aoakley.com

A Little Rant About Encryption

Excuse me while I have a little rant about encryption.

There's been a campaign since 2010 called HTTPS Everywhere[1], which has really taken off in the last year, encouraging all websites to use encrypted connections. I'd like to call this out as unnecessary bunkum.

Encryption is great and there are many specific, really good reasons why you might need to use it. Financial transactions are probably top of the list. Connecting to your employers' network, another good reason. Dealing with government agencies about really sensitive stuff such as passports or child work background checks, more good reasons. Any organisation that sends personal data in bulk between distant servers, good call.

Then we get onto the stuff where encryption is essentially smoke and mirrors, usually providing a false sense of security. Avoiding government snooping; in all honesty if any first or second-world government wants to snoop on you, then consumer-grade encryption is not going to prevent them (and may even be deliberately weak to allow snooping), and military-grade encryption really isn't going to help unless you also take extreme precautions such as only using your home-built computer in a windowless Faraday cage, a room that you have personally built to high specifications from raw materials (and bear in mind you can't trust anyone else to do this work for you, nor any supplier to provide fabricated goods such as plasterboard panels or metal girders - they might build in some bugging devices). If you have something to fear from agencies which are that powerful, they will get their information by being, or planting a device which is, physically present at the time of encryption and decryption. They won't need to do the maths to defeat the encryption because they can watch you doing it for them, when you open or send your messages. And even if they did need to do the maths, HTTPS is not a strong enough defence against a determined attacker.

Finally we get onto my real pet peeve. Encryption for no reason at all. As a first-world citizen with nothing more serious on my record than a teenage car crash, I have absolutely nothing to fear from anyone intercepting the vast majority of my internet usage. Facebook... why would I care? Youtube... why? Any of several thousand news websites, technical blogs, games review sites, reference sites... pointless. Sure, there may be social media posts that I restrict to certain friends or family, but I have no real expectation that this is secure, nor any strong reason to worry about it. Anyone motivated enough to sidestep "friends only" posts would also be motivated enough to work around HTTPS and indeed any similar weak encryption.

Encryption is pollution; literally. It chews up computer processor time which wastes electricity, much of which is still generated through pollution. If you're using a battery-powered device then this waste is quadrupled or more, because batteries require many times more energy to charge them than they provide in output. Furthermore, computer processing causes heat, especially with laptop or desktop computers, and heat is another pollutant.

Encryption is expensive, for most of the same reasons it is polluting. You end up either requiring a faster, more expensive system to cope with the overhead of encryption, or you end up with a slower machine.

It's not just network encryption. Some devices such as newer Android and Apple smartphones are encrypting their storage by default. Whilst it makes sense to encrypt the hard drive of your employers' laptop, there is probably no reason why you'd encrypt the storage on your personal smartphone or personal computer, especially if you install "fun" apps on it, for which you grant all kinds of permissions, allowing those apps to see and edit information on that encrypted storage. You need to keep your device pretty spartan and clean in order to justify whole storage encryption.

For the vast majority of uses, encryption is unnecessary, slows your computer down, wastes electricity, wastes bandwidth, wastes heat, causes pollution, wastes money, causes a false sense of security and did I mention unnecessary?

I don't want to ban encryption. If you're doing online banking, entering your card details into a shopping site, applying for a passport or chasing your background check for working with a vulnerable group, encryption is fair enough. I'd even go with the ability to optionally turn on encryption whenever you feel the need.

However, having encryption turned on by default for everything you do is a very poorly thought-out idea.

[1] The HTTPS Everywhere programme is primarily about a browser app rather than a campaign. However, it seems to have inspired such a campaign.

Public Domain - Andrew Oakley - 2016-06-15
