New encryption laws could create more problems for banks
25 Oct 2017

The regulation of encryption technology is currently a topic of debate for governments around the world.

From the infamous Apple v. FBI case to WhatsApp’s battle with Brazil, security and law enforcement agencies have clashed with technology companies over access to encrypted information.

At a meeting of the Five Eyes (an intelligence alliance of the UK, US, Australia, Canada and New Zealand) in June this year, the governments declared that encryption “severely undermine[s] public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism.”

The US Deputy Attorney General recently met with British counterparts, including interior minister Amber Rudd and the heads of MI5 and GCHQ, to discuss ways to regulate so-called “warrant-proof” encryption (encryption which the tech companies themselves are not able to decrypt, even if presented with a warrant from law enforcement).

Speaking about the UK government’s stance on strong encryption, former foreign secretary William Hague has said there is “no absolute right” to privacy for British citizens.

The Australian government has been particularly vocal in calling for increased regulation, and is expected to introduce legislation in the parliament in November.

The vast majority of experts agree, however, that weakening encryption or mandating the creation of back-doors is a terrible idea.

Encryption essentially means putting information into a code which only the intended recipient can decode and read.

You cannot make the code easier to break for law enforcement without also making it easier to break for criminal hackers.

Far from keeping us safer, undermining encryption would dramatically increase the risk of a vast array of cybercrimes. This includes leaving financial institutions and professionals significantly more vulnerable to both direct and indirect criminal attacks.

Most money in the world today exists solely in a digital format, creating an enormous incentive for talented hackers. Encryption plays a critical role in securing banks, stock exchanges, payment card transactions and a host of other financial systems against attacks, theft or interference by criminals and even nation states.

In just the past few years, hackers have successfully stolen hundreds of millions (and in the case of one hacking ring, allegedly over a billion) dollars from banks around the world.

Any legislation which targets the use of encryption broadly, preventing financial institutions from using the strongest encryption available on their digital infrastructure, will directly undermine the ability of those institutions to protect themselves and their customers from criminal attacks.

Even legislation with a narrower scope, directed only at communication technologies, would have an impact on the risk of financial crime. Financial professionals often work with highly sensitive information which may be of great value to cybercriminals.

In 2016, for example, three Chinese citizens were charged with having made more than $4 million by hacking New York law firms, stealing emails containing confidential details about their clients’ corporate mergers and trading on that information.

Using encrypted communications, particularly what is known as end-to-end encryption, makes it vastly more difficult for hackers to access and steal information. Forcing financial professionals to rely on unencrypted (or weakly encrypted) communication channels would leave them and their clients far more vulnerable to corporate espionage, data theft and other forms of cybercrime.

Weakening encryption would also lead to indirect risks for financial institutions. One particularly significant area is identity fraud. The recent hack of credit broker Equifax is an alarming example of just how bad a major data breach can be.

The personal information of more than 143 million US residents, including Social Security Numbers, driver’s license numbers, addresses, birth dates, and credit card information, has been exposed, creating the potential for identity fraud on a mind-bogglingly huge scale. Much of the fallout from the Equifax hack is likely to land on the banks, who will be dealing with the consequences of identity theft for years to come.

Part of the reason Equifax’s data was so easy to steal was that most of it was being stored unencrypted. Equifax is far from the only organisation to have failed to encrypt, and subsequently lost control of, sensitive personal data.

In August 2017 Islington Council inadvertently published the unencrypted personal information of nearly 90,000 people on the website for its parking system, including bank details, medical records, home addresses and even someone’s prison record.

If Islington Council had encrypted the personal data it held, as it should have according to its own policies, the highly personal details of those 90,000 people could not have been read by total strangers just trying to pay parking tickets – or by anyone who might seek to use that information to commit fraud.

Encryption doesn’t only protect against malicious attackers; it also helps reduce the impact of human error.

Undermining encryption would also have implications for the future of fintech. Cryptocurrencies (which are based on blockchain technology) have their name for a reason – encryption is the foundation on which the entire system is built.

Whilst legislation in any one jurisdiction would be unlikely to affect cryptocurrencies as a whole, it could have a substantial impact on the international competitiveness of the fintech sector in that jurisdiction for many years to come.

Governments’ goals in protecting the safety of the public are commendable, but safety from terrorism should not come at the cost of making our society and our entire financial system more vulnerable to criminals.

There are alternative methods for achieving those ends which do not involve weakening encryption technology.

Encryption’s role in safeguarding banking and financial systems, protecting confidential and sensitive information, reducing identity fraud and enabling a functional, secure digital economy far outweighs the misuse of it by a tiny minority.

The financial sector should be an active participant in the public debate over how this critically important technology is used and regulated now and in the future.

Melbourne-based Elise Thomas has a background in international affairs and a strong interest in financial crime, data and technology issues.
