ProtonBlog(new window)
Privacy vs security

Privacy vs. security: Why the widespread use of encryption is essential to national security

Share this page

Four years ago, the Pew Research Center, a US think tank, asked hundreds of cybersecurity experts to weigh in on a simple question: “By 2025, will a major cyber-attack have caused widespread harm to a nation’s security and capacity to defend itself and its people?” A majority of the respondents said yes(new window).

“Cyber attacks will become a pillar of warfare and terrorism,” said one tech executive.

“Current threats include economic transactions, power grid, and air traffic control,” said a NASA researcher who now runs a space robotics firm. “This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure.”

“Cyberwar just plain makes sense,” said a former general counsel for the NSA.

In the few years since that report came out, we have witnessed Britain’s National Health Service (NHS) crippled by stolen NSA ransomware(new window), the US power grid infiltrated by Russia(new window), and hundreds of millions of digital records exposed(new window) to hackers. In other words, the experts’ predictions are right on track.

Yet at the same time, governments around the world are pushing to weaken the very encryption that can help to keep our personal records, our infrastructure, and our democratic institutions safe from bad actors. Most recently, the Australian government has waged a campaign to promote encryption backdoors(new window), which would weaken the right to privacy and make us all less safe.

State security officials are sending two conflicting messages: On one hand, encryption (i.e. privacy) is dangerous; on the other, cybersecurity is the battlefield of the 21stcentury.

In fact, privacy and security go hand in hand. The widespread use of strong encryption both guarantees individuals’ right to privacy while hardening society against waves of data breaches and cyber-attacks.

Why governments don’t like encryption

In the United States(new window), Australia(new window), and elsewhere(new window), law enforcement agencies are pushing for legislation that would make it easier for them to weaken encryption in consumer devices and software.

For example, Australia’s Assistance and Access Bill(new window) would require tech companies to build vulnerabilities into their security systems that could be exploited by law enforcement. If the law passes, it could also be used by US agencies(new window) thanks to the Five Eyes intelligence-sharing agreement(new window), even though American legislators have so far refused to mandate encryption backdoors.

Proponents of these kinds of laws say encrypted services, like WhatsApp or Proton Mail, allow criminals to plan and carry out attacks beyond the reach of police.

Privacy vs. security is a false dichotomy

First of all, there is very little evidence(new window) that government surveillance prevents terrorism. For instance, in 2013, the White House reviewed the NSA’s mass phone surveillance program and determined it was “not essential to preventing attacks.” Police foiled most attacks the old-fashioned way: through informants and tips.

More importantly, it is impossible to create a backdoor that only the police can use. Last year’s WannaCry ransomware attack(new window), which hit over 300,000 computers in over 150 countries (including the UK’s National Health Services) is the perfect cautionary tale. The attack relied on a vulnerability in outdated versions of Microsoft Windows that was first discovered by the NSA. Instead of disclosing the discovery to Microsoft so it could be patched, the NSA kept it secret to be used as a future backdoor into computer systems. However, the NSA was itself hacked, and the exploit was stolen, weaponized, and ultimately unleashed on the public.

The WannaCry example shows how tools intended for “the good guys” can easily fall into the wrong hands. In the age of cyber-attacks, there is a more responsible way forward.

Privacy tools make us all safer

In the age of self-driving cars, it isn’t difficult to imagine a future cyber-attack that puts lives at risk. Although no one is known to have died as a result of the WannaCry attack, an attack targeting hospitals could have life and death consequences. So could an attack against aviation systems or a nuclear power plant. The only way to prevent these kinds of attacks is stronger cybersecurity.

Cybersecurity means many things, from enforcing good operational security within organizations to keeping software up to date with the latest security patches. Individual cybersecurity requires strong passwords and strong encryption. Every major data breach has involved unencrypted data pilfered from corporate or government servers, exposing people’s personal and financial information. In many cases, the use of end-to-end(new window) and zero-access encryption(new window), like the kind used at Proton Mail, would have drastically mitigated the damage caused by these attacks.

Privacy and security are not in opposition, despite what some politicians and law enforcement officials would have you believe. Rather, they are two sides of the same coin. A digital system that is built in a secure way is also necessarily private. By promoting cybersecurity, rather than weakening it, we can support both the right to privacy and public safety.

Best Regards,
The Proton Mail Team

Sign up and get a free secure email account from Proton Mail.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support!

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be
Looking into the Dropbox privacy policy
Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions