Here’s what you really need to know about encryption

a key going into the side of a computer

You use encryption everyday—even if you don’t realize it.

Everyone who has used the Internet has used encryption. The technology—boiled down, it’s just math—is everywhere. It plays a central role in how the Web is secured.

Encryption codes messages so that only the intended recipient can read it. That means it can help protect your communications and Internet activity—making a credit card purchase or visiting a Website—against eavesdroppers. It can also ensure the integrity of your communications and thwart tampering so that you know the data you’re receiving isn’t being secretly changed up in transit. It’s difficult to overstate cryptography’s importance today—or the impact it will have on the future.

“As information becomes an increasingly valuable commodity, and as the communications revolution changes society, so the process of encoding messages, known as encryption, will play an increasing role in everyday life,” Simon Singh wrote in 1999’s The Code Book.

“Nowadays our phone calls bounce off satellites and our emails pass through various computers, and both forms of communication can be intercepted with ease, so jeopardizing our privacy. Similarly, as more and more business is conducted over the Internet, safeguards must be put in place to protect companies and their clients. Encryption is the only way to protect our privacy and guarantee the success of the digital marketplace. The art of secret communication, otherwise known as cryptography, will provide the locks and keys of the Information Age.”

Encryption, in its most abstract form, is thousands of years old, but recent terrorist attacks and product changes by companies like Apple have thrust the issue into the international spotlight. Dubbed the Crypto Wars, politicians, corporations, and activists are fiercely debating how to balance freedom, security, privacy, and technology in the Internet era.

Here’s everything you need to know about encryption.

What does encryption do?

When you do something on the Internet, you’re passing data messages from one endpoint to another. In between, there are middle points where an eavesdropper could sit and steal your credit card number, instant messages, phone calls, Internet browsing history, and anything else you’re doing online while it’s in transit from one end to the other.

It’s difficult to overstate cryptography’s importance today—or the impact it will have on the future.

End-to-end encryption is when your computer or smartphone encodes the message and sends it to the other end to be decoded. In the middle, anyone could still be able to pick up the message and examine it, but they wouldn’t be unable to decipher its true meaning.

A smartphone app like Signal uses encryption to encode your text messages and phone calls. Software like Tor (see our explainer “What is Tor?”) can encrypt all of your Internet traffic so that the Websites you visit are hidden from unwanted eyes. PGP will secure your emails.

That’s just one flavor of encryption of many.

You can encrypt an entire hard drive to protect your phone or computer in case anyone gets direct physical access to it, a tactic Apple and Google employ on iPhones and Androids. All of a sudden, no one but you—the device’s owner—can open it up. That means neither your roommate, Apple, or the police are supposed to be able to access the device and the mountains of data it holds without decrypting it using your password.

As with any technology, there are a number of different variants of encryption. The important thing to remember is that strong encryption makes is so only specific people can access data, whether it’s you seeing your phone or a friend seeing the email you sent only to them. Encryption keeps out prying eyes.

Who uses encryption?

You use encryption, for one. Governments, businesses, activists, militaries, spies, and average everyday people are using encryption to ensure some privacy on the Internet.

If you visit a website utilizing HTTPS (check the URL), you’re using encryption. If you’ve used Apple’s iMessage, that’s encryption. If you’ve ever made an online credit card purchase, you’re using encryption.

As the global debate over encryption widens, there’s spreading confusion about who would really use technology like encryption. But you can ask virtually anyone—whether it’s the civil liberties advocates at the Electronic Frontier Foundation, the government of the Netherlands, or even the director of the FBI—and they’ll tell you that encryption is essential in protecting us online.

Beyond that, however, there are some major disagreements.

What’s the debate over encryption? What is a backdoor?

While everyone agrees that encryption is important, not everyone agrees on who should have access to encrypted data.

James Comey, director of the FBI, is one of the most prominent figures in favor of backdoors into encryption. He never uses the word backdoor because of the negative connotations—it sounds like theft.Comey calls it a front door, a golden key, special access, and any number of other, more appealing terms. But what he’s essentially asking for is a backdoor, according to the technical use of the term for several decades now.  

If you visit a website utilizing HTTPS (check the URL), you’re using encryption. 

A backdoor allows access to encrypted data by parties other than you. If Apple or the FBI wanted access to your encrypted iPhone, they would need a special backdoor to get in. To do that, Apple would keep a decryption key (the company currently doesn’t have one, meaning privacy is very high) and hand it over to the government on request.

Comey’s argument is that if the Islamic State, pedophiles, or criminals are using encrypted communications, police should be allowed access with a warrant. Otherwise, he warns, they’ll be “going dark.”

Virtually every technologist, academic, and industrial expert is lined up against Comey and his push for backdoors into encryption for a number of reasons.

First and foremost, it’s basically impossible to get backdoors on all encryption products. Many are open source, meaning their code is freely available to anyone who wants it. There’s no way to delete or ban that code without radically changing the way we govern the Internet, computer code, and mathematics.

Even if that were to happen in the U.S., other countries stand strongly against encryption backdoors. An international market is emerging that will necessitate a global anti-encryption regime.

Second, the pervasiveness of Internet surveillance startles and scares a lot of people. Much of the resistance to backdoors rest of the principles of liberty and privacy; the idea that government will have access to an increasingly vast trove of data runs against the ideals of Americans and many people around the world.  There is a serious deficit of public trust when it comes to authorities spying in cyberspace—and it’s not hard to see why.

Moreover, the FBI’s claim that encryption that encryption makes investigations “go dark” is challenged strongly by leading technologists who say law enforcement and intelligence agencies actually have more information than ever before.

There is no such thing as 100 percent security.

“We’re questioning whether the ‘going dark’ metaphor used by the FBI and other government officials fully describes the future of the government’s capacity to access communications,” cryptographer Bruce Schneier wrote recently. “We think it doesn’t. While it may be true that there are pockets of dimness, there other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance.”

Last but not least, creating backdoors—and the “golden keys” required to open them—will weaken the security of all devices and connections that rely on encryption.  Any intentional backdoor meant for law enforcement can also be accessed by hackers. Few technologists will trust the core security of every device to the U.S. government when it’s so recently demonstrated it can’t keep its own house in order.

“It is important to remember that computer code and encryption algorithms are neutral and have no idea if they’re being accessed by an FBI agent, a terrorist, or a hacker,”Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) wrote last year.

Can encryption be broken?

There is no such thing as 100 percent security. That rule applies across the board, including with encryption.

Encryption can be broken in a number of ways. First, if the encryption is too weak, powerful computers can brute-force their way in. In other words, a computer can guess every possible password or key in order to gain access to the data protected by the encryption, an act that takes a serious amount of raw computing power. This is essentially an arms race: Encryption keeps getting more powerful and, on the other side, the computers that can break it are rising in power as well.

If you want to break past end-to-end encryption—which is meant to protect data in transit—a good bet is to hack an endpoint. If you can compromise someone’s computer, you can watch them type in passwords, look at their encryption key, and spy on any data before it’s even encrypted. This technically isn’t breaking encryption—it’s more like stepping around it, but the effect can be just as devastating.

You can also introduce backdoors. FBI director Comey is pushing for one kind of openly talked about backdoor up above but other, more surreptitious backdoors also for secret access into encrypted data even when users believe it’s fully secure. This is the province of intelligence agencies like the National Security Agency. Undermining encryption like this attracts the ire of many technologists who say it profoundly hurts security online.

There is no such thing as perfect encryption. But it’s one of the last and most formidable lines of defense in an Internet full of adversaries aiming to spy on your cyberspace activities. Criminals, hackers, governments—they’re out there, peering around, looking for holes to peep through.

But no single encryption tech is a cure-all. There’s a wide range of tools you can use to strengthen your privacy online. Check out a good starter list of the best privacy tools around right here.

Illustration by Max Fleishman

Patrick Howell O'Neill

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.