Pegasus shows no backdoor will be used only by good guys, Proton CEO say

Encrypted messaging services have moved the cybersecurity battlefield from communications to devises while making mass surveillance impossible, according to ProtonMail CEO Andy Yen.

Commenting on a recent cyber-surveillance scandal, a tech leader said encryption has made mass operations impossible and its integrity should be maintained at all costs, but he also pointed to Big Tech’s data collection practices as a major source of privacy vulnerabilities.

For Andy Yen, CEO of encrypted mailing service ProtonMail, the Pegasus allegations have shown the need to maintain encrypted messaging fully secured, rejecting the call from policymakers in Europe and the United States to provide exceptional access for public safety reasons.

“When it comes to security and privacy, it is very important that we consistently maintain very high standards, and we don’t artificially weaken encryption or create backdoors. History has shown over and over again that if you create weaknesses like these, the wrong people will use them for the wrong reasons,” Yen told EURACTIV.

Changing battlefield

In principle, communication services with end-to-end encryption cannot be accessed by third parties since the message can only be deciphered by the sender and the receiver.

Thus, this technology makes it impossible for service providers to access the content of the communication, because “the best way to protect data is not having it in the first place,” Yen stated.

As a result, Yen said, encryption has moved the cybersecurity battlefield from communications to devices. That is why spyware like Pegasus is designed to take control of mobile phones, which enables hackers to access the decrypted information at one of the two ‘ends’.

“Ten years ago, there wasn’t a need for programmes like Pegasus because all the information you wanted was not encrypted. Certain governments could force big tech companies to turn over that data,” Yen added.

For the tech entrepreneur, the hacking software illustrates that encryption is no ‘silver bullet’, but needs to be complemented with other security practices. Nonetheless, he noted that encrypted technologies have made mass surveillance impossible.

“They are not able to do that to thousands or even millions of people. These are very targeted attacks,” he said.

Security by device

Nonetheless, Yen said device manufacturers need to do more to ensure that devices are designed from a ‘privacy and security first’  point of view. That is the case even for Apple, which has made privacy one of the main features of its corporate identity and for this reason was singled out for not living up to expectations.

Ivan Krstić, head of Apple security engineering and architecture, said that “attacks like the ones described are highly sophisticated, they cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers”.

For Yen, while Apple still has a different business model than Google, its advertising revenue is already very significant through its app store and other services. Apple’s new privacy policy is also expected to boost its advertising business.

“Apple’s definition of privacy is basically: nobody can have access to your data, except for us. I would argue that the true definition of privacy and security is that no one can have access to my data and my privacy, period,” Yen said.

Conflicting priorities

Yen acknowledged that cybersecurity requires constant investments as threats are always changing in a continual ‘arms race’. However, he noted that while Big Tech does not lack the resources to invest in privacy and security, it lacks the financial incentive to do so.

“If your business model relies on mining, collecting and ultimately exploiting data, you need to design your software in such a way that is inherently more vulnerable,” Yen stated.

He pointed to the recurring argument from social networks like Facebook and LinkedIn, which justify data breaches saying the data was already publicly available on the platform. “They are data-sharing platforms. Data leaks are not a bug, they are a feature,” he added.

While acknowledging that, by definition, 100% security does not exist, the ProtonMail CEO stressed that many tech companies are not taking that extra step because prioritising advertising and data collection can at times be fundamentally at odds with privacy and security.

“These companies will claim they collect data, while still protecting your privacy and security. But there are always tradeoffs.”

“Do they take the more secure approach, or do they pick the more profitable approach for their advertisers? I would argue that more often than not, they probably prioritise the need to advertise over the practical needs of the actual users,” he concluded.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters

Subscribe