Note: this original blog post was published on Embedded.com; read it here.
The U.S. House of Representatives recently passed the USA Freedom Act, which addresses the controversial surveillance of communications by the NSA. The legislation would prevent the government from issuing orders for bulk collection. Instead, law enforcement would have to request records matching a “specific selection term” related to foreign terrorism from the data stored by phone companies.
This legislation seems to address individuals’ and corporations’ concerns that the NSA is storing large amounts of communications for unknown purposes. However, it doesn’t entirely protect our privacy, as it relies on the telecommunications companies to securely store bulk data.
While the phone companies have had a fairly solid track record in protecting themselves from hackers, the almost daily news of data breaches shows that cyber-criminals can be relentless and creative in attacking corporations.
Further adding to the privacy danger is the looming threat of quantum computers. For those who are not aware, quantum computers with sufficient computing power (measured in qubits) would be able to break the most popular asymmetric crypto algorithms, regardless of their security levels, using a method called Shor’s algorithm. This means that RSA and ECC, which are the two primary crypto solutions enabling Public Key Infrastructure (PKI) and secure websites (HTTPS), are immediately rendered obsolete once quantum computers become powerful enough. How long that will be depends on which expert you listen to, but recent academic and corporate research announcements seem to indicate that they are years, not decades, away.
There are some quantum-resistant asymmetric algorithms, including NTRU, which are available commercially, but the lack of awareness of quantum computing attacks (or the belief that they can be worried about later on) has kept the usage of RSA and ECC dominant. Recently, some organizations, such as the Cloud Security Alliance (CSA) and ETSI, have formed Quantum Safe Security working groups to promote awareness among their members and recommend standards. This is a positive sign that the industry may take action before it is too late.
The USA Freedom Act requires data to be collected and stored, but the protection of that data is not specified. A breach of one of the telecommunications companies’ systems via a traditional hack or a quantum computing breakthrough could result in large amounts of stored data being stolen, and many innocent people’s private communications being exposed.