Message encryption.
October 14, 2016

Message Encryption Is Great—Depending On Who Has The Key

Corporate execs are understandably worried these days about all of their electronic communications. Whether messages can be intercepted by corporate spies working for the opposition, government investigators snooping for terrorists or cyberthieves looking to steal what they can get, anything that is intercepted can wind up somewhere else. See Edward Snowden.

It's therefore quite understandable why there is much corporate enthusiasm for instant message systems that boast point-to-point encryption. Note that we're not saying end-to-end encryption because, technically, that can't exist. Well, it could exist, but then no one on either end could read anything. Point to point is the better way to reference messages that are encrypted after they are sent and then decrypted right before they are opened by the intended recipient.

The next decision companies must make is whether to go outside for encryption services and, if so, what they will ask those vendors to do.

Going outside for the encryption effort itself will be the choice for almost all companies that don't happen to have—as companies including Target, Boeing and Chase do—teams of cryptographers on the payroll. So most will indeed need outside help. The thornier decision is where the company will house the encrypted files and where the decrypting keys will reside. That will speak to the security of the end-user company—in other words, how equipped it is to securely protect such data and keys—and the perceived security and trust level of that outside vendor.

There is no right answer to that question as both options have serious pros and cons. On the one hand, an outside company that specializes in data protection would, theoretically, be able to justify a much greater security investment, both in systems and specialized personnel. The problem is trust.

That's not merely trust in that vendor's employees and contractors. It's also trust that they can protect their data from attackers. With a few exceptions, companies that house the data and decryption keys for lots of customers will be higher-value targets than the typical individual company. This is for the same reason that payments processors and credit card companies are bigger targets than their retail customers. There are obviously exceptions, such as the largest retailers (Walmart could easily house more payment credentials than many smaller payments processors) and companies with especially valuable data, such as military contractors who are constantly attacked by well-financed government spies for hostile countries.

But there's another trust consideration. Does the vendor have any business interests that would tempt it to look at—and leverage—your data? As absurd as that may sound, companies have been known to trust their most sensitive data to just such a firm. And that brings us to Google.

Google has recently started pushing an encrypted version of its Allo messaging service to businesses. Why not? Many of those companies are already trusting Google's Gmail with oceans of their most sensitive e-mails. But in this aspect of app security, end users may have really good reasons to consider a pure security company, rather than a marketing firm that desperately wants to access their data.

Consider this excerpt from a Washington Post story about Google's Allo efforts: "Google started offering users end-to-end encryption for the first time Wednesday with its new Allo instant-messaging app. The move makes Google the latest company to follow a tech trend that has privacy advocates cheering but some law enforcement officials worried. Conversations in Allo are not automatically protected by that extra secure form of encryption, which allows only those who send and receive messages to unlock them. Rather, users can choose to have 'incognito' conversations that feature the security measure — much like a system that Facebook is testing in its Messenger app. Other conversations in Allo are still encrypted between the app and Google's servers, but that means the tech company will be able to access the content of those messages."

Let's bottom line that. Unless customers happen to use this "incognito" option—and it must be done individually, as opposed to with a master setting done by a company's IT operation—the encrypted messages can all be seen by Google. That's a pretty scary default setting. Forget about what happens if a cyberthief breaks into Google's systems or if a Google employee/contractor goes rogue and tries selling the data to the highest bidder—all of which are quite plausible scenarios.

Google itself might love to mine your data and then resell access to that data to quite a few of its customers. That is their primary revenue source, after all.

Security firms at least have a business model focused solely on security—and sometimes specifically app security. That's worth a big chunk of your consideration if you really want to keep your messaging contents secret.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. 
