are allowed to exist within a user base.

Thanks to a sponsorship from Telesign, We surveyed 584 U.S. and 414 UK individuals who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. Eighty-nine percent of these respondents say their organization considers its user base a critical asset with an average value of $117 million.

However, account fraud is becoming more prevalent because most organizations have a difficult time ensuring bona fide users and not bad actors are authenticated during the registration process. Only 36 percent believe they are able to avoid fraudulent registrations. Moreover, once fake users are registered, they spam legitimate users and often create more fraudulent accounts. Fake users also steal confidential information as well as engage in phishing, social engineering and account takeover.

The findings reveal why companies are vulnerable to the threats of fake users:

• The authentication process is difficult to manage, according to 69 percent of respondents, allowing fake users to infiltrate the user base.

• Fifty-eight percent of respondents say user convenience is most important to their fraud prevention strategy and 42 percent of respondents say ease of use is critical. Only 21 percent say security is important.

• The majority of respondents (54 percent) say a phone number is enough to stop fraudulent registrations and protect account access.

• Companies seem to be unwilling to crack down on fraudulent registrations. Forty-three percent of respondents say their company doesn’t worry about the registration of fake accounts to avoid friction in the registration process. Most companies do not have a formal method for determining whether a potential user is real.

• Only 39 percent of respondents say their company is vigilant in determining that each user account belongs to a real person.

• Only 25 percent of respondents believe the traditional username and password(s) is a reasonably secure authentication method for their users. However, 94 percent of respondents say they use passwords or PINs and 79 percent use email addresses to create an account(s).

To read the rest of the report findings, please download the PDF from Telesign.com

Larry Ponemon

User growth has become a key indicator of a company’s financial growth and sustainability. Even a company’s revenues can take a back seat to its user base as a metric that predicts future success. While it may have taken the telephone 70 years to reach 50 million users, in today’s fast-paced world companies can reach that same number in a matter of months.

As the user-base becomes a new form of currency, driving valuations of companies around the world higher and faster than ever before, it is becoming increasingly important to protect the integrity of these users. Information about who users are, what they do and how they do it is incredibly valuable. If not adequately protected this information can be (and is being) exploited.

The purpose of this report is to understand the scope of registration fraud, and how this epidemic is impacting companies and their users. It offers a glimpse into how companies verify and protect their users, and the damage that can be done when fraudulent users and fake accounts are allowed to exist within a user base.

Thanks to a sponsorship from Telesign, We surveyed 584 U.S. and 414 UK individuals who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. Eighty-nine percent of these respondents say their organization considers its user base a critical asset with an average value of $117 million.

However, account fraud is becoming more prevalent because most organizations have a difficult time ensuring bona fide users and not bad actors are authenticated during the registration process. Only 36 percent believe they are able to avoid fraudulent registrations. Moreover, once fake users are registered, they spam legitimate users and often create more fraudulent accounts. Fake users also steal confidential information as well as engage in phishing, social engineering and account takeover.

The findings reveal why companies are vulnerable to the threats of fake users:

• The authentication process is difficult to manage, according to 69 percent of respondents, allowing fake users to infiltrate the user base.

• Fifty-eight percent of respondents say user convenience is most important to their fraud prevention strategy and 42 percent of respondents say ease of use is critical. Only 21 percent say security is important.

• The majority of respondents (54 percent) say a phone number is enough to stop fraudulent registrations and protect account access.

• Companies seem to be unwilling to crack down on fraudulent registrations. Forty-three percent of respondents say their company doesn’t worry about the registration of fake accounts to avoid friction in the registration process. Most companies do not have a formal method for determining whether a potential user is real.

• Only 39 percent of respondents say their company is vigilant in determining that each user account belongs to a real person.

• Only 25 percent of respondents believe the traditional username and password(s) is a reasonably secure authentication method for their users. However, 94 percent of respondents say they use passwords or PINs and 79 percent use email addresses to create an account(s).

To read the rest of the report findings, please download the PDF from Telesign.com