Encryption is the process of obfuscating information so that it is unreadable without additional knowledge. Generally the special knowledge required to discover (decrypt) the original information is knowledge of which process was used to encrypt it, as well as knowledge of a specific piece of information, a ‘key,’ to unlock the encryption. When encryption is done well it is generally not possible to uncover both these pieces of information simply by examining the encrypted data.
Where Encryption is Effective
It is clear that a carrier would need to have at its disposal a means of decrypting the data. We recognize that CPNI data is used for legitimate business purposes, and so it is meaningless if it cannot be made readable. Some employees at the carrier must have access to a decryption device in order to perform their jobs.
Carriers also provide means of giving users access to their own CPNI. We do not dispute that these means should be available; we only note that CPNI cannot be disclosed to the user in encrypted form or they would not be able to read it. In order to provide such a service, carrier’s customer service representatives must have at their disposal a method of releasing decrypted CPNI data to the user to whom it belongs.
It follows that encryption is emphatically not a solution to the problems of pretexting and dishonest insiders. If someone has convinced a customer service representative that they should be given certain CPNI data, the data will be given to them in plain text. If a carrier employee is inclined to feed CPNI data to data brokers they will be able to do so if they have been given access to decrypted CPNI data in order to perform their job.
We believe that encryption of stored data is an effective counter-measure against two methods of acquiring CPNI data: cyberattack and physical theft of data.
Encryption and Cyberattack
In examining the effectiveness of encryption in countering cyberattack on carriers it is necessary to divide cyberattacks into two categories: attacks carried out by interacting with a carrier’s web site and attacks in which an attacker gains direct access to a carrier’s database.
EPIC notes that an attacker might crack a user’s online account with the carrier in order to obtain CPNI data. A carrier’s web site, like a customer service representative, must be able to give a user’s decrypted CPNI data to the legitimate customer. An attack on the web site might allow an attacker to bypass the authentication mechanisms of the web site in some way. Such attacks are analogous to deceiving a customer service representative by pretexting. Encryption of stored data is not effective against this sort of attack, as the web site, like the customer service agent, must display the decrypted CPNI data once convinced (falsely) of the user’s identity.
We do agree that encryption of stored data could help in mitigating the damage dealt by a cyberattack where an attacker fraudulently gains direct access to a carrier’s database. In such an attack the attacker would be forced to go to the additional trouble of figuring out which encryption scheme and which key were used.
While encrypting data can help against some forms of cyberattack, we are not in a position to comment on the prevalence of such forms of cyberattack as means of acquiring CPNI data relative to other methods like pretexting.
Encryption and Physical Theft
It is common practice for databases to be copied and stored for recovery in case of an accident or some need for older data. There is no doubt that, if backup copies were encrypted, physical theft of backups would be a pointless endeavor. We doubt, however, that physical theft is the primary method, or even a common method, of illegitimately acquiring CPNI data.
As noted above in the Introduction, we doubt that physical theft of records could allow data brokers the kind of on-demand access to CPNI that they apparently have. Mandating encryption to guard against physical theft might be a good idea, but if the Commission’s immediate goal is to counter on-demand sale of CPNI by data brokers then an encryption mandate would be mostly unrelated to the goal.
A (Slightly) Technical Review
As noted above, it is generally not possible for an outsider to determine both the ‘encryption key’ as well as the encryption method. However, that is not to say that the use of encryption is guaranteed to make a system secure. For example, SSL, which is a prominent security protocol used in nearly all secure online connections (https://), involves a public key exchange. A notable method of key exchange, Diffie-Hellman, is vulnerable to a “man-in-the-middle” attack in which someone receives and then re-sends all traffic involved in the exchange without ever being detected. Thus, a system of communication may be vulnerable, even in spite of the use of clever encryption methods.
It is also worth noting that, while encryption of stored data will not serve to counter attacks directly on a carrier's web site, there are encryption methods (like SSL) which can we used to secure the channel between the carrier's web site and the customer's computer. SSL and other methods are widely employed in Internet commerce and should certainly be encouraged where they are not already present.
We suggest that there be some incentive for carriers to employ industry standard security practices. Such practices might include the use of SSL for secure Internet data transfers as well as the physical separation of web server(s) from the computer(s) maintaining the database. Without good general security practices the encryption of stored data might gain nothing.
Carrier’s Reservations and Responses
Carriers have commented that data is already encrypted ‘where appropriate’ and that encrypting stored records would be costly. We find these two statements contradictory. If some data is currently encrypted, then infrastructure for the encryption and decryption of data must already be in place. We do not think it likely that it would be extremely costly use in place infrastructure to encrypt and decrypt additional data.
Carriers have also argued that encryption would slow legitimate inquiries for CPNI. We do not believe this to be true. There are varying types of encryption, but it is possible to choose a method that is both secure and fast. For example, the Advanced Encryption Standard (AES) mandated by NIST offers ample security and speed for this purpose. In the case of a customer interacting with a carrier’s web site we believe that the communication time between the web site and the customer’s computer will be far greater than the time required to decrypt the relevant CPNI data. As such, customers should not experience any noticeable slowdown, nor should carriers’ computer systems be burdened by the need to decrypt.
We believe that the most powerful criticism of encryption as a means of mitigating inappropriate disclosure of CPNI data is that encryption provides benefits largely unrelated to that goal. As discussed above, encryption cannot stop pretexting or dishonest insiders, and is only effective against some forms of cyberattack. This does not mean that such forms of cyberattack are not worth guarding against. Cyberattacks in which an data broker gains access to the carrier's database might be infrequent (we do not know). However, they will be devastating to the privacy of CPNI data if they do occur.
We find it somewhat troubling that CPNI data is encrypted ‘where appropriate,’ not because all CPNI data should be encrypted, but because this represents individual carriers’ understandings of which pieces of CPNI data are worth protecting. We believe that categories of CPNI data that must be encrypted should be established.
We suggest that any piece of CPNI data that might be used as personal identification of a customer (i.e. name, address, phone number, social security number) should be encrypted. In this way CPNI data that is acquired via cyberattack would not be valuable to data brokers as they would be unable to tie records to people without decrypting the data.
We also suggest that there be some effort to encourage strong technical security practices among the carriers. We are not experts in the field of computer security and so we are not in a position to describe what such practices should be, so we propose that some effort be made to discover what should be required of carriers in this respect.