Back Doors to encryption
Running head: ENCRYPTION BACKDOORS AND PRIVACY
End-to-End Encryption, Backdoors, and Privacy
by
Robert E. Endeley
A Dissertation Presented in Partial Fulfillment
of the Requirements for the Degree
Doctor of Science in Cybersecurity
CAPITOL TECHNOLOGY UNIVERSITY
June 27, 2019
© 2019 by Robert E. Endeley ALL RIGHTS RESERVED
ProQuest Number:
All rights reserved
INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.
ProQuest
Published by ProQuest LLC ( ). Copyright of the Dissertation is held by the Author.
All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.
ProQuest LLC. 789 East Eisenhower Parkway
P.O. Box 1346 Ann Arbor, MI 48106 - 1346
22624057
22624057
2019
ENCRYPTION BACKDOORS AND PRIVACY
End-to-End Encryption, Backdoors, and Privacy
Approved:
Sondria Miller, Ph.D., Chair
Ian McAndrew, Ph.D., Committee Member
Donovan Wright, Ed.D., Committee Member
___________________________________________________________ Ian McAndrew, Ph.D Date Dean of Doctoral Studies Capitol Technology University
ENCRYPTION BACKDOORS AND PRIVACY
Abstract
A qualitative analysis study that examined the views and opinions of non-technology
professionals in the U.S. regarding government and law enforcement agencies’ demand for
legislation that will allow them to snoop on online private communications of smartphone users.
Governments would prefer exclusive access to encryption technologies, called a backdoor, to use
in accessing messages. Technology professionals have, however, argued against a backdoor; they
claim a backdoor would not only be an infringement of their privacy but that hackers could also
take advantage of it. In light of this security and privacy conflict between technology
professionals and government’s need to access messages in order to thwart potential terror
attacks, this study presents the views and opinions of non-technology professionals in the U.S.
on the ensuing encryption debate. Using qualitative descriptive design methodology, a survey of
26 participants was conducted and data was analyzed using Braun and Clarke’s six-step process
of inductive thematic analysis. Results from this research study showed that non-technology
professionals are willing to allow the government to infringe on their privacy if that will
guarantee them safety.
Keywords: instant messaging, WhatsApp, end-to-end encryption, privacy, government
ENCRYPTION BACKDOORS AND PRIVACY iii
Dedication
I dedicate this doctoral study first to the glory and honor of God, and then to my three
lovely children, Prince Herbie, Princess Dianne, and Princess Bellafannie. These three little
giants kept the joie de vivre in me as I navigated the rough seas of doctoral study. I also dedicate
this study to my late father Dr. E.M.L Endeley and late mother Fanny E. Endeley, not leaving out
my late brother and friend Professor Herbie Nganjo Endeley. The last three people have been the
bedrock of my life.
ENCRYPTION BACKDOORS AND PRIVACY iv
Acknowledgments
I want to acknowledge the steadfast support of my aunt, Enanga Catherine Ndima, a
beautiful and kind-hearted lady, who graciously took care of my kids throughout the grueling
process of doctoral study. I acknowledge the meticulous supervision of my chair, Dr. Sondria
Miller, who guided me throughout this dissertation and taught me how to write consciously. I
also acknowledge the immense editing help I got from my sister Princess Grace N.N. Endeley
and my brother Dr. Isaac N. Endeley.
ENCRYPTION BACKDOORS AND PRIVACY v
TABLE OF CONTENTS
Abstract ........................................................................................................................................... 3
Dedication ...................................................................................................................................... iii
Acknowledgments.......................................................................................................................... iv
TABLE OF CONTENTS .................................................................................................. … …….v
List of Tables ................................................................................................................................. ix
List of Figures ................................................................................................................................. x
CHAPTER 1: INTRODUCTION ..................................................................................... … …….1
Background of Study ...................................................................................................................... 2
Problem Statement .......................................................................................................................... 5
Purpose of Dissertation Study ......................................................................................................... 8
Significance of the Study ................................................................................................................ 8
Nature of Study ............................................................................................................................... 9
Research Questions ....................................................................................................................... 12
Conceptual or Theoretical Framework ......................................................................................... 14
Definitions..................................................................................................................................... 17
Assumptions .................................................................................................................................. 19
Scope, Limitations, and Delimitations .......................................................................................... 20
Chapter Summary ......................................................................................................................... 21
CHAPTER 2: LITERATURE REVIEW ............................................................................ .. ……23
Overview ....................................................................................................................................... 25
The Evolution of Encryption ........................................................................................................ 26
Private and Public Key Encryption .......................................................................................... 27
ENCRYPTION BACKDOORS AND PRIVACY vi
Governments’ and Law Enforcement’s Encroachment on Encryption Technology .................... 29
Encryption Backdoors ................................................................................................................... 36
E2EE implementation in Mobile Applications Today .................................................................. 38
Security Fundamentals of WhatsApp....................................................................................... 45
The Worldwide Impact of the Use of WhatsApp..................................................................... 47
WhatsApp Privacy Concerns on the Youth ............................................................................. 48
Overview of Proposed Historical Solutions .................................................................................. 50
Conclusion .................................................................................................................................... 56
Chapter Summary ......................................................................................................................... 57
CHAPTER 3: METHOD .................................................................................................... .. ……59
Research Method and Design Appropriateness ............................................................................ 60
Research Design ....................................................................................................................... 61
Population, Sampling, and Data Collection Procedures and Rationale ........................................ 62
Sampling .................................................................................................................................. 63
Informed Consent ..................................................................................................................... 65
Confidentiality and Anonymity................................................................................................ 65
Data Collection and Data Sources ........................................................................................... 66
Pilot Study ................................................................................................................................ 67
Reliability ................................................................................................................................. 67
Validity: Internal ........................................................................................................................... 68
Transferability .......................................................................................................................... 69
Data Analysis ................................................................................................................................ 69
Phase 1: Familiarization with Collected Data .......................................................................... 71
ENCRYPTION BACKDOORS AND PRIVACY vii
Phase 2: Generating Initial Codes ............................................................................................ 71
Phase 3: Searching for Themes ................................................................................................ 71
Phase 4: Reviewing Themes .................................................................................................... 72
Phase 5: Defining and Naming Themes ................................................................................... 72
Phase 6: Producing the Report ................................................................................................. 73
Chapter Summary ......................................................................................................................... 73
CHAPTER 4: RESULTS ................................................................................................. …. ……75
Pilot Study ..................................................................................................................................... 76
Threats to validity and reliability .................................................................................................. 78
Findings......................................................................................................................................... 79
Demographics .......................................................................................................................... 80
Data Analysis Procedures ........................................................................................................ 81
Results ...................................................................................................................................... 86
Research Question 1 ............................................................................................................ 87
Theme 1. Government and Privacy. .............................................................................. 88
Figure 6. An explore diagram showing codes for the government theme .......................... 89
Research question 2 ............................................................................................................. 90
Theme 1. Information ..................................................................................................... 90
Theme 2. Activities ........................................................................................................ 91
Theme 3. Communications ............................................................................................. 92
Research question 3 ............................................................................................................. 92
Theme 1. Social Media ................................................................................................... 92
Theme 2. Encryption ...................................................................................................... 92
ENCRYPTION BACKDOORS AND PRIVACY viii
Significance of results ................................................................................................................... 94
Chapter Summary ......................................................................................................................... 95
CHAPTER 5: Findings and recommendations ............................................................... ….. ……98
Limitations .................................................................................................................................... 99
Findings and Interpretations ....................................................................................................... 100
Comparing Findings to Theoretical Framework and Literature ................................................. 102
Implications of Findings ............................................................................................................. 104
Strengths and Weaknesses .......................................................................................................... 105
Recommendations ....................................................................................................................... 106
Recommendations for Future Research ...................................................................................... 107
Chapter Summary ....................................................................................................................... 108
References ................................................................................................................................... 111
APPENDIX A ................................................................................................................... … …..123
APPENDIX B ................................................................................................................... … …..125
Human Subjects Participant Consent .......................................................................................... 125
APPENDIX C ................................................................................................................... … …..128
Literature Review Map ............................................................................................................... 128
APPENDIX D ................................................................................................................... … …..129
Literature Search ......................................................................................................................... 129
APPENDIX E ...................................................................................................................... . …..130
Research Methodology Map ....................................................................................................... 130
ENCRYPTION BACKDOORS AND PRIVACY ix
List of Tables
Table 1 Demographic Summary of Research Study Participants..................................................81
Table 2 Research Questions, their Corresponding Themes, and Survey Questions......................87
Table 3 How much the survey information had increased participant’s knowledge
of the benefits E2EE to ……………………………………………………………………….....94
ENCRYPTION BACKDOORS AND PRIVACY x
List of Figures
Figure 1. A bar chart showing the age distribution of participants..............................................80
Figure 2. A pie chart of the six themes generated from the research study.................................84
Figure 3. A thematic map of the major themes generated in the research study.........................85
Figure 4. The relationship between research questions, codes, and themes................................86
Figure 5. Word cloud of the most used words in the open-ended survey questions....................88
Figure 6. An explore diagram showing codes for the government theme...................................89
Figure 7. An explore diagram showing the child themes that make up the information theme..90
Figure 8. An explore diagram showing the child themes that make up the activities theme.......91
Figure 9. Distribution graph showing participants knowledge on whether or not they knew.....93
ENCRYPTION BACKDOORS AND PRIVACY 1
CHAPTER 1: INTRODUCTION
The world is always changing, due in part to advancements in the domains of science and
technology (Yeboah & Ewur, 2014). What is more, nowadays it appears difficult to escape the
presence of technology in our daily lives (Endeley, 2018; Yeboah & Ewur, 2014). Since
smartphones became popular, many instant messaging (IM) services have been launched
(Yeboah & Ewur, 2014). Some governments have become concerned about the ubiquity of IM
services on mobile phones and their use of end-to-end encryption (E2EE) in safeguarding users’
privacy, as it makes eavesdropping harder for them (Endeley, 2018; Michalas, 2017). E2EE
ensures messages between communicating parties are secure, free from snooping, and hard to
crack (Brantly, 2017). E2EE offers peace of mind to end users as it secures their data in transit
and from third parties (Endeley, 2018). The service provider cannot access the messages, which
can only be decrypted by the intended recipient (Michalas, 2017; “WhatsApp,” 2017).
While E2EE ensures integrity, security, and privacy, it removes opportunities for
government surveillance and the capacity to keep the nation secure by intercepting terrorist
communications (Rastogi & Hendler, 2017). Governments would prefer special access to
encryption technologies, called a backdoor, to use in accessing messages (Michalas, 2017). They
have emphasized they will only use the backdoor if there is a credible threat to national security
(Brantly, 2017). In opposition to governments’ proposals for a backdoor, Kern (2012) argued the
promise of privacy guaranteed by modern encryption techniques, is, to a great extent, what has
expounded the broad use of the internet. Kern further stated common online practices, such as
online shopping, banking, and remote terminal services, would largely be impossible without the
guarantee of the privacy and confidentiality provided by encryption.
ENCRYPTION BACKDOORS AND PRIVACY 2
This study aimed to gain the attention of everyday users to the benefits of E2EE on their
instant messaging (IM) communications and to demonstrate why users should be concerned with
governments’ requests for backdoors into these encryption systems. A survey was used to collect
data from research participants, who were recruited using the snowball sampling methodology.
Background of Study
According to McCarthy (2016), the Federal Bureau of Investigation (FBI) has been
voicing concern; due to barriers such as strong encryption, government’s security apparatus has
been going dark in its attempt to monitor certain electronic communications and suspected
terrorists. McCarthy revealed an increasing awareness of data-related privacy concerns in the
aftermath of the Edward Snowden revelations made from 2013 onwards. These revelations
purported to show the wide-reaching extent of bulk government surveillance by the U.S. and
U.K. security agencies (McCarthy, 2016). McCarthy further stated the world’s leading internet
communication services providers such as Apple, Google, Facebook, WhatsApp, and
Blackberry, have rushed to announce a renewed commitment to customer privacy. These
companies all announced plans to implement E2EE on a default basis.
Inserra, Rosenzweig, Stimson, Shedd, and Bucci (2015) examined the raging debate
between the former FBI Director James Comey and most of the technology community, over
whether law enforcement should have exclusive access to phones and end-to-end encrypted
messaging applications. In what Inserra et al. termed a Crypto War, the FBI has contended
exclusive access is needed to the communications and data of criminals and terrorists on the
internet, an example of the ongoing dispute arose after a terrorist attack in 2015. A California
man named Syed Farook, together with his wife, killed 14 people and injured 22 others at the
Department of Public Health in San Bernardino, California (Steven, 2018). In an attempt to
ENCRYPTION BACKDOORS AND PRIVACY 3
understand Farook’s motivations, and to get the fullest possible sense of his network and
contacts, the FBI sought access to the contacts and messages on Farook’s iPhone 5c. However,
there was a problem (Steven, 2018).
According to Steven (2018), Farook’s iPhone 5c, which was protected by Apple’s default
encryption system, was impossible to access. Even when served with a warrant, Apple could not
extract information from its own product (Steven, 2018). Apple’s FileVault disk encryption
secures the device’s entire content at the disk level, basically rendering it inaccessible for anyone
without the passcode to access data on the disk, unlike the regular password-protected computer
which leaves the hard drive’s content accessible to anyone who can access it directly (Hern,
2014). According to Schulze (2017), in early 2016, the government filed a court order to compel
Apple to unlock the encrypted iPhone 5c of the San Bernardino attacker. The FBI wanted Apple
to rewrite its operating system software (iOS), to disable encryption security features which
would enable the FBI to access the data (Schulze, 2017). In effect, the FBI wanted a backdoor to
ensure everyone’s iPhone can be decrypted on demand so the FBI can access the phones of the
few users under FBI investigation (Schneier, Seidel, and Vijayakumar, 2016). Apple, however,
refused and defended itself by claiming such an action would be a threat and infringement on
personal liberty (Schulze, 2017).
The court order was ultimately moot as the FBI found a third party to unlock the phone.
Calls for backdoors into popular messaging applications using E2EE have become a ritual in the
wake of terrorist attacks in Western nations (Brantly, 2017). Following the terrorist attacks of
March 2017 in London and the bombing attacks of May 2017 in Manchester, authorities found
out terrorists used the favored messaging application WhatsApp before the attacks (Brantly,
2017). Calls were made within the United Kingdom and the United States to leave no hiding
ENCRYPTION BACKDOORS AND PRIVACY 4
places for terrorists (Brantly, 2017). Endeley (2018) stated the WhatsApp messaging service has
emerged as the most popular messaging service today and it uses E2EE in transmitting user data.
E2EE makes governments’ and secret services’ efforts to combat organized crime, terrorists, and
child pornographers technically impossible (Barr, 2016). Governments contend that if the
messages of these criminals can be accessed, then their criminal actions can be prevented
(Brantly, 2017). Conflicting concerns about privacy and national security are not the only issues
associated with E2EE. Many people are also concerned about infringements on free speech
(Barr, 2016).
Barr (2016) examined law enforcement’s push for legislation compelling companies to
create encryption backdoors, tools which will provide government access to encrypted
communication, and issues such legislation would raise concerning the First Amendment.
According to Barr, as far back as 1990, several court cases challenged the export control of
strong encryption claiming such restrictions were unconstitutional restraints on free speech. Barr
argued against these claims, saying sweeping encryption regimes suggested by law enforcement
would not satisfy the First Amendment’s prohibition against compelled speech. Barr examined
how current proposals for encryption backdoors implicate compelled speech issues in a way past
attempts to regulate encryption did not. Barr also analyzed the arguments for and against
protecting source code and argued source code might only be compelled in the presence of a
clear and present danger. Regardless of how E2EE impacts the principles of privacy, free speech
and national security, the practical limitations of implementing backdoors all but guarantee
personal communications can indeed be kept private if the user so chooses (Schneier, Seidel, &
Vijayakumar, 2016).
ENCRYPTION BACKDOORS AND PRIVACY 5
Schneier et al., (2016) have pointed out countries such as the U.S., the U.K., and France
seem very interested in mandating backdoors. The impetus to mandate backdoors in encryption
products for the countries mentioned above is coming from law enforcement. Security
researchers, according to Schneier et al. have, however, argued backdoors are impossible to
implement securely and will result in reduced security for everyone. A practical limitation to
mandating backdoors as a way of reducing crime is because encryption products come from
different parts of the world (Schneier et al., 2016). Anyone attempting to evade encryption
backdoors in the U.S., the U.K., or France has a wide variety of foreign encryption products to
pick from which can encrypt hard drives, voice and text conversations, virtual private networks
(VPN) links and everything else (Schneier et al., 2016). Schneier et al. identified 865 hardware
or software encryption products from 55 countries: 546 of these products, or two-thirds, were
from outside the United States. Schneier et al. outlined that most common non-U.S. countries for
encryption products were Germany, followed respectively by the United Kingdom, Canada,
France, and Sweden. Germany and the Netherlands have publicly disavowed backdoors in all
their encryption products.
Problem Statement
The general problem is law enforcement’s advocacy for a backdoor into E2EE in IM
services, thus undermining privacy and security (McCarthy, 2016). The New York County
District Attorney, Cyrus Vance, in a written testimony to the U.S. Senate Judiciary Committee
said Apple and Google smartphones should be configured to allow data on these devices to be
accessed by law enforcement when it has judicial authorization to do so (“U.S. Department of
Homeland Security,” 2015). Law enforcement agencies such as the FBI have argued to the U.S.
ENCRYPTION BACKDOORS AND PRIVACY 6
Congress the only way to compel smartphone manufacturers to comply with their request for a
backdoor will be through legislation (Barr, 2016).
The specific problem is non-technology professionals do not understand the impact of
creating backdoors into encryption technologies (Sagers, Hosack, & Rowley, 2015; Wei et al.,
2016). Non-technology professionals may not think of encryption very much, but it is
fundamental to all our lives. Almost everything we do today on the internet uses a secret code,
including internet banking, or logging on to Twitter or Facebook; encryption protects all such
information. While E2EE protects users’ IM from eavesdropping by third parties, full-disk
encryption protects data such as photos, texts, emails, contacts, and bank account information
from access by rogue individuals who may either steal your device or lay hands on a lost one
(Herzberg & Leibowitz, 2016). Encryption backdoor, which was the focus of this study, is an
intentionally designed weakness into a cryptosystem (Schulze, 2017). An encryption backdoor
may allow third parties to gain access to unencrypted data using certain keys (Abelson et al.,
2015). The same backdoor used by an authorized third party such as a government agency
authorized by court order may also be vulnerable to an unauthorized attacker who should not
have access to the data (Abelson et al., 2015).
Much of the literature regarding the effects of E2EE on society has centered on the points
of view of cryptographers and law enforcement agencies (Brantly, 2017). An in-depth review of
the literature on this debate, however, showed no study had been done before in the U.S. to seek
the opinions and views of non-technology professionals. Brantly, 2017 stated the former NSA
and CIA Director, General (Ret.) Michael Hayden said, “we will only go as far as the American
people allow us, but we will go all the way to that line” (p. 29). General (Ret.) Michael Hayden
did not give any details following his statement on the view of the American people regarding
ENCRYPTION BACKDOORS AND PRIVACY 7
encryption backdoors; he left it to anyone's imagination (Brantly, 2017). According to the “U.S.
Census Bureau” (2016), technology professionals represent only 2.9 percent of the U.S. labor
force. Non-technology professionals, therefore, represent the largest segment of the labor force,
and by inference the largest group of smartphone users (“U.S. Department of Labor,” 2019;
“U.S. Census Bureau,” 2016). This study sought to understand the lengths at which non-
technology professionals would want the government to go regarding reading their private
messages as a tradeoff for more security.
Encryption technology is not a new technology; it is rather a century-old technique to
scramble readable text, using mathematical algorithms, into unreadable cipher-text (Schulze,
2017). The sender and recipient involved in an encrypted communication require a correct key or
password to make the encrypted text intelligible again (Schulze, 2017). Encryption was created
to avoid eavesdropping from third parties (Schulze, 2017). According to Human Rights Watch
(2015), when words and actions can be monitored or intercepted, it has a discouraging effect on
what people feel free to do or say or where they feel free to go. Secure encryption offers an
opportunity for internet users to reclaim a portion of the privacy they have lost in an era where
they cannot shield their affairs from the prying eyes of some governments (McCarthy, 2016).
This study was a qualitative study, and it used a qualitative descriptive design
methodology to seek the opinions and views of non-technology professional on the ensuing
encryption debate. The population of this study were users of mobile phones running the end-to-
end encrypted IM service, WhatsApp, and are located in the U.S. In 2018, WhatsApp was named
the most popular messaging service endowed with E2EE (Rastogi & Hendler, 2017). This
research was, therefore, focused on WhatsApp.
ENCRYPTION BACKDOORS AND PRIVACY 8
Purpose of Dissertation Study
The purpose of this qualitative descriptive study is to raise awareness for non-technology
professional users of mobile devices on the benefits of encryption for privacy. With the use of
smartphones on the rise, instant messaging (IM) applications have become all but a necessity
(Sutikno et al., 2016). Without encrypted communication between IM servers and end users, all
conversations, pictures, attached files, and voice messages could be exposed to the Internet
should the servers be hacked (Swire & Ahmad, 2012). High-value personal information such as
passport numbers, medical information, or credit card information could also be intercepted and
exposed without the use of E2EE (Swire & Ahmad, 2012).
This study used qualitative analysis to gain insights into the views and opinions of non-
technology professionals regarding their privacy and encryption capabilities on public
communication platforms, particularly IM platforms. Specifically, the research methodology was
founded on qualitative descriptive design, which does not emphasize the formation of new theory
by the end of the analysis, as would be required if this study was to use the grounded theory
approach. Instead, qualitative descriptive analysis is the method of choice when straightforward
descriptions of a phenomenon are desired (Dews-Farrar, 2018). This study involved U.S.
subjects who were users of the WhatsApp IM service. Data was collected through an online and
a paper-based survey from the sample population.
Significance of the Study
The results of this study will contribute significantly to the benefit of a society mostly
unaware of their right to privacy on the internet as a human right. In March 2015, the United
Nations Human Rights Council resolved privacy is a gateway right which affects an individual’s
ability to exercise almost every other right, particularly freedom of assembly, freedom of
ENCRYPTION BACKDOORS AND PRIVACY 9
association and freedom of expression (“Human Rights Watch,” 2015). The results of this study
will help create an awareness of the benefits of encryption to the non-technology user of the
internet. It may also amplify the voices of privacy advocates who will increase the pressure on
Congress not to yield to the demand from law enforcement on legislation mandating the creation
of secret backdoors into encryption services by technology companies.
The results of this study may also help educate the everyday user of the internet on the
benefits of E2EE in their daily communications on mobile devices. This creation of awareness
and expectation of privacy guaranteed by strong encryption for the everyday user of the internet
may also drive more technology companies to adopt E2EE, as was the case after the Edward
Snowden leaks in 2013 (McCarthy, 2016). The revelation of backdoors into Microsoft’s
Outlook.com and SkyDrive services led to a number of protests by Microsoft customers
(Thompson, 2013). These applications eventually lost credibility, and according to McCarthy,
there has been an industry-wide rush to announce a renewed commitment to customer privacy by
the world’s leading internet communication services providers such as Apple, Google, Facebook,
WhatsApp, and Blackberry. These major internet companies have all promised E2EE by default
in all their IM tools (McCarthy, 2016). Another benefit this study may bring is, non-technology
professionals may increase their adoption of using the internet for personal transactions such as
paying bills, online banking, and money transfers once they are aware and understand the
benefits of strong encryption on the internet.
Nature of Study
Descriptive research allows the researcher to obtain a comprehensive picture of the
central phenomenon under study. The central phenomenon in this research was encryption and
backdoors, specifically E2EE. The sample population for this study was users of the end-to-end
ENCRYPTION BACKDOORS AND PRIVACY 10
encrypted IM application, WhatsApp. According to Jisha and Jebakumar (2014), WhatsApp is
the fastest growing IM application and was selected for this study because of its global
favorability, with a user base of over 1.5 billion subscribers (Jisha & Jebakumar, 2014).
WhatsApp has attracted a lot of attention recently because of its large-scale use of E2EE, the first
application to ever implement E2EE to this scale (Rastogi & Hendler, 2017). In 2009, Brian
Acton and Jan Koum created WhatsApp purposely to make communication and the distribution
of multimedia messaging easier and faster (Sarker, 2015). WhatsApp works with internet
connectivity and helps its users to stay in touch with friends and relatives on their contact lists
(Yeboah & Ewur, 2014). Apart from making its users connect and stay connected, it also helps
them to create groups, send images, videos, documents and audios (Jisha & Jebakumar, 2014).
Given the usage of WhatsApp as one of the criteria for which survey participants were selected,
the researcher also looked at the most appropriate qualitative study approach to use in achieving
the best results.
The researcher looked at a good number of qualitative study approaches to use for this
study and concluded a qualitative descriptive study would best fit this research. The researcher
was seeking to gain insight into the views and opinions of non-technology professionals about
their privacy on public communication platforms. The qualitative descriptive approach would
yield the best results in answering the research questions posed in this study.
This study could not be carried out using an ethnographic research approach because it
was not a cultural study. Also, ethnographic research requires the researcher to be immersed in
the culture, often for years (Creswell, 2015). To accomplish the purpose of this research, such a
long duration of study will not be necessary. This study could not be similarly carried out with a
narrative research approach. A narrative research approach according to Creswell (2015) weaves
ENCRYPTION BACKDOORS AND PRIVACY 11
together a sequence of events, usually just from one or two individuals to form a cohesive story.
In this study, the researcher was seeking to draw the attention of non-technology professionals to
the benefits of strong encryption in their daily use of the internet. Therefore, a narrative research
approach using just one or two individuals would not have been able to provide successful
results for this study. Another research approach the researcher examined was a
phenomenological study; this research approach is used when trying to describe an event,
activity, or a phenomenon (Creswell, 2015). It involves visiting sites and events or watching
videos to gain an understanding of the phenomenon under research. This approach also would
not have enabled us to answer the research questions posed by this research on encryption
backdoors and its implication on privacy. Thus, it was not chosen as the appropriate research
approach. This study looked at other research approaches for appropriateness.
Another vital research approach the researcher examined was the grounded theory
approach. According to Creswell (2015), whereas a phenomenological study looks to describe
the essence of an activity or event, the grounded theory looks to provide an explanation or theory
behind the events. Our intended study was not seeking to build a research theory. Therefore, this
approach was not appropriate for our research. Lastly, the researcher also reviewed the case
study approach. Case study designs, according to Creswell, are a variation of the ethnographic
design, also known as an ethnographic case study. The researcher did not choose the case study
design because the study primarily involved events occurring in the present (Salkind, 2012).
Due to the limited understanding of the central phenomenon, E2EE, and backdoors to
non-technology individuals, snowball sampling according to Creswell (2015) was the most
appropriate sampling methodology. Also called chain referral sampling, snowball sampling has
the advantage, after observation of the initial subjects, the researcher asks for assistance from the
ENCRYPTION BACKDOORS AND PRIVACY 12
subjects to help identify participants with similar traits. Snowball sampling typically proceeds
after the start of the study (Creswell, 2015). The snowball sampling methodology was also
selected for this study because it has been used in similar studies on privacy concerns and IM,
such as the study by Rashidi, Vaniea, and Camp (2016). To uncover whether participants meet
the requirement of non-technological professionals, they were asked about their general
computer knowledge and their computer security skills. The study also evaluated participants on
their familiarity with encryption in general and E2EE, specifically. Participants did not receive
any compensation; they were informed of the purpose of the study and Institutional Review
Board (IRB) approval for the research study.
Research Questions
In the FBI v. Apple case of 2016 in San Bernardino, a survey conducted by the Pew Research
Center found in December 2015, the public sided with the FBI initially, with around 51%
arguing Apple should help the FBI (Elmer-Dewitt, 2016). However, later polls in February 2016,
with diverse methodologies, showed the public sided with Apple (Elmer-Dewitt, 2016). The
passionate discourse about encryption lasted until March 2016, when in a separate case in New
York State, a Brooklyn court ruled in Apple's favor saying the All Writs Act of 1789 used by a
U.S. Magistrate to compel Apple to comply, did not govern the unlocking of an iPhone
(Lichtblau & Goldstein, 2016). Before the ruling of the Brooklyn court, the FBI had succeeded in
accessing the phone’s content in the San Bernardino case with the help of a third-party company
(Zapotosky, 2016). The split in public opinion in both court cases between the FBI v. Apple led
the researcher to arrive at some research questions which served as the primary focal points in
performing this research study:
ENCRYPTION BACKDOORS AND PRIVACY 13
• Do non-technology professionals in the U.S. understand the impact of creating backdoors
into end-to-end encrypted technologies?
The WhatsApp application does an excellent job in displaying a message at the top of
each new chat session saying all messages to this chat and calls are secured with E2EE. This
information to users is a guarantee of privacy, but non-technology professionals would
seldom use terms like E2EE in their daily lives, even though E2EE is part of our daily digital
lives. E2EE encapsulates our private data online like credit card numbers during a transaction
or Voice-Over-Internet Protocol (VOIP) phone conversation which may be wiretapped
(Shirvanian, Saxena, & George, 2017). Creating an awareness of the value E2EE to the
ordinary men and women who use the internet for daily activities and routine tasks, is one of
the objectives this research sought to accomplish.
• What are the perspectives of non-technology professional users of IM applications
regarding the argument security comes at a price, namely at the expense of privacy?
A study carried out by Beckmeyer in 2017 showed non-information security
professionals placed more emphasis on privacy than security when surveyed on balancing the
U.S. government’s Post-9/11 domestic electronic surveillance program with U.S. citizens’
privacy rights and expectations (Beckmeyer, 2017). While the study by Beckmeyer had a
more stringent definition as to who was considered an information security professional or
not, it failed to investigate the value placed on privacy by simple everyday non-technological
users of the internet.
• To what extent does the knowledge of encryption as a technology in safeguarding
consumer privacy affect the use of the internet by non-technology professionals in the
U.S.?
ENCRYPTION BACKDOORS AND PRIVACY 14
This research was also seeking to understand the outcome of creating an awareness of
encryption, usage and behavior patterns of non-technology professionals on the internet. The
results of this study will show whether or not creating such awareness drives users towards
more end-to-end encrypted applications to safeguard their conversations from the prying eyes
of governments and hackers.
Conceptual or Theoretical Framework
This study built on the broader conceptual framework of securitization of technology,
which provides a link to Science and Technology Studies (Barnard-Wills & Ashenden, 2012;
Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009). Studies on the crypto-wars debate
tend to be either technical (Abelson et al., 2015) or historical (Kehl, Wilson, & Bankston, 2015).
Empirical securitization studies, which focus on digital technologies, tend to ignore the potential
material impact of discourses, as Dunn Cavelty argued (Dunn Cavelty, 2015). According to
Schulze (2017), the securitization framework, which is understood as the social construction of
security/insecurity in the digital realm, has rarely been adopted in cryptography discourses.
Governmental access to otherwise secure cryptography could, in the worst case, substantially
weaken these systems, thus threatening the safety of the billions of cell phones used by people
today (Schulze, 2017).
In the recent years after the Edward Snowden leaks in 2013, there has been an evolving
trend towards the application, by default, of encryption to a range of online communications such
as emails and IM applications, which result in only the sender and the recipient being able to
read the messages (McCarthy, 2016). Governments’ request for a means to listen to some private
communications of U.S. residents is not new (Schulze, 2017). Schulze (2017) stated the looming
digital age of the 1990s got the National Security Agency (NSA) worried. In 1992 the American
ENCRYPTION BACKDOORS AND PRIVACY 15
Telephone and Telegraph Company (AT&T) began the development of consumer phones which
could encrypt voice communication between parties (Schulze, 2017). These consumer phones
with the capability to encrypt voice communications made the NSA recognize that encrypted
digital communication could replace ordinarily interceptable audio calls (Schulze, 2017). This
new development in cell phone technology led the NSA in a rush to develop the Clipper
technology, which was a key-escrow enabling law enforcement access to otherwise secure
technology (Schulze, 2017). This development later termed the Clipper chip, according to
Schulze, theoretically allowed user-friendly encryption based on a hardware chip called the
Clipper chip. This chip would be attached to devices, cell phones, and computers and would
allow a copy of the encryption keys to be stored in government databases, thus giving the
government unrestricted access to otherwise secure technology (Schulze, 2017). The FBI and
NSA could then easily eavesdrop on any Clipper-based cell phone with a warrant (Schulze,
2017). This proposed technology did not win the heart of the public; there was a strong public
reaction from a broad spectrum of society (Rid, 2016). Most computer experts and social
movements of digital natives opposed it (Rid, 2016). In early 1994, the Clipper program
officially started, yet it never saw any widespread adoption. Law enforcement and national
security agencies today claim they are losing surveillance capabilities they previously had; they
are therefore strongly opposed to strong encryption in electronic communication (Swire &
Ahmad, 2012).
Questions coming to mind which are analogous to the difficult trade-offs posed by many
debaters over domestic counterterrorism measures since 9/11 include: should companies be
compelled to weaken their products so the government can have a way to read users’ messages?
Does the Fourth Amendment’s balance require law enforcement to retain the ability to access
ENCRYPTION BACKDOORS AND PRIVACY 16
data covered by a search warrant? Does law enforcement need such a mandate to investigate
crime effectively? The government needs to investigate and prosecute serious crimes and protect
the country against organized crime, terrorists, and child pornographers. However, the liberty,
privacy, and cybersecurity of American citizens and companies are at risk (Klein, 2016).
According to Klein (2016), what has arguably made the present encryption debate
different from previous brawls over national security and civil rights is the degree and
significance to which the international consequences have been echoed and contested. Opponents
have contended if the U.S. government imposes a decryption mandate, dictatorial regimes in
other parts of the world will follow suit; they will use it as a means to oppress their citizens and
increase their grip on power (Klein, 2016). According to Klein, opponents have also argued the
government’s efforts to undermine anonymization and encryption goes against the U.S.
government’s own internet freedom agenda. This encryption debate on whether to have a
backdoor or not illustrates well the tension between the U.S. government’s internal law-
enforcement, counterterrorism needs, and its global values of democracy, freedom of expression
and communication (Klein, 2016). In authoritarian regimes with a weak commitment to the rule
of law, journalists, activists, and dissidents have a real need for such encrypted technologies
which hide their communication and online activities from prying eyes (Klein, 2016). According
to Klein, authoritarian regimes with technological sophistication like Russia and China have built
their surveillance systems to monitor opposition groups, dissidents and some members of
disfavored minorities. Against this backdrop of the use of surveillance and hacking tools as an
instrument of repression in some countries, the U.S. government has integrated internet freedom
as part of its broader human rights agenda (Klein, 2016). Through the State Department’s Bureau
of Democracy, Human Rights and Labor (DRL), the U.S. government now annually funds the
ENCRYPTION BACKDOORS AND PRIVACY 17
development of secure communication technologies for use by dissidents overseas (Klein, 2016).
The most famous contribution of the U.S. government in this space is the development of Tor, a
free and widely used software allowing its users to browse the internet anonymously and create
invisible Uniform Resource Locators (URLs) (Klein, 2016). Klein also stated a less well-known
fact is the U.S. government contributed several millions of dollars to develop the encryption
protocol used today by Signal and WhatsApp messaging services. In the wake of the debate over
the democratic values of the U.S. and whether to impose a decryption mandate, a new bipartisan
bill has been introduced to the U.S. Congress preventing any agency or court order from forcing
any company to build backdoors into its products (Ruiz, 2018).
The Electronic Frontier Foundation (EFF), a leading nonprofit organization defending
civil liberties in the digital world, reported in its May 10, 2018, online publication a new bill
introduced in the U.S. Congress called the Secure Data Act. See APPENDIX A (Ruiz, 2018).
This bill prevents any government agency or court order from forcing any company to build
backdoors into encrypted devices or communications (Ruiz, 2018). According to the EFF, this
bill will protect companies such as Apple and Google who make encrypted smartphones, tablets,
desktops and laptop computers, as well as developers of favorite E2EE IM applications such as
Signal and WhatsApp, from being forced to alter their products in a manner likely to weaken
encryption (Ruiz, 2018).
Definitions
The following terms were used throughout this study; therefore, these are defined for this
research study.
Backdoor. An intentionally engineered gateway into the encryption system to provide an
alternative means of accessing the encrypted content (McCarthy, 2016).
ENCRYPTION BACKDOORS AND PRIVACY 18
Encryption. This is the process of converting information in plain text into an
unintelligible form so it cannot be read without a secret decryption key (McCarthy, 2016). The
plain text once encrypted is called a cipher. Encryption technology generally consists of three
mathematical algorithms: one to generate the secret key, one to encrypt the plaintext information,
and one to decrypt the cipher
E2EE. In recent years, a trend has evolved towards the application, by default, of
encryption to a range of electronic communications, such as emails and online chat services, with
the effect of only the sender and recipient being able to read the message (McCarthy, 2016). This
is end-to-end encryption.
Instant Messaging (IM). It is a social media tool frequently used nowadays. It allows
people to communicate with friends using texts, phone calls, videos, shared files, individually or
in groups, and to maintain contact with them even internationally, in real time communications
(Sutikno et al., 2016).
Non-technology professionals. These are working professionals who do not have a
technology background nor are working in the field of technology (Beckmeyer, 2017). These are
everyday blue- and white-collar professionals who are not technology-savvy (Beckmeyer, 2017).
Privacy. Privacy includes the right of the individual to have one’s personal information
protected from the undue prying eyes of government without the consent of the individual, save
in exceptional circumstances dictated by the law. (Pavone & Esposti, 2010)
Security. It refers to the right and duty of national governments to ensure citizens’ safety
(Pavone & Esposti, 2010).
Surveillance. It includes “a non-disruptive and surreptitious data collection and
categorization process, centrally organized and monitored by private or public actors to control
ENCRYPTION BACKDOORS AND PRIVACY 19
individuals and influence their behavior” (Casemajor, Couture, Delfin, Goerzen, & Delfanti,
2015).
WhatsApp. It is a popular mobile instant messaging (MIM) application which allows
users to send text messages easily, videos, links, photos and make voice calls (Rashidi, Vaniea,
& Camp, 2016). It is also used to maintain online communities through the use of groups and
multi-party chat features
Assumptions
The assumptions outlined in this qualitative descriptive research study depict elements
which may be out of the control of the researcher but are, however, very important to the validity
of the research. This research study assumed non-technology professionals in the U.S. do not
understand the impact of encryption backdoors demanded by law enforcement. The limited
understanding of the effects of encryption is partly because non-technology professional users of
the internet lack knowledge on the proper use of encryption (Sagers et al., 2015). The research
study also assumed there is a lack of awareness of the benefits of encrypted communication
about privacy for non-technology professionals living in the U.S. This research study, therefore,
theorized that the survey participants would have their own unique and educated insights into the
national security versus privacy debate on encryption, where they might place more emphasis on
the aspects of privacy rather than national security.
The study further assumed the sample population would comprise non-technology
professionals who do not understand the concept of encryption. The poll conducted by the Pew
Research Foundation on the FBI v. Apple case in 2016 validated this assumption (Elmer-Dewitt,
2016). An initial survey showed 51% of the population sided with the FBI’s request for Apple to
comply, but as the case progressed and more debates ensued, the population became a little more
ENCRYPTION BACKDOORS AND PRIVACY 20
educated on the fundamental issues of the debate, which was privacy (Elmer-Dewitt, 2016).
Subsequent polls showed the population siding with Apple (Elmer-Dewitt, 2016).
Scope, Limitations, and Delimitations
The scope of this research study pertained to the boundaries within which this research
was performed, with guidance on how the research problem would be solved. The research study
was limited to a sample of non-technology professionals who used WhatsApp and did not know
much or anything about encrypted communications and the U.S. government’s insistence for a
cryptographic backdoor. The population was U.S. residents. The research study did not delve
into some of the weaknesses inherent with E2EE communications, as was uncovered recently in
WhatsApp and Signal by the FBI in their prosecution of Paul Manafort, former manager of 2016
Trump election campaign (Mak, 2018)
The limitations of a research dissertation or study are viewed as potential weaknesses out
of the control of the researcher (Simon, 2011). The research study was to obtain the opinions and
views of non-technology professionals about the U.S. government’s infringement on privacy by
requesting for encryption backdoors either by legislation through Congress, or by petitioning the
Foreign Intelligence Surveillance Court (FISC) to compel technology companies to comply.
Based on this objective, the researcher understood the limitations on the varying depths of
knowledge around privacy laws by the participants of the survey, such as the U.S. Citizen’s
Privacy Rights. This research study was also limited to the survey participant’s level of
knowledge in the field of information technology. The participant’s level of education may have
also limited the researcher's intention to create an awareness of the benefits of encryption.
Simon (2011) defined delimitations as those elements restricting a study’s scope and
serve to clarify its research boundaries were under the control of the researcher. For this research
ENCRYPTION BACKDOORS AND PRIVACY 21
study, the procedures used for handling and storing completed questionnaires and data ensured
maximum practical confidentiality for participants. The survey announcement and introduction
communicated the assurance of confidentiality. This research study was also limited to
WhatsApp instant messenger because E2EE is turned on by default unlike in Facebook
messenger where E2EE is optional.
Chapter Summary
Chapter 1 delivered a synopsis of this research study regarding privacy concerns of
introducing mandatory backdoors into end-to-end encrypted systems. The chapter introduced the
discussion on the security and privacy conflict between the end users of E2EE applications and
government’s need to access messages to thwart potential terror attacks. It also examined law
enforcement’s push for legislation which would compel companies to create encryption
backdoors and issues such legislation would raise concerning the First Amendment. This chapter
also examined the emerging debate on privacy on the internet as a human right, following the
United Nations Human Rights Council resolutions of March 2015, where it was resolved privacy
is a gateway right affecting an individual’s ability to exercise almost every other right. Chapter 1
also reviewed the type of research which was carried out for this research study, methodology
and research questions. A survey instrument was used in collecting relevant data to address the
identified research gap which was, non-technology professionals’ limited understanding of the
consequences of allowing governments to create a backdoor into encryption technologies. The
snowball sampling methodology was reviewed as the sampling method of choice, given the
expectations of the research study.
In Chapter 2, this research study will explore the current and historical literature of
predominant encryption and its rapid emergence on mobile platforms. Chapter 2 will also
ENCRYPTION BACKDOORS AND PRIVACY 22
investigate concepts presented in Chapter 1 and examine the design and implementation details
of a secure chatting application with E2EE for Android operating system (OS) smartphones.
Chapter 2 will further provide a germinal conversation on how advancements in mobile phone
technologies have also brought about ubiquity in IM services, amongst which the most popular
are WhatsApp, Viber, and Telegram messengers.
ENCRYPTION BACKDOORS AND PRIVACY 23
CHAPTER 2: LITERATURE REVIEW
This literature review on the topic end-to-end encryption (E2EE), backdoors, and
consumer privacy utilized the thematic literature review approach. According to Creswell
(2015), in a thematic review of literature, the researcher identifies a theme, and briefly discusses
theoretical concepts and topics important to the understanding of the main topic, citing literature
to document the chosen theme. According to Alhojailan (2012) thematic analysis allows the
researcher to determine precisely the relationship between concepts and compare them with data
between ideas. The thematic review approach was chosen for this study because it involves the
identification of prominent or recurrent themes, which were summarized under each thematic
heading. This approach helped the researcher to identify overreaching thematic categories in
encryption and privacy leading to a greater understanding of each topic. Thematic analysis was
the most appropriate approach because its identification of themes confers greater accuracy and
enhances the researcher’s whole meaning (Alhojailan, 2012).
This review was guided in scope by the research question: do non-technology
professionals understand the impact of creating backdoors into end-to-end encrypted
technologies? This question was posited because everyday users of the internet lack awareness of
the benefits of encrypted communication to user privacy (Sagers, Hosack, & Rowley, 2015;
Vaziripour et al., 2018). There were two reasons why the topic E2EE, backdoors, and privacy
was selected as the focus of this dissertation. First, there is increasing pressure from governments
to technology companies, to be able to access encrypted data through a cryptographic backdoor
(Castro & McQuinn, 2016). Governments are contending modern encryption such as E2EE,
removes opportunities for government surveillance and the capacity to keep the nation secure by
intercepting terrorist communications. Governments would like a backdoor into the encryption
ENCRYPTION BACKDOORS AND PRIVACY 24
technologies for them to use in accessing messages; they have stressed they would only use the
backdoor if there was a credible threat to national security (Brantly, 2017). Second, non-
technology professionals do not understand the impact of creating backdoors into encryption
technologies (Sagers et al., 2015; Wei et al., 2016). According to Sagers et al. non-technology
professionals in addition to not understanding the benefits of encryption, do not also know
applications using modern encryption techniques such as E2EE and also how to use them. The
results of this research will benefit a society mostly unaware of the right to privacy on the
internet as a human right.
This research should be of interest to technology as well as non-technology professionals
as it strives to educate everyday users without much in-depth knowledge of computers, to
understand the importance of encryption in their daily lives. This study will help create an
awareness of the benefits of encryption to the non-technology user of the internet, and the
challenges backdoors pose to encryption. The rationale for limiting the research question to non-
technology professionals was because of the dramatic shift in public opinion shown in a previous
study by Elmer-Dewitt (2016). In the FBI v. Apple case of 2016, the FBI wanted Apple to
rewrite its operating system software (iOS), to disable encryption security features so the FBI
could access the data (Elmer-Dewitt, 2016). A Pew survey showed in December 2015, the public
sided with the FBI initially, with around 51% arguing Apple should help the FBI unlock the
phone, 38% supporting Apple, and 11% not knowing enough about the dispute to form an
opinion (Elmer-Dewitt, 2016). However, later polls in February 2016, with diverse
methodologies, showed the public sided with Apple (Elmer-Dewitt, 2016). This demonstrated
that by Apple making a strong public case in protecting the privacy of its users through the use of
encryption, it also educated its user-base on their role in preserving user-privacy (Elmer-Dewitt,
ENCRYPTION BACKDOORS AND PRIVACY 25
2016). Apple’s vigorous defense of its software shifted public opinion to its favor (Elmer-Dewitt,
2016). This literature review was, therefore, conducted on the foundation of raising public
awareness of the advantages of E2EE.
Overview
In this chapter, the researcher reviewed and analyzed the intensifying debate on the
proliferation of robust encryption technologies on mobile devices across the globe. Also, a
review was performed of law enforcements’ response to E2EE which included the request to
create a backdoor into encryption systems, allowing them special access to read communications
between people suspected of criminal activity. This research study also reviewed policies certain
governments were implementing to safeguard national security at the expense of individual
privacy and cybersecurity, strengthened by modern encryption technologies.
Modern encryption systems are quite structured and robust in such a manner that not even
the service providers who engineered them can break them to access the encrypted content
(McCarthy, 2016). The debate on the mixed blessings of strong encryption has become a
worldwide issue; a pitched battle between law enforcement and much of the technology industry
is brewing (Perry, 2016). The literature in this chapter showed no single country can claim a
monopoly on the knowledge to create strong encryption technologies because cryptography is a
worldwide academic discipline (Schneier et al., 2016). This can be confirmed by the quantity and
quality of research and conference papers emanating from countries other than the U.S.
(Schneier et al., 2016). This chapter also reviewed different encryption technologies used to
preserve the privacy and confidentiality of online communications and examples of modern-day
IM systems using E2EE such as Apple’s iMessage, WhatsApp, and Signal.
ENCRYPTION BACKDOORS AND PRIVACY 26
The Evolution of Encryption
The proliferation of new devices, applications, and modes of communication is affecting
the way we store and communicate personal data. Due to this digitization of our lives, devices on
the internet and our data have become targets for hackers and criminals. Most technology
companies are therefore adopting encryption for storage and communication merely as a
response to market demand by consumers for more security and privacy (McCarthy, 2016).
Security professionals and researchers all agree encryption guarantees integrity, safety, and
confidentiality of consumers whether when sending an email or communicating with a family
member on an IM chat (Rastogi & Hendler, 2017). According to Castro and McQuinn (2016),
there has been a stream of advancements in encryption in the last few decades, and many
companies have integrated these security improvements into their products to improve the
security of consumers and businesses. The Edward Snowden revelations in 2013, for example,
showed how widely our personal information and lives could be compromised by hackers and
security agencies having access to our emails, which may sometimes contain personal and family
pictures, medical information, books we read, or the politics we practice (McCarthy, 2016). Most
people expect a private email to remain private and would not appreciate anyone in between
reading it without their knowledge. Some government agencies have, however, pushed back
against these improvements in technology which usher in encryption, citing national security
concerns (Swire & Ahmad, 2012).
Encryption is the process by which data, words, or photographs are coded into an
unreadable format so anyone who acquires the data without knowledge of the algorithm and key
used to encode it, is unable to read it (Inserra, Rosenzweig, Stimson, Shedd, & Bucci, 2015).
Encryption is not new to the technology world. It has been used since ancient times (Inserra
ENCRYPTION BACKDOORS AND PRIVACY 27
et.al., 2015). Samuel Morse in 1840 developed a code assigning a set of dots and dashes to letters
of the alphabet (Inserra et.al., 2015). This series of dots and dashes were then transmitted over
phone lines so anyone intercepting them might not understand the message if they do not know
how Morse code works (Inserra et.al., 2015). This was done due to the numerous intervening
parties between the sender and the receiver of the message over a phone line. The advancements
in computer science have also led to rapid progress in the development of more complex
encryption algorithms, effectively surpassing decryption techniques used to break encryption
(Inserra et.al., 2015). A modern cryptosystem is generally composed of three mathematical
algorithms: one to generate the encryption keys, one to encrypt the message, and one to decrypt
the encryption message (McCarthy, 2016). The length of the algorithm, measured in bit-lengths,
determines the strength of the encryption (McCarthy, 2016). McCarthy uses the analogy of a
combination lock in explaining the strength of the algorithm; the longer the combination, the
more difficult it is to break.
Private and Public Key Encryption
Over the years since cryptosystems were developed, private key encryption, also known
as symmetric encryption, was the most widely used encryption method until the 1970s when a
new and more secure encryption method known as public key encryption or asymmetric
encryption was developed (Sayler, 2016). In private key encryption, both communicating parties
use the same key to encrypt and decrypt every message (Sayler, 2016). The crucial part of
private key encryption is to generate and transmit the encryption key securely from one party to
the other. This key, as its name suggests, has to be kept a secret between the communicating
parties (Sayler, 2016). If intercepted, the key could be used by a third party to decrypt messages
(Sayler, 2016). According to Sayler (2016), the security of symmetric encryption cipher is
ENCRYPTION BACKDOORS AND PRIVACY 28
proportional to the length of the key; the longer the key, the more secure the data encrypted with
it. Symmetric cryptography algorithms are quite useful in situations where a single user will both
encrypt and decrypt a piece of data such as the case with data stored on our smartphones. An
Android phone running Android 6.0 (or later) or an iPhone running iOS 8 (or later) by default
will encrypt all data stored on it (Cipriani, 2016). The PIN codes (of numbers, letters, or a
combination of the two) and fingerprints are used to unlock an encrypted device (Cipriani, 2016).
Symmetric cryptography has practical limitations where multiple parties wish to communicate or
exchange data securely (Sayler, 2016). In multiple party communications such as group
messages in IM applications using symmetric cryptography, the parties must find a means to
communicate their private key and authentication keys out-of-band securely (Sayler, 2016). In
the absence of other cryptographic methods such as Diffie-Helman key exchange protocol, the
only alternative method to securely communicate keys while avoiding interception is to meet in
person and exchange the keys manually (Sayler, 2016). This is not only a cumbersome task to
accomplish, but it is impractical for all but the simplest situations, especially given the current
cyber landscape where parties could be continents apart (Sayler, 2016). These challenges with
symmetric cryptographic systems led researchers to find alternative methods for secure data
exchange such as public key encryption (Sayler, 2016).
In public key encryption on the other hand, instead of both parties sharing a common
secret key, each party has a public key, which is shared with every other party who wishes to
send each party a message (Sayler, 2016). However, in addition to the public key which is used
to encrypt messages, each party holds a private key it shares with no other party, and this private
key is used to decrypt all messages sent to the receiving party (Sayler, 2016). If the cryptosystem
is designed correctly, it is computationally infeasible to calculate one of the keys from the other.
ENCRYPTION BACKDOORS AND PRIVACY 29
This mathematical certainty gives each party the confidence to publish one of the keys to the
public while keeping the corresponding key private (Sayler, 2016). Asymmetric cryptography
works on the principles of a trapdoor function (Sayler, 2016). A trapdoor function is a
mathematical function which is easy to compute in one direction, yet infeasible to calculate in
the reverse direction without particular information (e.g., the key) (Sayler, 2016). Even though
Diffie and Hellman had proposed a theoretical implementation of a public key cryptography
system, the first practical public key cryptography system came a few years later with the
publication of the RSA (Rivest, Shamir, & Adleman, 1978). Even though asymmetric
cryptography is generally preferred nowadays and considered more secure, symmetric
algorithms are more performant (and for a given key length, more secure) (Sayler, 2016). Thus,
asymmetric cryptography schemes such as RSA and Diffie-Hellman can be used to bootstrap
secure communications across an insecure channel by allowing two parties to derive or exchange
a mutual secret to be used to facilitate further secure communication using symmetric key
encryption and authentication algorithm, making such split-type cryptography systems desirable
(Sayler, 2016).
Governments’ and Law Enforcement’s Encroachment on Encryption Technology
According to a report published by the “U.S. Department of Homeland Security” (2015),
the U.S. Senate held a hearing on whether recent technological changes have upset the balance
between public safety and privacy. Law enforcement officials are becoming increasingly
concerned that even after obtaining a warrant from a judge to search for evidence of a crime,
they lack the technical means to do so (“U.S. Department of Homeland Security,” 2015). This is
due to companies increasingly choosing to encrypt devices in such a way the companies
themselves are unable to unlock them, even when presented with a valid search warrant (“U.S.
ENCRYPTION BACKDOORS AND PRIVACY 30
Department of Homeland Security,” 2015). First, law enforcement agencies are reporting a
decreasing ability to intercept real-time communications such as phone calls, text, email, and
other types of data-in-transit (“U.S. Department of Homeland Security,” 2015). Second, they
relate a similar concern about their inability to execute search warrants on encrypted phones,
laptops and other devices which contain data-at-rest (“U.S. Department of Homeland Security,”
2015). Given this technological evolution, there is a potential impact on the fair and impartial
application of the laws to everyone, as certain people are effectively placed outside the law
(“U.S. Department of Homeland Security,” 2015). The “U.S. Department of Homeland Security”
report concluded mandated technological weaknesses in encryption as proposed by some law
enforcement agencies as a means of solving the problem of having exclusive access to these
encrypted devices, are both futile and counterproductive. The report concluded Congress was
open to reviewing ways to provide law enforcement with judicially-sanctioned access to these
platforms without compromising overall security (“U.S. Department of Homeland Security,”
2015).
According to Castro and McQuinn (2016), the government’s efforts to limit the use of
public encryption technology has seen various levels of success. One example is the NSAs
efforts to manipulate specific cryptographic standards by sometimes introducing encryption
backdoors and not making it known to the public, or finding security vulnerabilities in
commercial systems and not announcing it, but instead, allowing the government to exploit those
weaknesses (Castro & McQuinn, 2016). These secretive actions by the government have not
only weakened data security for U.S. firms but have also sowed seeds of distrust around the
world, thus damaging U.S. information technology competitiveness (Castro & McQuinn, 2016).
According to McCarthy (2018), the International Standards Organization (ISO) rejected two
ENCRYPTION BACKDOORS AND PRIVACY 31
symmetric encryption algorithms, SIMON and SPECK, submitted by the NSA amid concerns
they contained NSA-designed backdoors which would allow U.S. spies to break the encryption.
The ISO had for long been debating on which cryptographic algorithms to include as standards
for the Internet of Things (IoT) devices (McCarthy, 2018). The NSA submitted SIMON and
SPECK block ciphers to the ISO as optimized algorithms best fit for small and low-cost
processor devices such as IoT devices, they were both rejected by the ISO (Schneier, 2018).
According to Schneier, the NSA officials refused to provide the required level of technical
documentation for such a submission to proceed. The U.S. government had restricted the export
of strong encryption (with keys above 40 bits) in the 1990s for the same reason they are being
suspected today of including cryptographic backdoors; they encouraged weak encryption so they
could intercept and spy on all communications (Swire & Ahmad, 2012).
According to Swire and Ahmad (2012), after the U.S. government shifted position in
1999 to allow the export of strong encryption, encryption laws and policies largely faded away.
However, encryption has once again become a major policy debate due in part to laws in some
individual countries such as India and China (Swire & Ahmad, 2012). Specific regulations in
these countries regarding encryption technologies on trade, secure communications, and national
security will have enormous implications for the nature of the global internet and
telecommunications infrastructure (Swire & Ahmad, 2012). The 2008 terrorist attacks in
Mumbai changed India’s approach and policy to encryption technology (Swire & Ahmad, 2012).
The licensing regime of the department of telecommunications in India, developed in the 1990s
prohibits the deployment of E2EE for wired and wireless international and national service
providers as well as for internet service providers (Swire & Ahmad, 2012). It also restricts end
users from using encryption algorithms with greater than 40-bit key length (Swire & Ahmad,
ENCRYPTION BACKDOORS AND PRIVACY 32
2012). These rules were started to be enforced widely only after the Mumbai terrorist attacks
(Swire & Ahmad, 2012). According to Swire and Ahmad (2012), conflicts between India’s
security policy and international commercial practices have led to disputes with companies like
Google, Skype, Research in Motion, and others.
China’s approach to gaining traction on the encryption market and to becoming a great
technological leader has been a departure from international best practices which promote open,
peer-review encryption standards (Swire & Ahmad, 2012). Swire and Ahmad (2012) stated
China treats encryption as a national policy, subject to government direction and authority. In its
policy of indigenous innovation, China hopes to gain expertise in the areas of cybersecurity and
encryption (Swire & Ahmad, 2012). China regulates the sale, import, and development of
commercial encryption (Swire & Ahmad, 2012). China has outlawed the sale, and use of foreign
encryption on its territory (Swire & Ahmad, 2012; Castro & McQuinn 2016). Research shows
restrictions on the distribution, sale, and use of strong encryption by some foreign governments
do not prevent or reduce the availability of strong encryption around the world.
Schneier, Seidel, and Vijayakumar (2016) examined all the possible encryption solutions
available worldwide in today’s market. While most of the products available today are developed
and sold by for-profit organizations, some are created as free, open-source products available for
free download and use (Schneier et al., 2016). According to Schneier et al., a group of
researchers from George Washington University in 1999 first attempted to survey the worldwide
market for encryption products. The impetus of the research at the time was the embargo on U.S.
companies to export strong encryption (above 40-bit keys) (Schneier et al., 2016). The
researchers collected information on 805 hardware and software encryption products from over
35 countries (Schneier et al., 2016). Their research showed the prevention by the U.S.
ENCRYPTION BACKDOORS AND PRIVACY 33
government from exporting strong encryption products was to the detriment of American
companies only, as this embargo did not prevent or reduce the availability of strong encryption
around the world (Schneier et al., 2016).
Schneier et al. (2016) in their follow-up study 17 years later, identified 865 hardware or
software products incorporating encryption, from 55 countries. Some 546 of these products,
which represented two-thirds of the total, were from outside the U.S. (Schneier et al., 2016). The
U.S. thus, produces the most and widely used encryption products (Schneier et al., 2016).
According to Schneier et al., any U.S. laws mandating backdoors into encryption systems will
primarily affect U.S. users of the product or people who are unconcerned about government
surveillance, or at least indifferent about making a switch to an alternative non-U.S. product not
having a backdoor. The literature review conducted for this research study found out the most
common non-U.S. country for encryption products was Germany, followed by the United
Kingdom, Canada, France, and Sweden respectively. With regards to backdoors, both Germany
and the Netherlands have publicly disavowed them in all their encryption products. The U.K. and
France seem very interested in mandating backdoors (Schneier et al., 2016).
According to Klein (2016), efforts at reconciling the U.S. government’s interest in
accessing the contents of some encrypted data with its historical position of supporting dissident
movements and individual freedoms in some authoritarian regimes around the world puts the
U.S. at the crossroads of enforcing domestic laws of the United States. This request for a
backdoor also puts the U.S. at the crossroads of playing interest-driven politics which may
sometimes include espionage, waging an intense and unrelenting campaign against terrorism,
and at the same time promoting civil liberties and democratic movements in illiberal countries
(Klein, 2016). According to Klein, the case of San Bernardino shooter Syed Farook is the most
ENCRYPTION BACKDOORS AND PRIVACY 34
prominent example of law enforcement challenges with encryption technologies. Law
enforcement agencies in the U.S. and around the world are continually accumulating piles of
smartphones containing evidence of serious crime, but neither the device manufacturer nor law
enforcement can open them even with a judicial order (“U.S. Department of Homeland
Security,” 2015). According to the FBI Director, Christopher Wray, in 11 months, the FBI could
not gain access to over 7,000 phones because of encryption (Locklear, 2017). Device encryption
and E2EE which protect messages at rest and messages in transit, respectively, raise the stakes
for access to these devices by law enforcement (“U.S. Department of Homeland Security,”
2015). Law enforcement can only read end-to-end encrypted messages on the end device, and it
would mean placing itself as the user of the device. If the user is still actively using the phone,
the government can get a warrant to place spyware on the phone such as a keylogger to spy on
the passcode to use in eventually opening the phone or by seizing the phone from the user when
it is unlocked. However, in the San Bernardino case, the user was dead, making the phone
effectively a brick. As law enforcement and governments push to have more authority to read
encrypted messages, technology companies are equally reacting by adding encryption to their
suite of communication applications (Shah, 2016).
Shah (2016) looked at the ramifications of the Edward Snowden leak on U.S. tech
companies. Privacy concerns which emerged as a result of the Snowden leak have had ripple
effects beyond the national security context, as private companies, NGOs, and foreign
governments are now implementing new laws and policies meant to shield them from the NSA
(Shah, 2016). Foreign companies which were clients of giant U.S. tech companies such as
Google and Microsoft have threatened to switch to local internet providers in light of the
suspicious relationship between U.S. tech companies and the U.S. government (Shah, 2016).
ENCRYPTION BACKDOORS AND PRIVACY 35
Considering certain companies are opting for full E2EE on client data, the government is left
with several options allowing law enforcement have full access to such data in light of suspected
criminal or terrorist actions (Shah, 2016). According to Shah, options available to the
government are: compelled decryption, or passing legislation requiring companies to retain
decryption ability to be responsive to law enforcement requests.
Shah (2016) stated advances in cloud storage services and encryption would soon render
the current legal framework of the U.S. government outdated. Preserving the balance between
security and privacy would require updating the warrant regime to better align the incentives of
governments, technology companies, and individual consumers. For example, in December
2013, federal prosecutors obtained a warrant for an email linked to a Microsoft account (Shah,
2016). Microsoft challenged the warrant arguing it could not be applied extraterritorially because
the server hosting the email was located in Ireland, which is out of U.S. territory (Shah, 2016).
Microsoft pointed to the Federal Rules of Criminal Procedure and also made a case for the
statutory presumption against extraterritoriality (Shah, 2016). It contended in order to obtain the
content of the email account, the U.S. government had to go through the bilateral process
established by the Mutual Legal Assistance Treaty (MLAT) between the U.S. and Ireland, an
extraordinarily slow and challenging process (Shah, 2016). According to Shah, regardless of the
outcome, the case highlights the limitations of the current legal framework of the U.S., with a
quickly evolving technology world of cloud computing. Given the need to revisit the current
U.S. legal framework about advances in technology, Barr (2016) examined how current
proposals for encryption backdoors implicate compelled speech issues in a way past attempts to
regulate encryption did not. Barr also analyzed the arguments for and against protecting source
code, he argued source code might only be compelled in the presence of clear and present
ENCRYPTION BACKDOORS AND PRIVACY 36
danger. While law enforcement and governments have been wrangling over policies and
technologies enabling them to intercept and read messages from terrorists and other organized
crime groups, on the one hand, security researchers have, on the other hand, been examining
different implementations of E2EE in the most popular IM applications (Abelson et al., 2015).
Encryption Backdoors
Law enforcement agencies such as the FBI are getting increasingly concerned about their
inability to access private communications and smartphone data (Castro & McQuinn, 2016). The
FBI director Christopher Wray earlier in 2018 declared the situation intolerable (Levy, 2018).
Director Wray said the FBI was locked out of 7,775 devices in 2017 (Levy, 2018). Government
officials such as the U.S. Deputy Attorney-General Rod Rosenstein have expressed the need for
responsible encryption such as backdoors allowing access only with judicial authorization (Levy,
2018). Security experts have contended the global nature of internet services makes compliance
with backdoor requests hard to define and enforce (Abelson et al., 2015).
In an article published by WIRED magazine in April 2018, former Microsoft Chief
Software Architect and creator of Lotus Notes, Ray Ozzie, made a proposal at Columbia
University on how to solve the impasse over secure backdoors between technology companies
and law enforcement agencies (Levy, 2018). In his idea named CLEAR, Ozzie stated his scheme
would give law enforcement agencies access to encrypted data without significantly elevating the
risks for billions of people who use encrypted devices such as mobile phones (Levy, 2018).
Ozzie added the scheme works by technology companies such as Google or Apple generating
two complementary keys: one called the vendor’s public key, stored in every Android phone or
tablet, and the other is called the vendor’s private key (Levy, 2018). The private key is stored
with Google and protected with the same tamper-proof care Google uses to certify its operating
ENCRYPTION BACKDOORS AND PRIVACY 37
system updates (Levy, 2018). A combination of the private and public key pair can be used to
encrypt and decrypt a secret PIN which each user’s device automatically generates upon
activation. It should be noted Ozzie’s scheme attempts to solve the impasse with stored data
(data at rest) and not the interception of real-time communications (data in transit) (Levy, 2018).
According to Abelson et al. (2015), if law enforcement wants to assure itself access to real-time
communications with backdoors, then intruders will also have an easier time getting access to
real-time data.
Renowned cryptographers such as Bruce Schneier were quick to criticize Ozzie’s idea as
barely a proposal and not ground-breaking (Schneier, 2018). According to Schneier, this idea is
no different from the key escrow scheme the government had proposed in the early 1990s.
Schneier contented Ozzie’s idea also suffers from the same shortcomings as the government-
proposed key escrow scheme, namely: (a) the security from hackers of the database for storing
private keys cannot be guaranteed; (b) the scheme requires technology companies to build a co-
processor no one knows how to build yet; and (c) the scheme does not solve any of the policy
problems around the whole system (Schneier, 2018). Ozzie’s proposal requires when a device is
unlocked with CLEAR, a special chip inside the phone blows itself up, effectively freezing the
contents of the phone. This prevents tampering with the contents of the phone (Levy, 2018).
Cryptographers have generally agreed building a backdoor is easy; the tricky part is how to
secure it (Abelson et al., 2015). According to Abelson et al. (2015) law enforcements’ push for
backdoors could potentially cause more damage to the security of the internet today than it
would have done 20 years ago. The storage vault proposed by Ozzie would certainly become the
target of organized criminals and well-funded foreign intelligence agencies (Schneier, 2018).
ENCRYPTION BACKDOORS AND PRIVACY 38
Centralized key repositories, as was proposed by the U.S. government for the Clipper chip, are
basically a magnet for all sorts of attackers (Schneier, 2018).
Exceptional access, also known as a backdoor, would force internet system developers to
reverse some of the great privacy features of strong encryption such as Forward Secrecy, a
design practice seeking to reduce the impact on user privacy when systems are breached
(Abelson et al., 2015). There are also unsolved challenges of guaranteeing access to multiple law
enforcement agencies in multiple countries around the world (Abelson et al., 2015). This is likely
to be an enormously complex, expensive, and unattractive foreign affairs offer (Abelson et al.,
2015). Opponents to backdoors, according to Klein (2016), have referenced the Vodaphone
Greece backdoor incident as an example of the huge risks involved in creating them. According
to Klein (2016), an unknown intruder hacked into Greece’s lawful-wiretap (backdoor) and spied
on phone calls of the president, prime minister, and other Greek politicians before the breach was
discovered. Abelson et al. (2015) stated the spying went on for ten months in 2004 and 2005.
Communications technologies specifically designed to comply with requirements from law
enforcement agencies for backdoors for legal access have turned out to be insecure (Abelson et
al., 2015). For example, in 2010 a researcher from IBM noticed a Cisco architecture designed to
enable compliance for lawful interception in IP networks was found to be insecure and several
carriers in Europe had implemented this flawed architecture since it had been public for several
years, making a significant portion of their network vulnerable to attacks (Abelson et al., 2015).
E2EE implementation in Mobile Applications Today
Herzberg and Leibowitz (2016) examined the implementation of E2EE in popular IM
applications such as WhatsApp, Viber, Telegram, and Signal. IM applications, while used by
billions of people worldwide, have inherent challenges in providing usable encryption. Some of
ENCRYPTION BACKDOORS AND PRIVACY 39
these challenges include E2EE in group chats and multiple device support (portability) (Herzberg
& Leibowitz, 2016). According to Herzberg and Leibowitz, supporting E2EE in group chats on
multiple devices linked to the same account such as on a smartphone and desktop goes beyond
trivial. While WhatsApp and Viber, both proprietary, have implemented E2EE by default for all
conversations, Telegram, on the other hand, is an open-source cloud-based service and by
default, all Telegram messages are client-server encrypted (Herzberg & Leibowitz, 2016). Users
of Telegram, however, can create secret chats in which all messages are end-to-end encrypted
(Herzberg & Leibowitz, 2016). The implementation of E2EE in both WhatsApp and Viber is
based on Signal’s security protocol (Herzberg & Leibowitz, 2016). According to Rastogi and
Hendler (2017), Signal Protocol supports forward secrecy which prevents previously transmitted
messages from being decrypted and read if the communication channel is compromised. Forward
secrecy requires a fresh ephemeral key to be generated for every message issued (Rastogi &
Hendler, 2017). Signal Protocol uses the following key types (Rastogi & Hendler, 2017):
Identity key pair, a long-term Curve25519 key pair generated at install time for all
asymmetric cryptographic operations.
Signed pre Key, a medium-term Curve25519 key pair.
Pre Keys, also Curve25519 keys but for one-time use. These are used actually to encrypt
the message.
The goal of usable encryption is to provide every standard user with the ability to encrypt
messages over a secure channel (Herzberg & Leibowitz, 2016). All four applications examined
by Herzberg and Leibowitz (2016) used two modes of E2EE: opportunistic E2EE mode, which
requires almost no user interaction, and authenticated E2EE mode, which requires considerable
user interaction. Herzberg and Leibowitz in their research mentioned the classical definition of
ENCRYPTION BACKDOORS AND PRIVACY 40
E2EE as contained in security and cryptographic literature, E2EE is used only for encryption
offering a defense against a rogue Man-in-the-Middle (MitM) operator as provided in
authenticated mode only. This study by Herzberg and Leibowitz focused on the authenticated
E2EE mode. This mode alone represents the classical definition of E2EE, and it ensures
confidentiality even against a rogue operator (Herzberg & Leibowitz, 2016). This mode,
therefore, is required to protect against privacy breaches even from potent adversaries who may
coerce and manipulate the operator. This paper examined how the advancements in mobile
phone technologies have also brought about the ubiquity of IM services, amongst which the most
popular are WhatsApp, Viber and Telegram messengers (Herzberg & Leibowitz, 2016). These
messaging services allow users to communicate with friends and family through text, video,
phone calls, and shared files. Communications could also be in groups (Herzberg & Leibowitz,
2016).
Sutikno, Handayani, Stiawan, Riyadi, and Subroto (2016) compared WhatsApp, Viber,
and Telegram based on features such as ease of use, confidentiality and privacy through E2EE,
the total number of users on each platform, and how feature-rich each application is. Sutikno et
al. revealed, WhatsApp, which was acquired by Facebook Inc. in 2014, is the most popular
messaging application with over one billion users. WhatsApp provides services for text and
audio messaging, free voice calls and exchanges of photos and videos (Sutikno et al., 2016).
WhatsApp has become the top-of-mind brand name in the IM market because it has also enjoyed
a lot of word-of-mouth publicity (Sutikno et al., 2016). Sutikno et al. also stated WhatsApp is ads
free and has a web-based application which runs on the Chrome browser, and a desktop version
for Windows, too.
ENCRYPTION BACKDOORS AND PRIVACY 41
Viber, on the other hand, is the most feature-rich app of the three (Sutikno et al., 2016). It
has a high-quality video call feature and also provides voice services allowing users to dial any
mobile number, independent of whether the receiver has Viber installed or not (Sutikno et al.,
2016). Viber like WhatsApp also allows its users to send photos; users can use their fingers to
draw pictures they can send. Of the three IM services, Viber was the first to offer voice and
video calls. It also offers better voice quality with less noise through all bandwidths than the
other two apps (Sutikno et al., 2016).
Telegram, initialized in August 2013 by the Russian-born entrepreneur Pavel Durov is a
free and favored service like the other three and is based on open-source platform (Sutikno et al.,
2016). It also offers an ad-free environment with a clean and fast interface, Sutikno et al.
asserted. Telegram is the Russian version of WhatsApp (Sutikno et al., 2016). Telegram has
earned the status as the most popular social network in more than 40 countries; it is also the most
downloaded application in the Google Play Store (Sutikno et al., 2016). In conclusion, Sutikno et
al. (2016) asserted the three applications boast of strong E2EE. WhatsApp is favored for its
simple interface and ease of use, while Telegram is reputable for being the most secure. Viber,
on the other hand, is the most functional messenger of the three, and it owes this superiority to its
abundance of features and call options (Sutikno et al., 2016). WhatsApp and Viber use
authenticated mode of encryption as described by Herzberg and Leibowitz (2016).
Ali and Sagheer (2017) investigated the security and confidentiality of users’ information
on IM applications by building a secure chatting application with E2EE for Android OS
smartphones. Smartphones and tablets have become more than communication devices, they
have become an incorporated portion of our lives (Ali & Sagheer, 2017). It is, therefore,
important for security to be a key consideration in the design of all software put on the phones,
ENCRYPTION BACKDOORS AND PRIVACY 42
most especially, communication applications, as governments and malicious individuals are
always trying to hack servers and reveal personal information of their users (Ali & Sagheer,
2017). In their research, Ali and Sagheer outlined the problem they were investigating by saying
a large number of applications in the app markets claim they provide security, integrity, and
confidentiality to users’ information. However, hacked information proves many developers do
not give primary consideration to security when designing their applications (Ali & Sagheer,
2017).
In their implementation of E2EE protocol, Ali and Sagheer (2017) used Elliptical Curve
Diffie Hellman (ECDH) key agreement protocol for sharing the secret encryption key between
the communicating parties. To guarantee confidentiality, the authors used the symmetric key
algorithms, Advanced Encryption Standard (AES) and Rivest Cipher 4 (RC4), to encrypt all
messages between communicating parties (Ali & Sagheer, 2017). The authors used the RC4
stream cipher specifically for encrypting voice and image messages, and AES 128 block cipher
for text message encryptions (Ali & Sagheer, 2017). To test the usability of their research on
E2EE in real life, Ali and Sagheer tested the encryption and decryption algorithms on some
Android OS smartphones, with different processor speeds and Random Access Memory (RAM).
The results showed acceptable execution speeds for mobile phones, even for ones constrained in
resources such as processing power and memory (Ali & Sagheer, 2017). The authors also
observed and concluded the AES algorithm is a slower block cipher compared to others, but it
provides the highest security (Ali & Sagheer, 2017).
Contrary to the view of most security professionals contending backdoors are a bad idea
and may actually make the system vulnerable to unauthorized attackers (Hawkins, 2018), Ho,
Nistala, and Tu (2016) proposed an E2EE design for the favored messaging application Tinder,
ENCRYPTION BACKDOORS AND PRIVACY 43
with a secure backdoor to access and read messages if necessary. Tinder, founded in 2012, is a
rapidly growing dating startup bringing people together via a mutual opt-in system with over 10
million daily active users (Ho et al., 2016). Message security was largely lacking in Tinder, and
for a platform where people shared a lot of personal information including but not limited to
phone numbers and addresses, it was important to guarantee privacy with the addition of E2EE
(Ho et al., 2016).
Ho et al. (2016) noted prior to their design proposal for adding E2EE to Tinder, the
application used a fairly simple data-at-rest encryption scheme for its users’ messages. This
means data was only encrypted at the servers of Tinder, where users’ messages are stored (Ho et
al., 2016). All transmitted messages were therefore open to eavesdropping as they were all
transmitted in plain text (Ho et al., 2016). In their design of E2EE of a backdoor in Tinder, one
of the steps in their consideration was Tinder should always be able to decrypt messages even
after two users have been unmatched (Ho et al., 2016). Tinder claims this backdoor ability to be
able to decrypt messages was part of their business model of responding to users’ complaints as
requested by law enforcement (Ho et al., 2016). Ho et al., however, concluded a possible
weakness in their design was they could not prevent messages from being read by an active
adversary who previously had access to the messages.
Another study on E2EE authentication but specifically on critical weaknesses in the
security and usability of the code verification methods employed in remote end-to-end encrypted
applications was carried out by Shirvanian, Saxena, and George (2017). The study by Shirvanian
et al. showed most code verification methods offer poor security and low usability in the remote
setting. The study covered several remote/proximity code verification methods deployed by
popular E2EE applications including, WhatsApp, Viber, Telegram, Signal, and a host of others
ENCRYPTION BACKDOORS AND PRIVACY 44
(Shirvanian et al., 2017). The hypothesis for the study was to show remote code verification will
be highly error-prone for end users to implement due to the challenges associated with remote
setting outlines (Shirvanian et al., 2017). WhatsApp Viber, Telegram, and Signal have all
implemented E2EE to hide all communication from attackers as well as the service provider
itself. In the implementation of E2EE, a secret key only known to the communicating parties is
used to encrypt/authenticate all communication between the parties involved in the conversation
(Shirvanian et al., 2017). To share the private key, the end users run a key-exchange protocol
over the insecure public internet (Shirvanian et al., 2017). The result of this initial key exchange
is a master key which is used subsequently to generate session keys used for encrypting all the
messages including text, data, and voice (Shirvanian et al., 2017). The initial key exchange is run
over an unauthenticated and insecure channel which makes it susceptible to MitM attacks
(Shirvanian et al., 2017). To prevent potential MitM attacks against this key-exchange protocol,
E2EE applications compute a readable/exchangeable security code (Shirvanian et al., 2017). This
security code is used to provide end-to-end authentication (Shirvanian et al., 2017).
The results of this study by Shirvanian et al. (2017) showed the code verification methods
deployed in E2EE applications suffer from several issues with respect to security and usability,
arising from human errors in verifying the codes in the remote settings. While the
implementation of security in E2EE used in WhatsApp and other favored IM applications has
been reviewed and analyzed by security experts around the world, other studies have been
carried out specifically on the potential impact of E2EE on WhatsApp and how it affects national
security (Endeley, 2018).
Endeley (2018) presented the benefits of E2EE on consumer privacy and security, and
also outlined some of the challenges it poses to public safety and national security. According to
ENCRYPTION BACKDOORS AND PRIVACY 45
Endeley, WhatsApp has emerged as the most popular messaging service today, and it uses E2EE
in transmitting user data. According to Constine (2018), the CEO of the parent company of
WhatsApp, Facebook, announced in a meeting held in the fourth quarter of 2017 WhatsApp
messaging platform had 1.5 billion users and transmitted over 60 billion messages per day. With
so many subscribers worldwide, WhatsApp is the first application to implement E2EE to this
scale (Rastogi & Hendler, 2017). This feature has led to strong complaints from law enforcement
agencies arguing the addition of E2EE will deprive them of critical evidence (Castro &
McQuinn, 2016). Governments would want a backdoor to the encryption in such apps to access
messages but have emphasized the backdoor would only be used in circumstances where there is
a credible threat to national security (Brantly, 2017).
Security Fundamentals of WhatsApp
Prior to WhatsApp’s implementation of E2EE in 2016, the application had come under
intense pressure for multiple security lapses from security professionals (Rastogi & Hendler,
2017). According to Rastogi and Hendler (2017) WhatsApp’s negligence towards making its
platform secure made it an easy target for attackers. In 2011 for example, the application
verification process used for authenticating users was found to be insecure; experts were able to
perform session hijacking attacks on the application (Rastogi & Hendler 2017). Session
hijacking is a vulnerability in the application where experts can exploit valid user sessions by
successfully hijacking several user accounts and impersonating them (Rastogi & Hendler, 2017).
E2EE not only makes it theoretically impossible for an eavesdropper to access messages
in a conversation, but it also makes it theoretically impossible to access transmitted data even
after the traffic has been intercepted (Rastogi & Hendler 2017). According to a security
whitepaper by WhatsApp (2017), even if encryption keys on a user’s device are compromised,
ENCRYPTION BACKDOORS AND PRIVACY 46
the intruder cannot go back in time to decrypt previously transmitted messages; this feature in
WhatsApp’s implementation of E2EE is called Perfect Forward Secrecy or sometimes simply
called Forward Secrecy. WhatsApp E2EE was built using the Signal Protocol; this protocol was
chosen because it offers forward secrecy, plausible deniability, and repudiation (Rastogi &
Hendler 2017). Repudiation means a message receiver can be sure where a message came from.
However, repudiation cannot prove to anyone else the sender is the person who is the originator
of the message; the inability to prove the originator of the message in encryption is called
deniability (“Open Whisper Systems,” 2013). Repudiation is possible through the Signal
Protocol because each member in a participating WhatsApp conversation has a long-term key
which they use to sign an ephemeral key (Rastogi & Hendler, 2017). This ephemeral key is
exchanged among members to calculate the shared secret key using the Diffie-Hellman key
exchange protocol (Rastogi & Hendler 2017). This established shared key is what is used to
encrypt subsequent messages (Rastogi & Hendler 2017).
Message authenticity and integrity is guaranteed in WhatsApp conversations by each
participant generating three keys from the shared secrets obtained during the exchange of the
ephemeral keys (Rastogi & Hendler 2017). The first and second keys are a sending and receiving
cipher key, and the third is a set of Message Authentication Code (MAC) keys also called
ephemeral keys (Rastogi & Hendler, 2017). It is these MAC keys which confirm message
authenticity and integrity as they are transmitted with every message. Authenticity cannot be
denied because each receiver is capable of producing a sender’s MAC key (Rastogi & Hendler,
2017).
ENCRYPTION BACKDOORS AND PRIVACY 47
The Worldwide Impact of the Use of WhatsApp
Rashidi, Vaniea, and Camp (2016) carried out a study in Saudi Arabia on privacy
concerns using the WhatsApp application. According to Rashidi et al., the flood of Mobile
Instant Messaging (MIM) applications such as WhatsApp, Google Hangouts, Snapchat and
Facebook messenger on the application markets today have also come with the visibility and
unexpected exposure of personal information. While most applications provide settings to users
allowing them to limit the amount of information visible to intended and unintended audiences,
these controls do not always match the users’ expectations and needs (Rashidi et al., 2016).
Rashidi et al., in reviewing literature prior to their research, found out the definition and extent of
privacy concerns vary with different cultures. In their research in the Kingdom of Saudi Arabia
(KSA), Rashidi et al. explored the effectiveness of coarse-grained privacy settings in WhatsApp,
in managing the privacy of users in the KSA.
Rashidi et al. (2016) through an administered survey discovered WhatsApp users enjoyed
the simplicity of the application but would prefer the ability to limit the visibility of information
to specific people. Participants who responded to the survey were recruited using the snowball
sampling methodology through WhatsApp itself (Rashidi et al., 2016). Respondents were also
concerned about strangers being able to contact them through WhatsApp (Rashidi et al., 2016).
WhatsApp uses phone numbers as the unique identifier of its users. When a new user joins
WhatsApp, the user is prompted to provide their phone number, and the application also takes
the user through a verification process (Rashidi et al., 2016). Further, all the contacts in the
user’s cell phone contact list are automatically added to the user’s WhatsApp contacts if these
contacts already have a WhatsApp account (Rashidi et al., 2016).
ENCRYPTION BACKDOORS AND PRIVACY 48
WhatsApp Privacy Concerns on the Youth
According to Rashidi et al. (2016), users of MIM have three areas of concern for privacy
• privacy of people not on your contact list,
• privacy regarding availability, and
• privacy regarding the content of MIM communications.
WhatsApp displays profile information such as when a person last logged in, their current status,
profile picture (display photo), and current location (Rashidi et al., 2016). While some people
may be inclined to hide this for privacy concerns, Rashidi et al. argued sharing it also enables
improved coordination with other people. In the study carried out by Patil and Lai, office
workers found sharing status information during work hours was beneficial to work coordination
and also acceptable from a privacy perspective (as cited in Rashidi et al., 2016).
Privacy and security have been ongoing work for the WhatsApp team (Rashidi et al.,
2016). WhatsApp has been continuously altering the way privacy is managed on the application
(Rashidi et al., 2016). The Office of the Privacy Commissioner of Canada (OPC) in 2013
determined WhatsApp was breaching privacy laws (Rashidi et al., 2016). WhatsApp was
violating certain internationally accepted privacy principles, mainly in relation to the retention,
safeguard, and disclosure of personal data. WhatsApp has so far addressed a good number of the
privacy and security concerns since then by including encryption in 2016 and sharing of status
messages. (Rashidi et al., 2016)
In a separate study to examine the use of WhatsApp messenger amongst students in
tertiary institutions in Ghana, Yeboah and Ewur (2014) looked at the intensity of usage and how
WhatsApp affected their academic performance. The study’s objectives were to assess the
impact of the use of WhatsApp messenger on students as well as to also determine the
ENCRYPTION BACKDOORS AND PRIVACY 49
relationship between the use of the application and academic performance (Yeboah & Ewur,
2014).
Yeboah and Ewur (2014) reviewed the literature examining social media and the various
definitions of social media in public and academic use. Yeboah and Ewur argued social media
accounted for nearly one-quarter of all internet activity, with LinkedIn having over eighty
million users in over 200 countries. For this study, the researchers made use of primary and
secondary data (Yeboah & Ewur, 2014). Primary data was obtained using a questionnaire pilot-
tested for 30 students, 25 from Accra Polytechnic and five from Kumasi Polytechnic using
online, postal and telephone surveys (Yeboah & Ewur, 2014). A total of 550 representatives
from five tertiary institutions were surveyed. Students were asked why they most often used
WhatsApp on their mobile phones (Yeboah & Ewur, 2014). The respondents reported the
number of hours each of them spent on WhatsApp per day (Yeboah & Ewur, 2014). While only
4 % spent 1-2 hours, 17% spent 3-5 hours per day, 31% spent 6-7 hours and 48% spent more
than 8 hours per day (Yeboah & Ewur, 2014). The study showed an average student spends over
8 hours every day engaged in using WhatsApp on their mobile phone (Yeboah & Ewur, 2014).
Yeboah and Ewur (2014) concluded WhatsApp is a necessary evil for students of tertiary
institutions in Ghana. If negatively used, WhatsApp can seriously affect a student’s performance;
areas of such negative impact included reducing a student’s study time, procrastination of related
problems, destruction of students’ grammar and spelling abilities, amongst others.
In a similar study in India, Jisha and Jebakumar (2014) investigated the usage of
WhatsApp mobile application among youth, aged between 18 and 23 years in Chennai, India.
Jisha and Jebakumar sought to: (a) investigate the intensity of usage of WhatsApp amongst youth
in the Chennai region; (b) explore the various ways WhatsApp is used, and (c) find out the
ENCRYPTION BACKDOORS AND PRIVACY 50
frequency and interactivity of WhatsApp amongst its users. Jisha and Jebakumar went ahead to
review the literature on some of the previous studies on WhatsApp and the youth both locally in
India and internationally. The review included previously cited research conducted in Ghana on
the negative impact of WhatsApp on student performance (Jisha & Jebakumar, 2014). Other
studies reviewed were ones done in India, on Indian youth preference of WhatsApp and
Facebook over SMS (Jisha & Jebakumar, 2014).
Jisha and Jebakumar (2014) conducted this study using online questionnaires to assess
the demographics of youngsters, their smartphone details, a ranking of WhatsApp usage, among
other parameters. The sample size was limited to 100 college students in the Chennai region who
possessed smartphones and were users of WhatsApp (Jisha & Jebakumar, 2014). Results from
data collected indicated young people from Chennai use WhatsApp mainly for communication
and to update their social media status on a regular basis (Jisha & Jebakumar, 2014). The various
features available and the great speed in sending and receiving messages were added advantages
to the widespread use of WhatsApp amongst college students in Chennai (Jisha & Jebakumar,
2014). The paper concluded WhatsApp had created a sense of belonging, proximity, and
intimacy with friends and relatives (Jisha & Jebakumar, 2014). WhatsApp has become one of the
reasons for smartphone penetration in India and has developed the tagline of being simple,
personal, and real time (Jisha & Jebakumar, 2014).
Overview of Proposed Historical Solutions
According to Endeley (2018) and Lewis, Zheng, and Carter (2017), the risks to public
safety presented by encryption have not reached the level justifying restrictions or a design
mandate. The encryption issues law enforcement faces today may be frustrating, but they are
quite manageable (Lewis et al., 2017). In a survey of 100 security experts published by Hawkins
ENCRYPTION BACKDOORS AND PRIVACY 51
(2018) in the Washington Post, 72% said the inability of the FBI to access encrypted cell phones
during an investigation does not leave the country less safe. On the contrary security experts
agree Americans would be just as safe, if not more so, without a backdoor (Hawkins, 2018).
Removing E2EE in WhatsApp will not be a lasting solution because criminals would create their
own E2EE software allowing them to communicate securely while ordinary users will lose the
ability to send genuinely private messages on WhatsApp (Lewis et al., 2017).
Lewis et al. (2017) analyzed the debate on making strong, unrecoverable encryption, over
recoverable encryption available to the public. According to Lewis et al., encryption helps
protect data from cybercriminals and spies; national interest is, therefore, best served by the
increased use of encryption. Lewis et al. further stated no law enforcement or intelligence
community personnel they interviewed in their research disputed the need to encourage strong
encryption. At the same time, there is a growing risk to public safety as terrorists, child
pornographers and organized crime are all drawn to the use of unrecoverable encryption
platforms which are technically impossible to access by law enforcement (Lewis et al., 2017).
Lewis et al. (2017) further revealed even with the rapid growth of encryption, the share of
traffic of interest to law enforcement and unrecoverable due to E2EE is very small. Currently,
only 18% of global communication traffic is end-to-end encrypted. It is estimated this number
would rise to 22% by 2019. Lewis et al. also stated it is unclear how damaging increased
encryption use is for law enforcement, nor is it clear if increased encryption use leads to an
increase in crime. The researchers concluded publicly available data on major terrorist attacks
reveals terrorists’ distrust Western encryption. They rely more on burner phones and prearranged
codes to evade surveillance (Lewis et al., 2017).
ENCRYPTION BACKDOORS AND PRIVACY 52
According to Inserra et al. (2015), giving the FBI special access to a master encryption
key would undermine the security of technology systems; either cybersecurity is of paramount
importance or law enforcement gets exclusive access to catch the criminals and terrorists, thus,
compromising cybersecurity. Some scholars have, however, contended, Google, for example,
decrypts Gmail and Gchat for its business reasons, and there has been no reported security
incident as a result of this, nor has Google ever taken a position, saying the system is insecure
because of this feature (Inserra et al., 2015). Therefore, decryption by law enforcement may not
necessarily lead to poor online security (Inserra et al., 2015). Inserra et al. also proposed a
number of possible solutions which would make a backdoor feasible. Amongst the possible
solutions were the use of biometrics. Inserra et al. suggested encryption with biometric locks
might solve the inherent security problem of backdoors. However, with a biometric encryption
lock, decryption will also only be possible with the same biometric lock (Inserra et al., 2015).
Therefore, law enforcement would require direct interaction with the individual being
investigated or charged to decrypt his or her phone or listen in on their communications (Inserra
et al., 2015). The Director of the NSA had also proposed a possible solution which was to ensure
the decryption key is not held by a single agency but rather distributed amongst a number of
agencies (Inserra et al., 2015). In this disposition, no single individual or agency will be able to
decrypt messages single-handedly (Inserra et al., 2015). Opponents of this solution have argued
while breaking up keys might improve security and privacy, it may invariably introduce other
vulnerabilities and complexities to the encryption process itself (Inserra et al., 2015). For
example, how will communication across different countries work? Inserra et al. concluded,
therefore, Congress should not support special access for law enforcement, as it will weaken
cybersecurity and incent criminals and terrorists to switch from U.S. applications to foreign ones.
ENCRYPTION BACKDOORS AND PRIVACY 53
Brantly (2017) analyzed calls from liberal democracies around the world to ban
encryption or create backdoors into encrypted messaging applications due to terrorist groups’
increasing use of encryption to plan and coordinate terrorist attacks. Calls for backdoors into
favorite messaging applications using E2EE have become a ritual in the wake of terrorist attacks
in the West (Brantly, 2017). According to Brantley, following the terrorist attacks of March 2017
in London, and the bombing attacks in Manchester in May 2017, it was revealed the terrorists
used the favorite messaging application WhatsApp before the attacks. Following these
revelations, calls were made within the United Kingdom and the United States to make
WhatsApp no hiding place for terrorists.
Brantly (2017) argued there is no significant evidence suggesting any of the attacks
perpetrated against the U.S. would have been prevented had encryption been weakened.
According to Brantly, providing backdoors into favorite messaging applications or weakening
encryption would fail to stop terrorists because the marketplace for messaging applications is
diverse with over 180 different applications on different platforms with 31 of these applications
having general public licenses. This means the code for E2EE is available to terrorist groups,
hence, an easy adaptation of the source code by terrorist groups (Brantly, 2017). Brantly
concluded, even with encryption backdoors, there will still be terrorist attacks because not all
terrorists use encryption to communicate their plans.
Perry (2016) focused on the transformational leadership and idealized influence of Apple
Chief Executive Officer (CEO) Tim Cook on the debate on encryption and privacy. According to
Perry, Cook’s approach was to ensure the U.S. government does not go against the legal
framework by forcing companies to compromise the security of their products or invade the
privacy of their customers. Following the tragic incident of 2015 where two attackers killed 14
ENCRYPTION BACKDOORS AND PRIVACY 54
people in San Bernardino, California, a federal judge ordered Apple to help the FBI unlock the
attacker’s iPhone 5c (Perry, 2016). Tim Cook responded with a 1,100-word document, posted on
the Apple website (Perry, 2016). According to Perry, Cook pointed out granting access to
encrypted customer data would set a legal precedent to expand the powers of government. This
could also lead to other means of uncontrolled electronic surveillance such as location tracking,
accessing phone camera and microphone without the customer’s knowledge, and intercepting
customer data transmissions (Perry, 2016). Cook made a strong argument saying unfettered
access to customer data would undermine not just Apple security, but also global security, as the
legal precedent would be set and other companies would have to comply (Perry, 2016).
According to Sayler (2016), a possible solution to the privacy concerns raised by a court
order forcing a cell phone maker such as Apple to decrypt its iPhone for FBI access, is through a
secure data storage model called Secret Storage as a Service (SSaaS), as a means of securing
consumer data stored in the cloud. As users’ transition from storing data on local storage devices
to third-party cloud storage, they face some undesirable consequences, from increased risk of
data being compromised by hackers, to reduced legal protection from government surveillance
(Sayler, 2016). The model proposed by Sayler relies on users placing limits on the degree to
which they must trust a single third party while still allowing them to leverage the desirable
features of such third party organizations. According to Sayler, in an SSaaS ecosystem, a user
designates one or more trusted Secret Storage Providers (SSPs) with storing and regulating
access to their private secrets (encryption keys, etc.) on their behalf. Existing technologies such
as third-party cloud storage services can then interact with these SSPs via standard interfaces to
access their secrets. Sayler outlined some benefits provided by the SSaaS model over granting
ENCRYPTION BACKDOORS AND PRIVACY 55
the traditional third-party services full and unfettered access to our data. Such benefits include no
single trusted party, separation of duties, and support for existing use cases.
While Ozzie’s proposal to backdoors as described by Levy (2018) only addresses one
aspect of encrypted data, namely encrypted phone storage; it, however, addresses an important
issue which has kept the law enforcement community very concerned. According to the FBI
director, his agency has over 7,000 phones in its possession unable to be unlocked, impeding
investigations (Locklear, 2017). Ozzie’s proposal effectively puts phone manufacturers and law
enforcement agencies in a complementary position to unlock and decrypt data in phones under
investigation (Levy, 2018).
Abelson et al. (2015) have proposed backdoor solutions to encrypted real-time
communication streams namely, phone calls or video calls through an E2EE messaging
application such as WhatsApp. The real-time intercept backdoor proposed by Abelson et al. calls
for public key escrow to be kept by either law enforcement agencies or trusted third parties,
similar to the Clipper chip escrow. According to Abelson et al. the most obvious approach to
allow for law enforcement access would require for example, traffic between Alice in Nigeria
and Bob in Brazil to have their session key also encrypted under the public keys in the police key
escrow in both Nigeria and Brazil. This approach, however, raises serious issues given the global
nature of internet services (Abelson et al., 2015). If an E2EE software sold or used in Brazil will
copy all its keys to its government’s key escrow storage, criminals might buy their software from
vendors not cooperating with the government (Abelson et al., 2015). Criminals in the U.S. might
buy their software from Russia, for example (Abelson et al., 2015).
ENCRYPTION BACKDOORS AND PRIVACY 56
Conclusion
In a closed-door meeting at the U.S. Capitol convened by the Electronic Frontier
Foundation (EFF) in 2018, Erik Neuenschwander, Apple’s manager of user privacy spoke to
Senate staff on the realities of device encryption (Crocker & Cardozo, 2018). In an analogy
similar to the dangers of service providers or government agencies storing encryption keys,
Neuenschwander said even though the days of the Wild-Wild-West are over, there were still
4,200 bank robberies in 2016 (Crocker & Cardozo, 2018). Neuenschwander’s analogy was
drawn from the tradeoffs Apple has had to make between functionality and user privacy (Crocker
& Cardozo, 2018). Apple determined the best way for it to guarantee user privacy was to
completely take itself off the equation of maintaining control of any device encryption keys
(Croker & Cordozo, 2018). If Apple were to maintain any encryption keys on its servers, those
would immediately become the target of attackers, no matter what precautions Apple took to
protect them (Croker & Cordozo, 2018). Apple has therefore set user privacy as a priority in its
security plan (Crocker & Cardozo, 2018).
Castro and McQuinn (2016) concluded the U.S. government should not limit the
commercialization of cybersecurity innovations, especially on encryption. The researchers
contended doing so is unlikely to have a significant effect on the ability of terrorists and
cybercriminals to engage in encrypted communications but will make communications by the
average user and business less secure (Castro and McQuinn, 2016). Barr (2016) offered some
possible solutions to enable law enforcement access encrypted information in narrowly tailored
circumstances. One of such solutions would be custom-crafted updates (Barr, 2016). Since Apple
and other cell phone vendors have privileged control over what is included in updates to their
operating system software (OS), Apple or other cell phone vendors could easily include a
ENCRYPTION BACKDOORS AND PRIVACY 57
spyware or special backdoor access as part of the OS update without the user’s knowledge or as
an innocuous update obfuscating the true intention of the update (Barr, 2016). Barr contended if
this is done specifically for an individual with information linking the individual to terrorist or
criminal communications sufficient to allow a warrant, such an approach will not raise
overbreadth concerns. According to Barr, this would be compelled speech sufficiently narrowly
tailored.
According to Gaynor, Omer, and Turner (2017), a basic understanding of encryption and
how it safeguards the privacy of individuals is vital to the safety of personal information such as
health records. Gaynor et al. further stated data security and privacy are complex concepts and
remain foreign to a lot of non-technical professionals. Non-technical professionals do not only
have limited knowledge of encryption and its benefits to safeguarding personal information, but
they also have a limited understanding of what a backdoor would do to existing encrypted
communication (Gaynor et al., 2017).
Chapter Summary
In this chapter (Literature Review) a thorough review of the issues of encryption,
backdoors and civil liberties was conducted. This chapter highlighted research on the
understanding and evolution of the debate on encryption and backdoors, both from the viewpoint
of security experts and legal experts. Additionally, this chapter included a comprehensive review
of the popular messaging applications, and how their spread on smartphones is also an increasing
concern of governments and some government agencies around the world such as the FBI and
the NSA in the U.S. Also, a review of policies certain governments are implementing to
safeguard national security at the expense of individual privacy and cybersecurity was done.
ENCRYPTION BACKDOORS AND PRIVACY 58
Research on the implementation details of E2EE was also reviewed including the weaknesses
and benefits of certain protocols.
Chapter 3 follows, presenting a detailed discussion of the research methodology and the
design appropriateness. The methodology chapter includes a detailed discussion of the survey
population, description of the data collection method using an online survey, data collection
procedures and instruments used to collect the data to show their appropriateness and reliability.
All the information presented in Chapter 3 serves to answer the questions posed by the general
and specific problems statements as cited in Chapter 1. Subsequent chapters will address the
results and conclusions of this study.
ENCRYPTION BACKDOORS AND PRIVACY 59
CHAPTER 3: METHOD
The purpose of this qualitative descriptive research study is to raise awareness for non-
technology professional users of mobile devices on the benefits of encryption for privacy. The
encryption and privacy debate heated up more recently following the prosecution of President
Donald Trump’s former campaign manager, Paul Manafort: United States v. Manafort, District
Court, District of Columbia (Novak, 2018). According to Novak (2018), Manafort was indicted
and convicted amongst other crimes for money laundering and tax evasion. The federal
prosecutors also accused him of witness tampering using end-to-end encrypted messaging
applications WhatsApp and Telegram (Novak, 2018). This research, which was focused on end-
to-end encryption (E2EE), backdoors, and privacy, was accomplished using a qualitative
descriptive design approach. This design method was the most appropriate for this research
because it sought to gain insight into the views and opinions of non-technology professionals
regarding their privacy on public communication platforms. Such an approach was especially
useful for researchers wanting to know the “what” and “how” of events (Dews-Farrar, 2018).
The qualitative descriptive study design, therefore, yielded the right results in answering the
research questions posed in this research study.
This chapter includes a discussion of the research method chosen and the appropriateness
of the design, identification of the research questions, and specific details of the implementation
of the current study. In this chapter, the researcher also discussed the characteristics of
qualitative and quantitative research, and why a qualitative study was selected rather than a
quantitative study. This discussion was used as a framework to evaluate the research design in
relation to the research questions. The results of this study are reported in subsequent chapters.
ENCRYPTION BACKDOORS AND PRIVACY 60
Research Method and Design Appropriateness
This research study used a qualitative analysis methodology. The rationale for selecting a
qualitative analysis for this research was based on the diagnosis of the purpose statement.
According to Creswell (2015), while quantitative research involves analyzing relationships or
predicting variables, qualitative research begins with a single idea or concept called the central
phenomenon; it consists in developing a detailed understanding of the central phenomenon. In
qualitative research according to Creswell, literature review plays a less substantive role than in
quantitative research, but it needs to justify the problem. Based on the purpose statement of this
study, the central phenomenon is encryption and privacy. The researcher examined several
qualitative and quantitative study approaches for their appropriateness to use in this study. The
researcher concluded quantitative focused-studies reduced their findings to numerical
interpretations, the center of which are variables (Dews-Farrar, 2018). This researcher
determined based on the central phenomenon in the purpose statement and on the principles of
qualitative methodology as described by Creswell (2015) and Salkind (2012), a qualitative
approach will be the best way to conduct this research.
Additionally, the researcher did not want to quantify the views and opinions of non-
technology professionals on the impact of the government wanting to create backdoors into
encryption technologies, but rather to acknowledge their expectations of privacy on IM
applications and how this has influenced and created their personal experiences. Such
individuals, per this study would be everyday users of IM applications who do not have an in-
depth knowledge of computers. A qualitative research method would, therefore, seek and capture
their views and opinions about their use of encryption in conserving privacy. A qualitative
analysis methodology would enable research participants to present a more informed account of
ENCRYPTION BACKDOORS AND PRIVACY 61
their lived experiences and to construct their appreciation of the impact of backdoors into
encryption technologies.
Research Design
A qualitative descriptive design was the design methodology selected for this study.
According to Bradshaw, Atkinson, and Doody (2017), qualitative descriptive design represents
the characteristics of qualitative research. Rather than focusing on culture as does ethnography,
the lived experience as in phenomenology or the building of theory as with grounded theory, the
qualitative descriptive design seeks to discover and understand a phenomenon, a process, or the
perspectives, views and opinions of the people involved in the experience (Bradshaw et al.,
2017). The qualitative descriptive design does not emphasize the formation of theory as in the
grounded research theory approach. Instead, qualitative descriptive analysis is the method of
choice when straight descriptions of a phenomenon are desired (Dews-Farrar, 2018). The
selection of a qualitative descriptive design for this study was in alignment with the research
questions in this study which centered on creating awareness and understanding how non-
technology professionals would interpret the impact of government-mandated backdoors into
encryption technologies. The use of a qualitative descriptive design is particularly important
where information is required directly from individuals experiencing the phenomenon under
investigation and where time and resources are limited (Bradshaw et al., 2017). This study was
concerned with understanding how non-technology professionals respond to events affecting
their online activities such as law enforcement advocating for a backdoor into E2EE in IM
services, thus undermining their privacy and security (McCarthy, 2016).
The qualitative descriptive inquiry yielded insightful responses which would not have
been obtainable in a quantitative approach. Within the qualitative descriptive design approach,
ENCRYPTION BACKDOORS AND PRIVACY 62
the central phenomenon of interest is explored with participants in a particular situation and from
a specific conceptual framework with the research question related to the meaning of the
experience. The participants for this study were a purposeful sample of individuals who had the
requisite exposure and experience of the research phenomena being investigated (Bradshaw et
al., 2017). The interactions of a given social unit are investigated, and the participant group is
selected from the population the researcher wishes to engage in the study (Bradshaw et al.,
2017).
Population, Sampling, and Data Collection Procedures and Rationale
This research study posited non-technology professionals have a limited understanding of
the consequences of a government-mandated backdoor into encryption technologies. The general
population of the study were adult users of mobile phones located in the U.S. and running the
end-to-end encrypted IM service, WhatsApp, on their mobile phones. The IM application
WhatsApp was selected for this study because according to Sutikno, Handayani, Stiawan,
Riyadi, and Subroto (2016), it is amongst the most favored IM applications endowed with E2EE.
Jisha and Jebakumar (2014) stated WhatsApp is the fastest growing IM application as most
young people are moving away from Facebook. WhatsApp enjoys global favorability with a user
base of over 1.5 billion subscribers. It is also the first application ever to implement E2EE to this
scale (Rastogi & Hendler, 2017). From the target population, the researcher chose a research
sample of 26 participants who met the criteria for participation.
Qualitative researchers have over the years recommended different ranges with regards to
sample size for qualitative inquiry. There are, therefore, no specific rules when determining the
appropriate sample size in qualitative research. It is, however, typical to study a few individuals
or a few cases (Creswell, 2015). According to Salkind (2012), the magic number for qualitative
ENCRYPTION BACKDOORS AND PRIVACY 63
research is around 30, while Latham (2014) asserted 15 participants as a minimum for most
qualitative studies works well. Latham (2014) further stated a sample size of between 15 and 20
participants is a “sweet spot” for a homogenous group. In accordance with the aforementioned,
the research will engage with a sample size of 26 participants. The sample size of 26 for this
research study meets the saturation limit in qualitative descriptive research as shown in similar
research carried out by Dews-Farrar (2018) using the same design. The participants had to meet
the following criteria: (a) Participants had to be owners of a mobile phone running the latest
version of the WhatsApp application. (b) They had to be willing to participate in an online
survey, or a face-to-face interview with the researcher. (c) They had to be non-technology
professionals who at the time of this study did not have any experience working in technology or
hold any diploma or certification in computer science, computer security or computer
networking. (d) Participants had to be willing to give honest accounts of their views and opinions
about privacy and national security.
Sampling
After obtaining Institutional Review Board/Academic Review Board (IRB/ARB)
approval, the researcher initiated the participant recruitment process. Purposeful sampling,
specifically the snowball sampling methodology, was used for the selection of the 26
participants. Purposeful sampling involves the selection of individuals who are qualified to
provide in-depth information about the phenomenon being researched. Snowball sampling is a
sub-category of purposeful sampling and has the advantage that after observing the initial
participants, the researcher asks for assistance from the participants to help identify people with a
similar trait (Creswell, 2015). Non-technology professionals like themselves who meet the
requirements for the sample population (Creswell, 2015). Snowball sampling is a non-probability
ENCRYPTION BACKDOORS AND PRIVACY 64
sampling methodology. Rashidi, Vaniea, and Camp (2016) used snowball sampling in a study on
privacy setting usage in WhatsApp application to recruit participants. The study by Rashidi et al.
yielded relevant results which have contributed to the body of literature on how users manage
privacy settings on IM applications. Snowball sampling generally consists of two steps:
1. The researcher identifies the potential participants in the population. Often, only a
handful.
2. The researcher asks the identified participants to recruit other participants. The chain
continues until the sample size is reached.
According to the Bureau of Labor Statistics of the “U.S. Department of Labor” (2017),
States or jurisdictions with the highest location quotient for information technology experts are
Virginia with 4.71, Maryland with 2.50, and the District of Columbia with 2.25. The location
quotient is a way of quantifying how concentrated a particular industry or occupation is in a
particular region or State, in reference to the entire nation. The States ranking with the lowest
location quotient for information security experts are New Mexico, Missouri, and Colorado
ranking 1.33, 1.37, and 1.41 respectively. The State of Minnesota falls in the middle of the
rankings with 1.65 as its location quotient for information security experts. The average rankings
in the distribution of technology professionals in Minnesota in relation to the rest of the country
make it an ideal candidate for the target population of this study. In technologically dense states
there is a higher likelihood that more people will be working for a technology company even
though they do not work directly with technology. The selection of the state of Minnesota
eliminated possible biases of participants from technologically dense states such as Virginia or
sparsely dense technology states such as New Mexico.
ENCRYPTION BACKDOORS AND PRIVACY 65
In addition to the above, the “U.S. Department of Labor” (2017) data showed that the
state of Minnesota also had a diverse labor force in non-technology professional jobs such as
medical device technology, healthcare, and hospitality industries amongst others. Since the
interest of the researcher was in non-technology professionals, a state with such rich, and
balanced diversity made a good sample state. Further, the researcher resided in Minnesota which
significantly reduced the cost of the research. The selected participants in this research did not
include children, minors, or convicts. All participants were 18 years or older.
Informed Consent
All prospective participants were informed of the purpose of the study and were required
to sign an informed consent form (Appendix B) recording their acceptance to participate in the
study. Participants in the paper-based survey signed a printed copy of the informed consent form
while those taking the survey online signed an online version. The researcher created special
folders named P1 – P26 (representing the 26 participants) in the Capitol Technology University-
provided secure cloud storage drive, OneDrive, where each participant’s completed surveys were
securely stored after the analysis is completed. The paper copies were destroyed after scanning.
Confidentiality and Anonymity
Participants were assured of the anonymity and confidentiality of the process in the
informed consent agreement; no identifying values were linking the information to the
participant, and not even the researcher was able to identify a specific participant. All agreements
between the researcher and the participants, including pilot test participants were safely stored on
the secure drive in folders. This storage drive guaranteed the confidentiality of all participants in
the study.
ENCRYPTION BACKDOORS AND PRIVACY 66
Data Collection and Data Sources
Data was collected through an online or a paper-based survey. Since the research study
was designed for non-technology professionals, it was possible that not all of the participants
will have access to the internet or own a computer. Hence, the need for a paper-based version of
the survey. Data from the survey provided answers to open-ended questions so that the
participants could best voice their experiences unrestricted by the influence or perspectives of the
researcher or past research findings (Creswell, 2015). Data from the online survey was collected
using the online survey tool called SurveyMonkey. SurveyMonkey is an online web tool that
allows you to launch any kind of professional online survey project, be it for market research, a
quick poll, competitive analysis, customer or the employee feedback (“SurveyMonkey Inc,”
2019). This easy-to-use platform allows you to tailor your surveys according to your defined
target audience. Advanced features in SurveyMonkey help all kinds of professionals to conduct
different types of surveys online and get real-time results by reaching out to millions of
respondents (“SurveyMonkey Inc,” 2019). The vast amount of data collected can easily be
analyzed through data analysis and reporting features offered by SurveyMonkey
(“SurveyMonkey Inc,” 2019). Moreover, for further collaborative purposes, the data and report
analysis can be exported into different formats and shared across teams. It also has a paid version
that includes programs that can perform data analysis, bias elimination, and more. This study
used the paid version. The paper-based questionnaires were conversations between the researcher
and each participant; they were designed to elicit the interviewee’s knowledge or perspective on
the phenomenon under study. (“The Open University,” 2017). Questions were mostly open-
ended.
ENCRYPTION BACKDOORS AND PRIVACY 67
Participants were contacted at local libraries, coffee shops, and other social gatherings.
Online participants were contacted via the professional online tool LinkedIn and also via
WhatsApp chat groups where the survey link was advertised. The variability of the responses to
the questions during the pilot phase helped in deciding whether a question was well-worded,
understandable, if it should be open-ended or not, and if it should be included in the
questionnaire or not.
Pilot Study
Prior to collecting data for this study, a pilot study was conducted with five participants
recruited from the study population. This was to establish the validity, functionality, and
comprehensibility of the questions contained therein. According to Fink (2018), the rule of
thumb is to start with five participants and continue with small groups until no new information
is being gained from the pilot study. Participants in the pilot study were not included in the actual
survey. An informed consent agreement was be signed by both the pilot study participants and
the study participants. This pilot group provided feedback and concerns about the survey that
was used to make changes to the instrument. The researcher asked the pilot participants to mark
any poorly-worded questions or responses that did not make sense or seemed to be taking a lot of
time to complete. To help bolster the validity of the survey, all relevant questions regarding the
central phenomenon of this study were included; a range of possible responses were also tested
to try and capture the different views and feelings of the participants. Feedback from the pilot
study was used to revise questions towards more clarity and usefulness.
Reliability
According to Fink (2018), a reliable qualitative survey instrument provides a consistent
measure of the important characteristics of the study despite background fluctuations. A survey
ENCRYPTION BACKDOORS AND PRIVACY 68
instrument that yields consistent results under the same survey conditions is said to be reliable.
The survey instrument for this research was built to be reliable after a successful pilot test. The
survey instrument was also validated using the pilot study to ensure that the information it
provided was an accurate reflection of the participants’ knowledge, attitudes, values, and
opinions. The survey had content validity; the questions accurately represented the
characteristics, opinions, or attitudes they were intended to measure. According to Fink (2018),
the content of the survey instrument could be validated by asking experts of the central
phenomenon of the study whether the questions are representative samples of the opinions and
views the research intends to survey. Alternatively, the researcher could be sure the survey
instrument is reliable and valid by using already tested and published questions. These are
questions which have been carefully tested by other surveyors and researchers in similar
scientific studies and are sometimes found in published peer-reviewed articles.
Validity: Internal
There are two very important concepts in the measurement of internal survey instrument
validity: measurement validity and design validity (Fink, 2018). Measurement validity comes
from the validity and reliability of the survey instrument; it refers to the characteristics of the
survey instrument; whereas design validity refers to the selection of the survey participants
(Fink, 2018). Because surveys work in an imperfect world, even the most carefully designed
studies are influenced by factors over which the surveyors have no control. Participants may
promise to take the survey but may fail to do so in the end. Such risks and others have the effect
of biasing or prejudicing the results of the survey and consequently affecting the accuracy of the
survey.
ENCRYPTION BACKDOORS AND PRIVACY 69
According to Fink (2018), a study has internal validity if its outcome is as a result of or is
caused by the variables that are controlled and manipulated in the study. There are a number of
items that can pose a threat to the internal validity of this survey such as a biased selection of
participants for the survey, the sampling procedure, and the effect of a terrorist attack in the U.S.
while the survey is being conducted (Fink, 2018). The threat of bias in the selection of
participants in this research study were mitigated by the researcher using the snowball sampling
technique for participant selection. Snowball sampling is a tested and proven survey
methodology that has been used in other studies similar to this one such as the study carried out
by Rashidi, Vaniea, and Camp (2016). Sampling errors were minimized for this study by the fact
that the researcher did not have a direct influence on the selection of participants. This is
because, in snowball sampling, the participants are selected by their peers.
Transferability
Transferability in qualitative research is the ability to generalize, or the extent to which
the results of the research apply to other contexts or settings. The context and methods of the
current study such as the characteristics of the participants, including geographic location, age
group, and information technology experience, were thoroughly described in this research to
assist readers who may want to apply the findings to other contexts or settings, do so
appropriately.
Data Analysis
The researcher accumulated ample amounts of data as a result of surveying 26
participants. Qualitative data analysis typically relies on the researcher’s impressions and
interpretations; the researcher, therefore, found it important to recognize the need for a
transparent, thorough, and systematic analysis of the data to ensure the validity of the research.
ENCRYPTION BACKDOORS AND PRIVACY 70
The research questions guiding this data analysis were designed to investigate the phenomenon
of backdoors and privacy in modern IM applications amongst Americans. These research
questions were:
• Do non-technology professionals in the U.S. understand the impact of creating backdoors
into end-to-end encrypted technologies?
• What are the perspectives of everyday users of IM applications regarding the argument
security comes with a price, namely at the expense of privacy?
• To what extent does the knowledge of encryption as technology in safeguarding
consumer privacy affect the use of the internet by non-technology professionals in the
U.S.?
This research utilized the thematic data analysis approach in analyzing data. This
approach is exploratory and requires all the data to be coded, allowing for new impressions to
shape the interpretation of the data in different directions (“The Open University,” 2017). A code
is a word or short phrase descriptively capturing the essence of elements of the data (“The Open
University,” 2017). Thematic analysis involves the researcher searching across the range of data
sources used for the analysis to find repeated patterns of meaning. For this research study, the
researcher searched through interview transcripts and survey responses. Before applying the
thematic analysis, the researcher read the data in its entirety in order to familiarize himself with
it. The researcher took notes and prepared written summaries as he analyzed each survey
response. This enabled the researcher to condense the data into key themes and topics which
shed light on the research question. The researcher then developed a coding framework, which
was a list of codes the researcher used to index and divide the material into descriptive topics and
ENCRYPTION BACKDOORS AND PRIVACY 71
themes. The thematic approach which was used for this research study allowed the researcher to
add new codes to the list as coding and analysis progressed, in an iterative process.
The thematic analysis comprises six discrete steps (Braun & Clarke, 2006). It is worth
mentioning the analysis of data using this approach is not a linear process that progresses from
one step to the other (Braun & Clarke, 2006). Instead, it is a recursive process where the
researcher moves back and forth throughout the phases (Braun & Clarke, 2006).
Phase 1: Familiarization with Collected Data
As mentioned in the data analysis section above, the researcher began data analysis by
the process of familiarization with collected data. This process involved the repeated reading of
the data actively and searching for meanings and patterns (“The Open University,” 2017). This
process of reading over the data several times is time-consuming and justifies why qualitative
research tends to use a smaller sample size, 26 participants in the case of this study
Phase 2: Generating Initial Codes
This phase involved the production of initial codes from the data. Coding is considered
part of the data analysis as the data is being organized into meaningful groups. The entire content
of the data set was coded using the software program NVivo. Qualitative analysis depends to a
good extent on the subjective interpretations of the researcher. Therefore, a combination of
personal judgment and software was used to bring objectivity to the coding process. The end
product of this phase was an identified list of codes.
Phase 3: Searching for Themes
This phase began after phase two was completed; implying all the data had been initially
coded. During this phase, the researcher re-focused the analysis on the broader level of themes.
This involved sorting the different potential codes obtained in phase two into potential themes.
ENCRYPTION BACKDOORS AND PRIVACY 72
During this phase, the researcher was essentially analyzing the codes, categorizing different
codes into overarching themes. The researcher used tables and mind maps to construct a visual
representation to help organize the themes into groups. Some initial codes were used to form
themes; others were used for sub-themes, while others were discarded. This phase ended with a
collection of themes and sub-themes and gave the researcher a sense of the significance of
individual themes.
Phase 4: Reviewing Themes
This phase involved the two-step process of review and refinement of themes put
together in phase three. During this phase, the researcher eliminated some candidate themes after
having observed there was not much data to support them or the data were too diverse. Internal
homogeneity and external heterogeneity defined by Patton (1990) for judging categories were
considered in this phase; data within the themes were checked to make sure they were coherent
and meaningful while maintaining clear and identifiable distinctions between them. Themes
appearing to form a coherent pattern were moved to the second level, which was refinement. The
outcome of the refinement process was a thematic map, which captured all the contours of the
coded data. At this stage, the researcher considered the validity of the captured themes about the
data set. The researcher also evaluated if the thematic map accurately reflects the meanings
evident in the data set as a whole.
Phase 5: Defining and Naming Themes
This phase began after a satisfactory thematic map had been developed; the researcher
then proceeded to define and refine the themes to be presented for analysis. The essence of the
specific and overall meaning of each theme was identified, and the researcher used this
ENCRYPTION BACKDOORS AND PRIVACY 73
information to determine what aspect of data each theme captured. For each theme, the
researcher conducted and wrote a detailed analysis.
Phase 6: Producing the Report
During this last phase, the researcher performed the final analysis of the themes and
produced a final report. According to “The Open University” (2017), writing up a thematic
analysis requires the researcher to tell and convince the reader of the validity of the analysis. The
report provides concise, coherent, logical, and a non-repetitive account of the story the data told,
within the confines of the themes and research questions.
Chapter Summary
This chapter reviewed both qualitative and quantitative research methodologies and
selected qualitative as the most appropriate methodology for conducting this research. This is
because unlike quantitative research which seeks to measure variables, this research centers on a
single idea. The central phenomenon or main idea for this research was end-to-end encryption,
backdoor, and how it affected the privacy of non-technology professionals. The goal of this
research was to analyze the views and opinions of non-technology professionals in the U.S. on
this idea or central phenomenon.
This chapter also reviewed and selected the most appropriate research design for this
study. The researcher reviewed the various qualitative designs such as the grounded theory
approach, the ethnographic approach, the phenomenal approach, the case study, and the
descriptive approach. The researcher selected the descriptive design approach because it strives
to gain insight into the views and opinions of non-technology professionals regarding their
privacy on public communication platforms. The qualitative descriptive study design was
deemed the most appropriate for this research because it is known to yield the best results in
ENCRYPTION BACKDOORS AND PRIVACY 74
answering the type of questions posed in this research and has also been used in similar studies
in the past. This chapter also reviewed sampling techniques and selected snowball sampling as
the most appropriate technique to use in selecting research participants. The internal and external
validity of the survey instrument were also evaluated as well as content validity.
Lastly, the researcher selected thematic data analysis as the choice of methodology to be
used to analyze the data from the survey. The six steps involved in thematic data analysis were
also reviewed, including how the coding of research data was carried out. The results of this
study are presented in Chapter 4.
ENCRYPTION BACKDOORS AND PRIVACY 75
CHAPTER 4: RESULTS
The main objective of this qualitative descriptive research study was to gain insight into
the views and opinions of non-technology professionals regarding their privacy on public
communication platforms. This chapter presents an overview of the population and sample for
this study, including demographic data and criteria for participation. A narrative of collected data
and a summary regarding the number of surveys collected are discussed. Additionally, data
collection, data analysis procedures, and identification of codes and themes are reviewed. The
researcher also recapitulates reliability and validity and presents results from data analysis. This
research study’s results include the presentation of the various themes and their alignment with
the research questions as well as a descriptive narrative in which selective quotes from
participants are embedded.
The researcher established in Chapters 1 and 2, the raging debate between law
enforcement agencies and most of the technology community, over whether law enforcement
should have exclusive access to phones and end-to-end encrypted messaging applications (Perry,
2016). In 2018, an alliance of five countries known as the Five Eyes, which includes the U.S.,
UK, Canada, Australia, and New Zealand, issued a memo demanding that technology companies
create specialized solutions, tailored to their individual systems that are capable of meeting
statutory access requirements (Mark, 2018). According to Max (2016), governments and security
agencies are wrong due to their unfounded belief that strong encryption that protects information
on the internet, can at the same time be made weak in order to grant the government access to
information.
Vaziripour et al. (2018) asserted that non-technology professionals lack understanding of
what an encrypted chat means and does to guarantee security. This research study was, therefore,
ENCRYPTION BACKDOORS AND PRIVACY 76
posited on the central question of whether non-technology professionals understood the impact
of government-mandated backdoors on encrypted public messaging services. A qualitative
descriptive study enabled accurate depictions of participants’ views on the impact of
government-mandated encryption backdoors (Dews-Farrar, 2018). Additionally, the researcher
sought to augment the sparse number of scholarly qualitative descriptive studies concerning end-
to-end encryption (E2EE), backdoors, and privacy.
The survey questions for this research study were formulated to elicit responses that
would unveil the participants’ views and opinions regarding government and law enforcement
agencies’ demand for legislation that will allow them to snoop on online private communications
of smartphone users. The research questions were as follows:
RQ1: Do non-technology professionals in the U.S. understand the impact of creating
backdoors into end-to-end encrypted technologies?
RQ2: What are the perspectives of non-technology professional users of IM applications
regarding the argument security comes at a price, namely at the expense of
privacy?
RQ3: To what extent does the knowledge of encryption as a technology in safeguarding
consumer privacy affect the use of the internet by non-technology professionals?
The qualitative descriptive nature of this study required that the researcher focus not so
much on generating new theory, but on illuminating the lived experiences of the research
participants (Dews-Farrar, 2018).
Pilot Study
The pilot study established the comprehensibility, validity, and reliability of the survey
questions. In a study on the importance of piloting in qualitative research, Abdul, Othman,
ENCRYPTION BACKDOORS AND PRIVACY 77
Mohamad, Lim, and Yusof (2017) mentioned the imperativeness of pilot studies in preparation
for a major study. According to Adul et al., pilot studies can be applied to address potential
practical issues following research procedures. Such studies are distinctly helpful in testing
interview questions and adjusting them accordingly prior to the full study (Adul et al., 2017).
The pilot study for this research consisted of five preliminary participants. The informed consent
agreement was given to each participant, and the researcher obtained approval from all five
participants. The participants were then served with the survey, three with the paper-based
surveys while two participants took it online. Both groups of participants did this with the
researcher present for clarifications and discussions. This allowed the researcher to interact
directly with participants and know if the questions on the questionnaire were clear enough as
well as if participants understood the purpose of the research.
The pilot study revealed that the participants would be better served by defining key
terms such as encryption, end-to-end encryption, and backdoors in the participant consent form
before they got to the survey questions. Participants remarked an early definition of key terms
used in the survey would enable them to fully understand the purpose of the research before
agreeing to participate. The researcher, therefore, defined key terms included in the title of the
research in the consent form. This pilot study also helped the researcher improve the questions in
the survey. Feedback from the pilot study was used to revise the final wording in the survey
questions.
The findings of this pilot study demonstrated the functionality of the survey instrument
and the interest in the research by the target population. Thus, after adjustments to the survey
from recommendations of the pilot study participants, the researcher concluded that the survey
instrument was valid for this study’s topic and served to answer the specific problems posited.
ENCRYPTION BACKDOORS AND PRIVACY 78
Threats to validity and reliability
According to Fink (2018), there are a number of items that can pose a threat to the
internal validity of a survey; these include a biased selection of participants for the survey,
sampling procedure, or as it could be in the case of this research, the effect of a terrorist attack in
the U.S. just before, or while the survey is being conducted. Creswell (2015) recommended that
qualitative researchers select at least two procedures listed below to confirm the validity of the
findings. Creswell’s proposition was as follows: (a) prolonged involvement with research
subjects; (b) triangulation; (c) external review of the research process and results; (d)
acknowledging possible researcher bias at the outset of the project; (e) participant validation of
research results and descriptions; (f) in-depth descriptions, which will enable transferability and
substantiate authenticity; and (g) use computer programs for coding data.
The following guidelines to address threats to validity and reliability were employed in
this qualitative research:
1. The researcher utilized more than one source to substantiate the research. The sources of
data included the paper-based questionnaire and an online survey.
2. To ensure validity and reliability, NVivo Pro 12 qualitative data analysis software was
employed for data coding and finalization of themes.
3. The survey instrument was validated using the pilot study to ensure that the information it
provided was an accurate reflection of the participants’ knowledge, attitudes, values, and
opinions. The survey also had content validity because the questions accurately
represented the characteristics, opinions, or attitudes they intended to measure.
4. The threat of bias in the selection of participants in this research study was mitigated
because the researcher used the snowball sampling technique for participant selection.
ENCRYPTION BACKDOORS AND PRIVACY 79
Snowball sampling is a tested and proven survey methodology that has been used in other
studies similar to this one, such as the study carried out by Rashidi, Vaniea, and Camp
(2016). Sampling errors are minimized by the fact that the researcher does not have a
direct influence on the selection of participants. This is because, in snowball sampling,
the participants are selected by their peers.
5. Transferability in qualitative research is the ability to generalize, or the extent to which
the results of the research apply to other contexts or settings. The context and methods of
the current study such as the characteristics of the participants, including geographic
location, age group, and information technology experience, have been thoroughly
described in this research to assist readers who may want to apply the findings to other
contexts or settings, do so appropriately.
Findings
Forty-six participants in total responded to the survey between May 1, 2019, and May 10,
2019. Twenty of the 46 participants who responded to the survey were eliminated during the data
analysis phase because they did not meet the survey criteria. The participants had to meet the
following criteria: (a) Be the owner of a mobile phone running the latest version of the
WhatsApp application. (b) Be willing to participate in an online survey or a face-to-face
interview with the researcher. (c) Be a non-technology professional who at the time of this study
did not have any experience working in technology or hold any diploma or certification in
computer science, computer security, or computer networking. (d) Be willing to give honest
accounts of their views and opinions about privacy and national security. (e) Be a resident of the
state of Minnesota. Eight of the participants did not reside in the state of Minnesota, one
participant was the holder of an information security certification, five participants had a job that
ENCRYPTION BACKDOORS AND PRIVACY 80
included information technology related activities, and six participants were eliminated due to
the fact they did not complete the full survey. Twenty-six participants completed all the survey
questions. The researcher has, therefore, only included responses of survey participants who met
the survey criteria and completed all the questions.
Ten (38%) of the 26 retained participants completed the survey on paper, while 16 (62%)
completed online. The 10 paper surveys were manually entered into SurveyMonkey for
preliminary analysis before further importing the entire dataset into NVivo data analysis software
for full analysis.
Demographics
Out of the 26 participants who completed the survey, 12 (46.15%) were female, while 14
(53.85%) were male. Participants ranged in age from 25 – 70 years. The largest group of
participants were between the ages of 45 - 54 years (46.15%), with the smallest between the ages
24 – 35 (7.69%) and 65 – 74 (7.69%). Figure 1 below shows the age distribution of participants.
All 26 participants (100%) resided in the state of Minnesota, held no degree or certification in
computer science, and their jobs did not include information technology related activities. Table
1 displays a demographic summary of the participants.
Figure 1. A bar chart showing the age distribution of participants
ENCRYPTION BACKDOORS AND PRIVACY 81
Table 1
Demographic Summary of Research Study Participants
Participant Reside in Minnesota?
Hold computer certification?
Does your job include information technology related activities?
Age Group
Gender
P1 Yes No No 55 to 64 Male P2 Yes No No 55 to 64 Female P3 Yes No No 35 to 44 Male P4 Yes No No 35 to 44 Male P5 Yes No No 45 to 54 Male P6 Yes No No 45 to 54 Male P7 Yes No No 45 to 54 Male P8 Yes No No 45 to 54 Male P9 Yes No No 45 to 54 Female P10 Yes No No 55 to 64 Male P11 Yes No No 45 to 54 Male P12 Yes No No 35 to 44 Male P13 Yes No No 45 to 54 Male P14 Yes No No 25 to 34 Female P15 Yes No No 45 to 54 Female P16 Yes No No 65 to 74 Female P17 Yes No No 45 to 54 Male P18 Yes No No 35 to 44 Female P19 Yes No No 35 to 44 Female P20 Yes No No 45 to 54 Female P21 Yes No No 45 to 54 Female P22 Yes No No 65 to 74 Male P23 Yes No No 35 to 44 Female P24 Yes No No 45 to 54 Male P25 Yes No No 35 to 44 Female P26 Yes No No 25 to 34 Female
Data Analysis Procedures
The analytical approach used for this research study was the thematic analysis. Thematic
analysis is the classification, examination, and description of themes within qualitative data
(Braun & Clarke, 2006). Braun and Clarke’s six-phase process for inductive thematic analysis
ENCRYPTION BACKDOORS AND PRIVACY 82
was implemented in this study. The steps were as follows: (a) familiarize yourself with the data;
(b) generate initial codes; (c) search for themes; (d) review the themes; (e) define and name
themes; (f) produce the report. According to Braun and Clarke, the identification of themes
across the data set is key to analyzing and understanding the relationships between the data and
the research questions.
The first phase of data analysis in this research study involved reading the survey
submissions several times. This resulted in familiarity with the data in preparation for initial
identification of codes. There were a total of 14 questions in the survey and these were divided
into two sections. The first section, which consisted of seven questions was to ensure participants
met the survey criteria and also to gather demographic data. The second section contained seven
open-ended questions on end-to-end encryption, backdoors, and privacy.
The second phase in the thematic analysis involved generating initial codes or coding.
According to Creswell (2015), coding is the process of segmenting and labeling text to make
sense out of the text data from your survey. Coding is an inductive process of narrowing data
down into a few themes (Creswell, 2015). Codes are applied to words, sentences, and paragraphs
to recognize and categorize important concepts in the data that are related to the research
questions (Creswell, 2015). Qualitative analysis depends to a good extent on the subjective
interpretations of the researcher (Creswell, 2015). Therefore, a combination of personal
judgment and software was used to bring objectivity to the coding process. After several
readings of the submitted data, various words, sentences, and paragraphs were highlighted, and a
mark-up was created from each survey in which initial codes were affixed. Individual surveys
were first manually coded to determine preliminary codes and probable themes. Multiple
readings of the survey submissions and initial manual coding presented the opportunity to be
ENCRYPTION BACKDOORS AND PRIVACY 83
fully engaged with the data and gain an unquestionable understanding of the phenomenon. After
this was completed, all the survey submissions were then exported from SurveyMonkey into
NVivo 12 Plus data analysis software program for auto-coding. NVivo 12 Plus for Windows was
the software tool selected to assist in the process of coding and analyzing the data for this study.
NVivo 12 Plus is a qualitative data analysis software developed by QSR International; it assists
with managing and analyzing unstructured data by breaking that data into nodes that help
describe the larger emerging pattern (Hilal & Alabri, 2013). For this research study, the units of
analysis were the words, phrases, and sentences conveyed by non-technology professionals.
Employment of data analysis software enabled a thorough in-text query of recurrent
words in the submissions and scrutiny of the contexts in which the words were used. Utilization
of NVivo software provided the opportunity to perform another round of coding to confirm the
findings from manual coding. This process allowed for the finalization of codes and eventual
development of a codebook. The development of the codebook involved the creation of a list of
initial codes for each survey submission. NVivo identified 186 initial codes in the data for 1,266
references.
The third phase in the thematic analysis involved the identification of themes (Braun &
Clarke, 2006). Vaismoradi, Jones, Turunen, & Snelgrove (2016) defined a theme as an
inferential topic formed by recurring ideas and patterns in the recounts of participants’
experiences. Themes are related to codes (Creswell, 2015). Themes (also called categories) are
similar codes aggregated together to form a major idea in the dataset (Creswell, 2015).
Vaismoradi et al. posited that the primary criterion for the identification of a theme is its
appositeness to the overarching research problem and research questions, and as such, relevance
is not necessarily quantifiable. NVivo 12 Plus data analysis software aided in clustering
ENCRYPTION BACKDOORS AND PRIVACY 84
comparable codes and establishing themes. Six themes emerged from the data analysis, namely:
government and privacy, information, encryption, activities, communications, and social media.
The themes were representative of participant-generated conceptualizations regarding the
phenomenon encryption, backdoors, and privacy. Figure 1 below gives a visual representation of
the six major themes generated from the refinement of the initial codes through the process of
eliminating redundancies and analysis (Creswell, 2015).
Figure 2. A pie chart of the six themes generated from the research study
Major and minor themes were generated for this study using NVivo software. According to
Creswell (2015), major themes represent the important ideas in the dataset, while minor themes
represent secondary ideas. Twenty-eight minor or subthemes were identified in this study. Figure
Government and Privacy
25%
Information 19%
Encryption 16%
Activities 16%
Communicati on
12%
Social Media 12%
ENCRYPTION BACKDOORS AND PRIVACY 85
3 below shows a thematic map of the major and minor themes. The size of each area reflects the
number of coding references; a larger area indicates more coding references.
Figure 3. A thematic map of the major themes generated in the research study
The researcher validated phase four in the thematic analysis approach, as suggested by
Braun and Clerke (2006) by rereading the survey submissions and reassessing the codes and
themes generated by the NVivo data analysis software. Some candidate themes were merged to
form a more coherent and meaningful theme; government and privacy themes were merged to
form a single theme. The themes were validated as having a connection to the research questions
and the overall research problem. The finalization of phase four led to phase five, which was to
refine the themes and present them for data analysis. Braun and Clarke (2006) asserted that the
ENCRYPTION BACKDOORS AND PRIVACY 86
researcher should not only be able to explain the relationship between the themes and the
research questions but should additionally be prepared to construct an analysis of each theme.
Each theme should portray the participants’ collective perceptions of the phenomenon under
research Braun and Clarke (2006). Figure 4 below shows the relationship between the research
questions, codes, and themes.
Figure 4. The relationship between research questions, codes, and themes
Results
The presentation of results in this section marks phase six of the thematic data analysis
process (Braun & Clerke, 2006). There were three research questions for which the 26 survey
participants fully responded. The three research questions mentioned earlier above are addressed
according to their related theme. Six themes emerged from the data analysis. These themes
represent the survey participants’ conceptualization regarding the phenomenon of the
Research Questions
Theme 1 Theme 2 Theme 3
Codes Codes
Codes Codes Codes
CodesCodesCodes
Codes
Codes
ENCRYPTION BACKDOORS AND PRIVACY 87
government exploring ways to implement encryption backdoors in popular messaging
applications such as WhatsApp. Table 3 below presents the research questions and the
corresponding themes that emerged from data analysis.
Table 2
Research Questions, their Corresponding Themes, and Survey Questions
Research Questions Related Themes and Survey Questions
RQ1: Do non-technology professionals in the U.S. understand the impact of creating backdoors into end-to-end encrypted technologies?
1) Government and Privacy Corresponding survey questions 11, 13, 15
RQ2: What are the perspectives of non- technology professional users of IM applications regarding the argument security comes at a price, namely at the expense of privacy?
1) Information, 2) Activities, and 3) Communication Corresponding survey questions 10, 11, 12
RQ3: To what extent does the knowledge of encryption as a technology in safeguarding consumer privacy affect the use of the internet by non-technology professionals in the U.S.?
1) Social media, 2) Encryption Corresponding survey question 14
Total Number of Research Questions: 3 Total Number of Themes: 6
Research Question 1: Do non-technology professionals in the U.S. understand the
impact of creating backdoors into end-to-end encrypted technologies? One theme emerged from
participant responses to this question, and it was government and privacy.
ENCRYPTION BACKDOORS AND PRIVACY 88
Theme 1. Government and Privacy. The most prevalent theme for the entire survey was
government and privacy. This theme of government and privacy also occurred as the most used
words by all the 26 participants (see figure 5 below).
Figure 5. Word cloud of the most used words in the open-ended survey questions
Twenty-three participants (88%) responded positively or negatively to survey questions which
were directly related to RQ1. Three participants (12%) said they had no opinion. Eight
participants (31%) expressed opinions against the government, exploring the idea of wanting to
read private messages. Participant 5 (P5) who was amongst the eight who expressed opinions
against government reading their private messages, stated, “No! The government should not have
such broad powers to surveil citizens without proper safeguards.” Four participants (15%) said
the government was infringing on their privacy by wanting backdoors. P17 stated, “Privacy is
tempered with. The government should look for other enforceable ways of trapping those
ENCRYPTION BACKDOORS AND PRIVACY 89
criminals.” Privacy was a major concern to these participants; participants used words associated
with privacy such as “violates,” “personal,” “rights,” and “breach” to describe their perceptions.
Some participants stated they do not trust the government, as it has abused such privileges
before. Eleven of the participants (42%) were either leaning towards or in full support of the
government obtaining exclusive access to their messages. P2 stated, “I trust the judicial system in
the US. So any government official who uses my communications for any purpose other than
security can be identified and punished.” Others within this 11 stated they believed in free speech
and freedom from prying eyes; they added that because they are free of criminal activities, they
have no problem with the government wanting to read their private messages. Figure 6 below is
an explore diagram that shows how codes merge to form a theme in NVivo software.
Figure 6. An explore diagram showing codes for the government theme
ENCRYPTION BACKDOORS AND PRIVACY 90
Research question 2. What are the perspectives of non-technology professional users of
IM applications regarding the argument security comes at a price, namely at the expense of
privacy? Three themes emerged from participant responses: 1) Information, 2) Activities, and 3)
Communication.
Theme 1. Information. The child themes that summed up to this main theme were
public information, private information, bank information, evil information, valuable
information, and specific information (see figure 7). The sentiments expressed by 18 participants
(69%) on this theme was neutral or mixed. Participants who gave a neutral or mixed sentiment
agreed private information should remain private; however, they also said they would not mind
the government stepping into their private information in order to keep the country safe.
Figure 7. An explore diagram showing the child themes that make up the information theme
ENCRYPTION BACKDOORS AND PRIVACY 91
Five of the participants (19%) expressed outright negative sentiments about giving up
their private information in exchange for more security. Three participants (12%) had a positive
sentiment about the government accessing private information in order to keep the country safe.
Some participants said they would rather all information be made public; others like P16 said,
“But if the bad actors access the same information, especially my bank information then I will be
screwed up.” P14 said, “This can be achieved through the government finding out through a
survey what kind of private information Americans are willing to let the government know about
for the sake of security.”
Theme 2. Activities. Participants who coded for this theme coded for three child themes:
unlawful activities, electronic activities, and hacker activities. Five participants (19%) coded for
the activities theme. These participants all expressed comfort in letting their security be of a
higher priority than privacy; for example, P16 said, “It would not affect my behavior in any way
since I do not engage in any unlawful activity.” P7 said, “I support the government to monitor all
electronic activities.”
Figure 8. An explore diagram showing the child themes that make up the activities theme
ENCRYPTION BACKDOORS AND PRIVACY 92
Theme 3. Communications. There were four participants (15%) who coded for this
theme. Unlike participants who coded for the activities theme by expressing their comfort with
government surveillance in exchange for security, participants who coded for communications
were decisively against giving up their private communications in exchange for more security.
P25 was very categorical with his/her position on this matter; “Government has no right to
monitor all messages/communications online because not all are sensitive.” Other participants
expressed similar strong sentiments against giving up privacy for more security, saying the
government needed special courts to allow them to have permissions to go into citizen’s private
communications. P24 added to the debate saying, “Privacy is privacy, and the government
should stay out of people's private communications.”
Research question 3. To what extent does the knowledge of encryption as a technology
in safeguarding consumer privacy affect the use of the internet by non-technology professionals
in the U.S.? Two themes emerged from the participant's responses: 1) Social media and 2)
Encryption.
Theme 1. Social Media. Four participants (15%) expressed their views and opinions on
how their knowledge of encryption will affect their use of social media applications such as
WhatsApp. P1 said, “Limit what I share on social media, which I already do.” P6 stated that “I
will have more confidence when chatting on social media.” P22 stated, “A lot of people do
business even on social media like WhatsApp. Families discuss family matters that the
government has no business listening to. Lobbyists may use their financial power to lobby
information from their rivals.”
Theme 2. Encryption. Five participants (19%) coded for encryption. Three of the five
participants were concerned that terrorists could master encryption technology and use it to cause
ENCRYPTION BACKDOORS AND PRIVACY 93
harm to society. P24, who was amongst the three, stated, “Mastery of encryption technology by
criminals is certainly dangerous since it could be used to target vulnerable populations.” Two of
the five participants who coded for the encryption theme said their knowledge of encryption in
apps makes them more comfortable using these apps. P5 said, “I will try to always use internet
sites that can give me end-to-end encryption.”
In addition to the two themes that emerged regarding RQ3, participants were given a
layman’s definition of encryption technology in the survey and asked in question 9 if they were
aware that popular websites such as Twitter, Facebook, or even their banking operations are all
protected from hackers by encryption. Twenty-one participants (81%) answered yes, while 5
participants (19%) answered no. See figure 5 below.
Figure 9. A distribution graph showing participants knowledge on whether or not they knew
encryption was used in protecting their data on popular websites such as Facebook and Twitter.
At the end of the survey, participants were asked if the information provided in the
survey regarding encryption and the U.S. government's demand for a backdoor had increased
ENCRYPTION BACKDOORS AND PRIVACY 94
their knowledge or awareness of the benefits of E2EE to their privacy. Table 3 below tabulates
their responses.
Table 3
How much the survey information had increased participant’s knowledge of the benefits E2EE to
privacy
Answer Choices Responses
A great deal 46.15% 12 A lot 23.08% 6 A moderate amount 19.23% 5 A little 11.54% 3 None at all 0.00% 0
Total 26
Significance of results
The objective of chapter four was to present the findings of 26 qualitative descriptive
research survey participants on their views and opinions of end-to-end encryption, backdoors,
and privacy. Thematic examination and data analysis of the 26 surveys revealed six themes:
1. Government and Privacy
2. Information
3. Encryption
4. Activities
5. Social Media
6. Communications
The themes above revealed the views and perspectives of the survey participants. The six
themes showed that non-technology professionals who contributed to this study were concerned
ENCRYPTION BACKDOORS AND PRIVACY 95
about their activities and communications on social media, and what the government is
proposing to do with their private information. The themes showed that participants knew about
the benefits of encryption technology and its presence on websites in which sensitive information
is given out by users.
Chapter Summary
Chapter four presented validity, reliability, results, and data analysis of 26 qualitative
descriptive design survey of non-technology professionals in the state of Minnesota, USA. Data
analysis provided results for the three research questions which guided the research study.
Each participant recounted their unique perspectives about E2EE and government
proposed encryption backdoors on privacy. Preliminary coding was done manually by writing-
down keywords for each transcript during the first few readings of the survey submissions as
recommended by Braun and Clarke (2006), to create familiarity with the data. Due to the ample
amount of qualitative data from open-ended questions, NVivo 12 Plus software for qualitative
analysis was used to assist in confirming the manual coding and the eventual identification of
themes.
Three research questions guided this study. The first question (RQ1) was, do non-
technology professionals in the U.S. understand the impact of creating backdoors into end-to-end
encrypted technologies? Analysis of the qualitative survey data revealed two themes for RQ1,
which were government and privacy. Further analysis of data led the researcher to merge both
themes under a single theme. The words government and privacy were also the most used words
by survey participants in the entire survey. Except for three participants who responded as
having no opinion to survey questions related to RQ1, 23 other participants respondent with
strong views on one side or the other of the encryption debate.
ENCRYPTION BACKDOORS AND PRIVACY 96
The second research question (RQ2) was, what are the perspectives of non-technology
professional users of IM applications regarding the argument security comes at a price, namely at
the expense of privacy? Three themes emerged from participant responses to RQ2: 1)
Information, 2) Activities, and 3) Communication. The first theme was information. Majority of
the participants expressed neutral or mixed sentiments on this theme; generally agreeing that
private information should remain private. The second theme for RQ2 was activities. Participants
expressed their sentiment for activities by associating it with words such as “unlawful,”
“electronic,” and “hacker.” Participants who coded for activities all expressed comfort in letting
their security be of a higher priority than privacy. The third theme that emerged from the analysis
of data for RQ2 was communications. Participants who coded for the communication were
against giving up their private communications in exchange for more security.
The third research question (RQ3) was, to what extent does the knowledge of encryption
as a technology in safeguarding consumer privacy affect the use of the internet by non-
technology professionals in the U.S.? Two themes emerged from the participants’ responses: 1)
Social media and 2) Encryption. On the theme on social media, four participants said they were
limiting what they share on social media today, but with the knowledge of the advantages of
strong encryption their confidence on the privacy of the information on social media has
increased. On the second theme related to RQ2, encryption, three of the five participants who
coded for this theme were concerned that terrorists could master encryption technology and use it
to cause harm to society.
Chapter 5 presents a detailed summary of this qualitative descriptive study. Also, chapter
5 recapitulates the research topic, the problem statement, the research questions, and salient
aspects of the conceptual framework and literature review. Additionally, Chapter 5 explains how
ENCRYPTION BACKDOORS AND PRIVACY 97
the data results augment existing knowledge on the topic and creates a compendium of
conclusions related to the conceptual framework for the study. Finally, Chapter 5 suggests
recommendations for future exploration and practice and discusses the implications that evolved
from the study.
ENCRYPTION BACKDOORS AND PRIVACY 98
CHAPTER 5: FINDINGS AND RECOMMENDATIONS
The purpose of this qualitative descriptive research study is to raise awareness for non-
technology professional users of mobile devices on the benefits of encryption for privacy. This
research study was relevant because it aimed at filling some of the gaps in the literature
regarding the opinions and views of non-technology professionals on the effects of end-to-end
encryption (E2EE) on society (Brantly, 2017). This research study examined the perspectives of
26 adult non-technology professionals in the state of Minnesota; this consisted of 12 females and
14 males.
This research study is based on the problem statement: law enforcement’s advocacy for a
backdoor into E2EE in instant messaging (IM) services was undermining privacy and security
(McCarthy, 2016). The specific problem was that non-technology professionals do not
understand the impact of creating backdoors into encryption technologies (Sagers, Hosack, &
Rowley, 2015; Wei et al., 2016). A qualitative descriptive study approach enabled the research
participants to present a picture of their perceptions and construct their own individual meanings
of the impact of a backdoor to their private chats. Additionally, a qualitative descriptive stance
permitted for objective research that was not constrained by the views of the researcher. Open-
ended questions provided participants a means to best voice their experiences unrestricted by the
influence of the researcher or past research findings (Creswell, 2015). The research questions
facilitated an examination of the phenomenon from individual portrayals of the research
participants. The following research questions guided this study:
RQ1: Do non-technology professionals in the U.S. understand the impact of creating
backdoors into end-to-end encrypted technologies?
ENCRYPTION BACKDOORS AND PRIVACY 99
RQ2: What are the perspectives of non-technology professional users of IM applications
regarding the argument security comes at a price, namely at the expense of
privacy?
RQ3: To what extent does the knowledge of encryption as a technology in safeguarding
consumer privacy affect the use of the internet by non-technology professionals?
In this research study, the research problem was addressed in various stages throughout
each chapter. An explanation for the choice of qualitative methodology as well as the
background of the research problem, assumptions, limitations, and delimitations were presented
in chapter one. Chapter one also discussed the conceptual framework for this research study. In
chapter two, a review of literature related to the research problem was conducted using the
thematic literature review approach. Chapter three outlined and detailed the research
methodology and design, population, and sampling technique, and it also itemized the phases of
data analysis.
Additionally, chapter three discussed validity and reliability. Chapter four presented a
detailed discussion of the results of the data analysis, including the identification of six major
themes, and a complete discourse with descriptive statistics for each theme. Chapter 5 presents
an interpretation of the study’s findings and conclusions. This chapter also discusses additional
findings and implications of the research, and recommendations for future research.
Limitations
There were two limitations related to the data analysis of this study.
1. The sample population of this study was limited to a single state, Minnesota. The state of
Minnesota is located in the middle of the sample frame distribution of states or
jurisdictions with the highest and lowest location quotient for information technology
ENCRYPTION BACKDOORS AND PRIVACY 100
experts (“U.S. Department of Labor,” 2017). The interpretation of results is affected by
this limitation because it is not known if location quotient alone or the large population of
healthcare workers in Minnesota introduced biases in the results.
2. Snowball sampling is a useful sampling methodology when it is not possible to use more
traditional survey techniques, and it has been employed successfully in previous work
that has yielded relevant results which have contributed to the body of literature on how
users manage privacy settings on IM applications. (Rashidi, Vaniea, & Camp, 2016).
Snowball sampling technique, however, has its limitations. According to Sharma (2017),
since snowball sampling does not select units for inclusion in the sample based on
random selection, unlike the probability sampling technique, it is impossible to determine
the possible sampling error and make generalizations from the sample to the population.
As such, snowball samples should not be considered to be representative of the
population being studied.
Findings and Interpretations
The application of Braun and Clarke’s (2006) inductive thematic analysis, a data-driven
process, resulted in six themes. The themes provided closure for the three research questions that
were the basis for this research study. Data analysis of survey answers to RQ1 produced a single
theme, government, and privacy.
Theme 1. Government and Privacy. Twenty-three participants (88%) who coded for
these themes showed a clear understanding of what an encryption backdoor meant and its impact
on their privacy. This was significant to this research because it answered RQ1. Eleven of the
participants (42%) were not opposed to the government adding a backdoor to read their private
messages in order to keep them safe, especially if there is a credible threat against public safety.
ENCRYPTION BACKDOORS AND PRIVACY 101
Government has maintained that they will only use this method of access if there is a credible
threat to public safety (Brantly, 2017).
Further, these findings are even more significant because they validate the purpose of the
research, which was to raise awareness for non-technology professional users of mobile devices
on the benefits of encryption to privacy. When participants were asked at the end of the survey if
this research study had increased their knowledge or awareness of the benefits of end-to-end
encryption to your privacy, 23 of the 26 of the participants (89%) responded that it had increased
by a moderate amount, a lot, or a great deal. Research question two, which sought to find out
what were the perspectives of non-technology professional users of IM applications regarding
the argument that security comes at a price, namely at the expense of privacy, generated three
themes, namely: information, activities, and communications.
Theme 2. Information. The sentiments expressed by 18 participants (69%) on this theme
was neutral or mixed. Participants said that while they would like their private messages to
remain private, they also do not mind the government stepping into their private information in
order to keep the country safe. This theme answered RQ2. Participants asserted through their
responses that they are willing to allow the government to infringe on their privacy if that will
guarantee them safety.
Theme 3. Activities. Participants all expressed comfort in letting their security be of a
higher priority than their privacy; thus, endorsing the government’s intent to monitor electronic
activities. This theme also answered RQ2.
Theme 4. Communications. There were four participants (15%) who coded for this
theme. Unlike participants who coded for the activities theme by expressing their comfort with
government surveillance in exchange for security, communications participants were decisively
ENCRYPTION BACKDOORS AND PRIVACY 102
against giving up their private communications in exchange for more security. This theme also
answered RQ2.
Theme 5. Social Media. Four participants (15%) expressed their views and opinions on
how their knowledge of encryption will affect their use of social media applications such as
WhatsApp. This theme on social media was in response to RQ3, which asked participants to
what extent the knowledge of encryption as a technology in safeguarding consumer privacy
affect their use of the internet. Participants expressed more confidence in the use of the internet,
knowing that encryption helps protect their communications.
Theme 6. Encryption. Five participants (19%) coded for encryption. This theme was also
in response to RQ3. Sixty percent of the participants who coded for this theme were concerned
that terrorists could master encryption technology and use it to cause harm to society. In
addressing RQ3, participants all agreed their knowledge of encryption would affect their use of
the internet by increasing the confidence they have in the privacy of online communications.
Comparing Findings to Theoretical Framework and Literature
The conceptual or theoretical framework on which this study was built was the
securitization of technology, which provided a link between science and technology (Barnard-
Wills & Ashenden, 2012; Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009).
According to Schulze (2017), the securitization framework, which is understood as the social
construction of security/insecurity in the digital realm, has rarely been adopted in cryptography
discourses. Granting government and law enforcement agencies special access to otherwise
secure cryptography could, in the worst case, substantially weaken these systems, thus
threatening the safety of the billions of cell phones used by people today (Schulze, 2017). In the
recent years after the Edward Snowden leaks in 2013, there has been an evolving trend towards
ENCRYPTION BACKDOORS AND PRIVACY 103
the application, by default, of E2EE to a range of online communications IM applications, which
result in only the sender and the recipient being able to read the messages (McCarthy, 2016).
According to Rastogi and Hendler (2017), the prevalence of global surveillance as was revealed
by Edward Snowden in 2013 has caused much concern to many users. Some of the concerns
have been related to a third party listening to user conversations, without permission. E2EE in
WhatsApp was designed, keeping such privacy concerns in mind, amongst other security issues
(Rastogi & Hendler, 2017). WhatsApp ensures that the message sender or receiver cannot be
irrefutably tied to a particular message sent in the past by using the forward secrecy encryption
techniques (Rastogi & Hendler, 2017). The results of this research study have confirmed some of
the privacy concerns expressed by mobile device users, as mentioned by Rastogi and Handler
(2017) and Elmer-Dewitt (2016). According to Elmer-Dewitt, following the standoff between
Apple v. FBI over access to the iPhone of the San Bernardino shooter, Americans, by a small
margin (46% to 35%) support the government’s right to access data in smartphones in order to
protect the country against terror threats. This research study has also demonstrated that while
concerned with their privacy, non-technology professionals are willing to allow the government
to access their private messages if they have to do so in order to preserve national security.
Vaziripour et al. (2018) asserted the lack of understanding by non-technology
professionals of what an encrypted chat means, as the reason for the none adoption of E2EE; this
study proved the contrary. Eighty-one percent of participants who completed this research study
said they were aware of what encryption was, and that is was used on most popular websites
such as Twitter and Facebook to safeguard their private and sensitive information.
ENCRYPTION BACKDOORS AND PRIVACY 104
Implications of Findings
The findings of this research study give credibility to the framework of securitization of
technology, which provides a link to Science and Technology Studies (Barnard-Wills &
Ashenden, 2012; Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009). Government
access to otherwise secure cryptography could, in the worst case, substantially weaken these
systems, thus threatening the safety of the billions of cell phones used by people today (Schulze,
2017). This research can be used to understand the perspectives of working non-technology
professionals in the U.S. regarding the government’s request for a cryptographic backdoor in
their smartphones in order to intercept their private communications.
The results of this research study may help create a greater consciousness of the benefits
of encryption to everyday users (non-technology professionals) of smartphones. It may also
amplify the voices of privacy advocates who may increase the pressure on Congress not to yield
to the demand from law enforcement on legislation mandating the creation of secret backdoors
into encryption services by technology companies.
The results of this study may also help educate the everyday user of the internet on the
benefits of E2EE in their daily communications on mobile devices. Participants of this research
study have said that it has significantly increased their knowledge of encryption. This creation of
awareness and expectation of privacy guaranteed by strong encryption for the everyday user of
the internet may also drive more technology companies to adopt E2EE, as was the case after the
Edward Snowden leaks in 2013 (McCarthy, 2016). Another benefit this study may bring is, non-
technology professionals may increase their adoption of using the internet for personal
transactions such as paying bills, online banking, and money transfers once they are aware and
understand the benefits of strong encryption on the internet. Participants of this study have
ENCRYPTION BACKDOORS AND PRIVACY 105
expressed an increase in confidence in their privacy on the internet, knowing that encryption
guarantees such privacy.
Strengths and Weaknesses
There were four strengths in this research study and one weakness. The first strength was
that the researcher achieved data saturation through the participation of 26 working non-
technology professionals who participated in the survey. The researcher’s employment of
structured and open-ended survey questions, a typical approach in qualitative inquiry, yielded
detailed and insightful portrayals of the participants lived experiences and generated substantial
data.
The second strength involved the use of a pilot study. According to Abdul, Othman,
Mohamad, Lim, and Yusof (2017), survey questions could be strengthened by piloting the
surveys. It can also help identify if there are flaws or limitations within the survey design that
allow necessary modifications to the major study. (Abdul et al., 2017). The pilot study for this
research established the comprehensibility, validity, and reliability of the survey questions. The
survey questions were revisited to allow quality data and more in-depth responses from the
participants.
The third strength of this research study was the utilization of manual coding and
subsequently, NVivo 12 Plus data analysis software. Prior to utilizing the NVivo 12 Plus
qualitative data analysis program, each survey submission was read several times, portions of the
text were highlighted in the Microsoft Word documents, and preliminary codes were identified in
the right margin of the transcripts. Qualitative analysis depends to a good extent on the
subjective interpretations of the researcher. Therefore, a combination of personal judgment and
ENCRYPTION BACKDOORS AND PRIVACY 106
software was used to bring objectivity to the coding process. The utilization of NVivo data
software increased the reliability and validity of the study.
The fourth strength was the large amount of qualitative data collected and the detailed
descriptions of the participants’ recounts and subsequent themes. The data allowed for thorough
mining of codes during data analysis and subsequent validation with NVivo data analysis
software. The research study was also able to capture participant’s knowledge and awareness of
E2EE at the beginning of the survey, and also evaluate if they have gained any additional
knowledge during the course of the survey at the end.
The weakness of this study was that it did not investigate if gender, age, ethnicity, and
level of education influenced participants’ views on the government’s demand for a backdoor
into encryption systems. The researcher collected demographic data to learn basic information
about the participants and to ensure that they met the age and geographic location criteria for
participation, but no attempt was made to draw conclusions related to demographic data and their
views and opinions of the government demand for a backdoor into encryption systems. This
could be an area for future qualitative research.
Recommendations
This research study intends to augment the limited number of qualitative descriptive
studies regarding the opinions and views of non-technology professionals on the benefits of
E2EE on society. The results from this study have revealed insightful accounts of 26 non-
technology professionals in the U.S. on E2EE, backdoors, and privacy. The weakness of this
study has created opportunities for a gender-based qualitative inquiry into the phenomenon of
E2EE, backdoors, and privacy. The next section highlights potential areas for researchers to
investigate.
ENCRYPTION BACKDOORS AND PRIVACY 107
Recommendations for Future Research
Based on the results of this research study the following are recommendations for future
research:
1) Extend the research sample area beyond the state of Minnesota to other states. The State
of Minnesota falls in the middle of the rankings for the location quotient for information
security experts (“U.S. Department of Labor,” 2017). Therefore, it is recommended that
states with the highest location quotient for information security experts such as Virginia
and Maryland, as well as states with the lowest location quotient for information security
experts such as New Mexico, Missouri, and Colorado, be sampled.
2) Perform a quantitative study of non-technology professionals with a random sample of
participants distributed across the US. This would eliminate some of the inherent
weaknesses expressed in the limitations of this research study on the snowball sampling
methodology.
3) Include the influence of gender, age, ethnicity, or level of education on participants’
views on the government’s demand for a backdoor into encryption systems could be an
interesting area of research. Similar studies carried out in Iran by Vaziripour et al. (2018)
on the Telegram IM application showed that skewed demographics might have
influenced the results of the research.
4) Expand this research study internationally, into other countries with less cellphone
penetration than the U.S. As mentioned by Schneier et al. (2016), encryption is now a
global phenomenon. Laws in the U.S. mandating backdoors into encryption systems will
primarily affect only U.S. users of encryption products made in the U.S. (Schneier et al.,
2016). Smartphone users in other countries rely on other products. The literature review
ENCRYPTION BACKDOORS AND PRIVACY 108
conducted for this research study found out countries such as Germany, United Kingdom,
Canada, France, and Sweden also produce a lot of encryption products (Schneier et al.,
2016). Researching the perspectives of people of other countries on this topic would
certainly add value to the body of literature in cybersecurity.
5) Limit the research to a specific demographic group within the millennials; young adults
between the ages of 18 – 24 years. Millennials or America’s youth are those born
between 1982 and 2000 (“U.S. Census Bureau,” 2015). They represent more than a
quarter of the nation’s population (“U.S. Census Bureau,” 2015). Although this research
study was for non-technology professionals who were 18 years and older in addition to
other criteria, none of the participants who responded to this study were between the ages
of 18 – 24 years. Respondents ranged in age from 25 – 70 years. Similar studies of this
sort, investigating the usage of WhatsApp mobile application among youth, aged between
18 and 23 years in Chennai, India have been carried out by Jisha and Jebakumar (2014).
6) Investigate the baby boomer generation. The baby boomer generation is defined as
people born between 1946 and 1964 (“U.S. Census Bureau,” 2015). In this research
study, only 2 participants (8%) were baby boomers. It would be relevant to the body of
literature in cybersecurity to get the views and opinions of baby boomers who are a pre-
internet generation, regarding the government’s request for a cryptographic backdoor in
their smartphones in order to intercept their private communications.
Chapter Summary
This research study was based on the problem statement: law enforcement’s advocacy for
a backdoor into E2EE in instant messaging (IM) services was undermining privacy and security
(McCarthy, 2016). The specific problem was that non-technology professionals do not
ENCRYPTION BACKDOORS AND PRIVACY 109
understand the impact of creating backdoors into encryption technologies (Sagers, Hosack, &
Rowley, 2015; Wei et al., 2016). In this chapter, the research study results revealed that 81% of
participants said they were aware of what encryption was and that is was used on most popular
websites such as Twitter and Facebook to safeguard their private and sensitive information. This
chapter also outlined the limitations as well as the strengths and weaknesses of the research
study. Limitations included the selection of a single state, Minnesota, for sampling as well as the
use of snowball sampling methodology. Some of the strengths of the research study included the
attainment of data saturation by sampling 26 participants, as well as the use of a pilot study to
strengthen the survey instrument.
The results of this research study were also placed in the context of the sparse amounts of
literature on the topic of the research. The results of this research study have confirmed some of
the privacy concerns expressed by mobile device users, as mentioned by Rastogi and Handler
(2017) and Elmer-Dewitt (2016). According to Elmer-Dewitt, following the standoff between
Apple v. FBI over access to the iPhone of the San Bernardino shooter, Americans, by a small
margin (46% to 35%) supported the government’s right to access data in smartphones in order to
protect the country against terror threats. This research study has also demonstrated that though
concerned with their privacy, non-technology professionals are willing to allow the government
to access their private messages if they have to do so in order to preserve national security.
Recommendations were made at the end of this chapter for future research such as the
application of a gender-based filter on the result set in order to see if it will skew the results in
any way. Also, to extend this research study to a quantitative study of non-technology
professionals with a random sample of participants distributed across the US. This would
ENCRYPTION BACKDOORS AND PRIVACY 110
eliminate some of the inherent weaknesses expressed in the limitations of this research study on
the snowball sampling methodology.
ENCRYPTION BACKDOORS AND PRIVACY 111
References
Abelson, H., Anderson, R., Bellovin, S. M., Benalo, J., Blaze, M., Diffie, W.,… Weitzner,
D. J. (2015). Keys under doormats: Mandating insecurity by requiring government access
to all data and communications. Computer Science and Artificial Intelligence Laboratory
Technical Report, MIT-CSAIL-TR-2015-026. doi: http://hdl.handle.net/1721.1/97690
Abdul, M. M, Othman, M., Mohamad, S. F., Lim, S. A., & Yusof, A. (2017). Piloting for
interviews in qualitative research: Operationalization and Lessons Learnt. International
Journal of Academic Research in Business and Social Sciences. 7(4).
doi:10.6007/IJARBSS/v7-i4/2916
Alhojailan, M. I. (2012). Thematic Analysis: A critical review of its process and
evaluation. West East Journal of Sciences, 1(1). Retrieved from
https://s3.amazonaws.com/academia.edu.documents/53978242/THEMATIC_ANALYSI
S.pdf?AWSAccessKeyId=AKIAIWOWYYGZ2Y53UL3A&Expires=1549320539&Sign
ature=yYq7gzJStQI5PjPV%2FTgqP0SwhxM%3D&response-content-
disposition=inline%3B%20filename%3DTHEMATIC_ANALYSIS_A_CRITICAL_RE
VIEW_OF_I.pdf
Ali, A. H., & Sagheer, A. M. (2017). Design of an android application for secure
chatting. International Journal of Computer Network and Information Security, 9(2), 29.
doi: 10.5815/ijcnis.2017.02.04
Barnard-Wills, D., & Ashenden, D. (2012). Securing virtual space: cyber war, cyber
terror, and risk. Space and Culture, 15(2), 110–123.
https://doi.org/10.1177/1206331211430016
Barr, A. C. (2016). Guardians of Your Galaxy S7: Encryption backdoors and the first
ENCRYPTION BACKDOORS AND PRIVACY 112
amendment. Minn. L. Rev., 101, 301-383. Retrieved from
http://www.minnesotalawreview.org/wp-content/uploads/2016/11/Barr.pdf
Beckmeyer, M. R. (2017). Identifying the tipping point between security and privacy:
a mixed methods study on balancing the u.s. government’s post-9/11 domestic electronic
surveillance program with u.s. citizens’ privacy rights & expectations (Unpublished
Doctoral Dissertation). Capitol Technology University, MD.
Bradshaw, C., Atkinson, S., & Doody, O. (2017). Employing a qualitative description
approach in health care research. Global Qualitative Nursing Research 4, 1-8.
https://doi.org/10.1177/2333393617742282
Brantly, A. F. (2017, August). Banning encryption to stop terrorists: A worse than
futile exercise. Combating Terrorism Center at West Point, CTCSENTINEL, 10(7), 29-
35. Retrieved from https://ctc.usma.edu/banning-encryption-to-stop-terrorists-a-worse-
than-futile-exercise/
Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative
Research in Psychology, 3(2), 77-101. http://dx.doi.org/10.1191/1478088706qp063oa
Casemajor, N., Couture, S., Delfin, M., Goerzen, M., & Delfanti, A. (2015). Non-
participation in digital media: toward a framework of mediated political action. Media,
Culture & Society, 1(1), 1-17. doi:10.1177/0163443715584098
Castro, D., & McQuinn, A. (2016, March). Unlocking encryption: Information security
and the rule of law. Information Technology & Innovation Foundation. Retrieved from
http://www2.itif.org/2016-unlocking-encryption.pdf
Cipriani, J. (2016, March 10). What you need to know about encryption on your phone.
Retrieved from https://www.cnet.com/news/iphone-android-encryption-fbi/
ENCRYPTION BACKDOORS AND PRIVACY 113
Constine, J. (2018, January 31). WhatsApp hits 1.5 billion monthly users. $19 billion? Not
so bad. Retrieved from https://techcrunch.com/2018/01/31/whatsapp-hits-1-5-billion-
monthly-users-19b-not-so-bad/
Creswell, J. W. (2015). Educational research: planning, conducting, and evaluating
quantitative and qualitative research. Upper Saddle River, NJ: Pearson Education, Inc.
Crocker, A., & Cardozo, N. (2018, May). Bring in the nerds: EFF introduces actual
encryption experts to U.S. Senate staff. Retrieved from
https://www.eff.org/deeplinks/2018/05/bring-nerds-eff-introduces-actual-encryption-
experts-us-senate-staff
Deibert, R. J., & Rohozinski, R. (2010). Risking security: Policies and paradoxes of
cyberspace security. International Political Sociology, 4(1), 15–32.
doi/abs/10.1111/j.1749-5687.2009.00088.x
Dews-Farrar, V. (2018). Students' reflections and experiences in online learning: A
qualitative descriptive inquiry of persistence (Order No. 10809354). Available from
ProQuest Dissertations & Theses Global. (2036952458). Retrieved from
https://search.proquest.com/docview/2036952458
Dunn Cavelty, M. (2015). Die materiellen ursachen des cyberkriegs
cybersicherheitspolitik jenseits diskursiver erklärungen. Journal of Self-Regulation and
Regulation, 1, 167–184. doi:10.11588/josar.2015.0.23486
Elmer-Dewitt, P. (2016). Apple vs. FBI: What the polls are saying. Fortune. Retrieved
from http://fortune.com/2016/02/23/apple-fbi-poll-pew
Endeley, R. E. (2018). End-to-end encryption in messaging services and national
ENCRYPTION BACKDOORS AND PRIVACY 114
security - case of WhatsApp messenger. Journal of Information Security, 9(1), 95-99.
https://doi.org/10.4236/jis.2018.91008
Fink, A. (2018). How to conduct surveys. A step-by-step guide. Thousand Oaks, CA:
Sage Publications, Inc.
Gaynor, M., Omer, T., & Turner, J. (2017). Using simulation to teach security and
encryption to non-technical healthcare professionals. International Journal of Privacy
and Health Information Management (IJPHIM) 5(1). Retrieved from https://www.igi-
global.com/article/using-simulation-to-teach-security-and-encryption-to-non-technical-
healthcare-professionals/179269
Hawkins, D. (2018, June 11). The Key. The cybersecurity 202: We surveyed 100 experts. A
majority rejected the FBI's push for encryption backdoors. Retrieved from
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-
202/2018/06/11/the-cybersecurity-202-we-surveyed-100-experts-a-majority-rejected-the-
fbi-s-push-for-encryption-back-
doors/5b1d39eb1b326b6391af094a/?utm_term=.737d0dfd32f6
Hansen, L., & Nissenbaum, H. (2009). Digital disaster, cyber security, and the
Copenhagen School. International Studies Quarterly, 53(4), 1155–1175.
https://doi.org/10.1111/j.1468-2478.2009.00572.x
Hern, A. (2014, October 17). The Guardian: Apple defies FBI and offers encryption by
default on new operating system. Retrieved from
https://www.theguardian.com/technology/2014/oct/17/apple-defies-fbi-encryption-mac-
osx
Herzberg, A., & Leibowitz, H. (2016). Can Johnny finally encrypt? Evaluating E2E-
ENCRYPTION BACKDOORS AND PRIVACY 115
encryption in popular im applications. doi:10.1145/3046055.3046059.
Hilal, A. H., & Alabri, S. S. (2013). Using NVIVO for data analysis in qualitative research.
International Interdisciplinary Journal of Education, 2(2), 181–186.
Ho, k., Nistala, A., Tu, K. (2016). End-to-end message encryption for Tinder. Retrieved
from https://courses.csail.mit.edu/6.857/2016/files/19.pdf
Human Rights Watch (2015, March). UN: Major step on internet privacy. Retrieved
from https://www.hrw.org/news/2015/03/26/un-major-step-internet-privacy
Inserra, D., Rosenzweig, P., Stimson, C. D., Shedd, D., & Bucci, S. P. (2015).
Encryption and law enforcement special access: The U.S. should err on the side of
stronger encryption (Report No. 4459). Washington, DC: The Heritage Foundation.
Jisha, K., & Jebakumar. (2014). A trend setter in mobile communication among
Chennai youth. IOSR Journal of Humanities and Social Science (IOSR-JHSS), 19(9), 01-
06. doi: 10.9790/0837-19970106
Jones, J., Turunen, H., & Snelgrove, S. (2016). Theme development in
qualitative content analysis and thematic analysis. Journal of Nursing Education
and Practice, 6(5), 100.
Kehl, D., Wilson, A., & Bankston, K. S. (2015, June). Doomed to repeat history?
Lessons from the crypto wars of the 1990s. New America. Washington, DC: New
America. Retrieved from https://static.newamerica.org/attachments/3407-doomed-to-
repeat-history-lessons-from-the-crypto-wars-of-the-
1990s/Crypto%20Wars_ReDo.7cb491837ac541709797bdf868d37f52.pdf
Kern, D. (2012). Understanding and implementing encryption backdoors. Retrieved
from http://cse.ucdenver.edu/~dkern/CSC7002/paper.pdf
ENCRYPTION BACKDOORS AND PRIVACY 116
Klein, A. I. (2016). Decryption mandates and global internet freedom. Toward a
pragmatic approach. National Security, Technology, and Law, 1608. Retrieved from
https://lawfareblog.com/decryption-mandates-and-global-internet-freedom
Latham, J. (2014). Qualitative sample size – how many participants is enough? Retrieved
from https://www.drjohnlatham.com/many-participants-enough/
Levy, S. (2018, April). Cracking the crypto war. WIRED. Retrieved
from https://www.wired.com/story/crypto-war-clear-encryption/
Lewis, J., Zheng, D., & Carter, W. (2017, February). The effect of encryption on lawful
access to communications and data. A report of the CSIS Technology Policy Program.
Washington, DC: Center for strategic and international studies
Lichtblau, E., & Goldstein, J. (2016, March 8). Justice Dept. appeals ruling in Apple iPhone case
in Brooklyn. The New York Times. Retrieved from
https://www.nytimes.com/2016/03/08/technology/justice-dept-appeals-ruling-in-apple-
iphone-case-in-brooklyn.html
Locklear, M. (2017, October). FBI tried and failed to unlock 7,000 encrypted devices.
Retrieved from https://www.engadget.com/2017/10/23/fbi-failed-unlock-7-000-
encrypted-devices/
Mak, A. (2018). How did the fbi access paul manafort’s encrypted messages. Slate.
Retrieved from https://slate.com/technology/2018/06/paul-manafort-how-did-fbi-access-
whatsapp-messages.html
Marks, Joseph. (2018, Aug 31). Five eyes intel alliance urges big tech to help break encrypted
messages. Nextgov.Com (Online), Retrieved from
https://search.proquest.com/docview/2098188902?accountid=44888
ENCRYPTION BACKDOORS AND PRIVACY 117
Max, Steven Patterson. (2016, April). WhatsApp copies apple’s strong encryption defense.
Network World, Southborough. Retrieved from
https://search.proquest.com/docview/1779534877?accountid=44888
McCarthy, H. J. (2016). Decoding the encryption debate: Why legislating to restrict
strong encryption will not resolve the “going dark” problem. Journal of Internet Law.
20(3). Retrieved from https://www.slideshare.net/HughJMcCarthy/decoding-the-
encryption-debate-hugh-j-mccarthy-september-2016222905691pdf
McCarthy, K. (2018, April). ISO blocks NSA's latest IoT encryption systems amid murky
tales of backdoors and bullying. Retrieved from
https://www.theregister.co.uk/2018/04/25/nsa_iot_encryption/
Michalas, A. (2017). How WhatsApp encryption works - and why there shouldn’t be
a backdoor. The Conversation. Retrieved from
https://theconversation.com/how-whatsapp-encryption-works-and-why-there-shouldnt-
be-a-backdoor-75266
Novak, M. (2018). Paul Manafort learns that encrypting messages doesn't matter if the
feds have a warrant to search your iCloud account. Retrieved
from https://gizmodo.com/paul-manafort-learns-that-encrypting-messages-doesnt-ma-
1826561511
Open Whisper Systems. (2013, July) Simplifying OTR deniability. Retrieved
from https://whispersystems.org/blog/simplifying-otr-deniability
Patton, M. Q. (1990). Qualitative evaluation and research methods (2nd ed.). Newbury
Park, CA: Sage.
Pavone, V., & Esposti, S. D. (2010). Public assessment of new surveillance-oriented
ENCRYPTION BACKDOORS AND PRIVACY 118
Security technologies: Beyond the trade-off between privacy and security. Public
Understanding of Science, 21(5), 556-572. doi:10.1177/0963662510376886
Perry, S. (2016). Tim Cook, a case study on the effects of transformational leadership
on privacy and IT security. Retrieved from
https://www.sans.edu/media/Tim-Cook-Transformational-Leadership-Essay-Final.pdf
Rashidi, Y., Vaniea, K., & Camp, J. (2016). Understanding Saudis' privacy concerns when
using WhatsApp. doi:10.14722/usec.2016.23022.
Rastogi, N., & Hendler, J. (2017, June). WhatsApp security and role of metadata in
preserving privacy. Paper presented at the European Conference on Cyber Warfare and
Security 269-XVI. Dublin, Ireland.
Rid, T. (2016). Maschinendämmerung: Eine kurze Geschichte der Kybernetik. Berlin:
Propyläen Verlag.
Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital
signatures and public-key cryptosystems. Communications of the ACM,
21(2), 120-126. doi: 10.1145/359340.359342
Ruiz, D. (2018). The secure data act would stop backdoors. Electronic Frontier
Foundation. Retrieved from https://www.eff.org/deeplinks/2018/05/secure-data-act-
would-stop-backdoors
Sagers, G., Hosack, B., & Rowley, R. (2015). Where's the security in WiFi? An
argument for industry awareness. 48th Hawaii International Conference on System
Sciences. IEEE Computer Society. Washington, DC, USA
Salkind, N. J. (2012). Exploring research. Upper Saddle River, NJ: Pearson Education,
Inc.
ENCRYPTION BACKDOORS AND PRIVACY 119
Sarker, G.R. (2015). Impact of WhatsApp messenger on the university level students: A
sociological study. International Journal of Natural and Social Sciences, 2,118-125.
Retrieved from http://ijnss.org/wp-content/uploads/2015/05/IJNSS-V2I4-16-pp-118-
125.pdf
Sayler, A. J. (2016). securing secrets and managing trust in modern computing
applications (Doctoral dissertation). Retrieved from
https://scholar.colorado.edu/csci_gradetds/112
Schneier, B. (2018, April). Two NSA algorithms rejected by the ISO. Retrieved
from https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html
Schneier, B. (2018). Ray Ozzie's encryption backdoor. Retrieved from
https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html
Schneier, B., Seidel, K., & Vijayakumar, S. (2016). A worldwide survey of encryption
products. Berkman Center Research Publication 2016-2.
http://dx.doi.org/10.2139/ssrn.2731160
Schulze, M. (2017). Clipper meets apple vs. FBI-A comparison of the cryptography
discourses from 1993 and 2016. Media and Communication, 5(1).
http://dx.doi.org/10.17645/mac.v5i1.805
Shah, R. (2016). Law enforcement and data privacy: A forward-looking approach. The
Yale Law Journal, 125(2), 326-559. Retrieved from
http://digitalcommons.law.yale.edu/ylj/vol125/iss2/5
Sharma, Gaganpreet. (2017). Pros and cons of different sampling techniques. International
Journal of Applied Research 2017, 3(7), 749-752.
Shirvanian, M., Saxena, N., & George, J. (2017, December). On the pitfalls of
ENCRYPTION BACKDOORS AND PRIVACY 120
end-to-end encrypted communications: A study of remote key-fingerprint verification.
Proceedings of the 33rd Annual Computer Security Applications Conference. Orlando,
FL.
Simon, M. (2011). Dissertation and scholarly research: Recipes for success. New York,
NY: Createspace Independent Publishing Platforms.
Steven, L. (2018, April). WIRED: Cracking the crypto war. Retrieved
from https://www.wired.com/story/crypto-war-clear-encryption
SurveyMonkey Inc. (2019). Retrieved from www.surveymonkey.com. San
Mateo, California, USA
Sutikno, T., Handayani, L., Stiawan, D., Riyadi, M. A., & Subroto, I. M. I. (2016).
WhatsApp, Viber and Telegram which is best for instant messaging? International
Journal of Electrical and Computer Engineering, 6(3), 909-914. doi:
10.11591/ijece.v6i3.10271
Swire, P., & Ahmad, K. (2012). Encryption and globalization. The Columbia Science &
Technology Law Review, 13, 416-480. http://dx.doi.org/10.2139/ssrn.1960602
The Open University. (2017). Monitoring, Evaluation, Accountability and Learning
(MEAL): 6 Methods of data collection and analysis. Retrieved from
http://www.open.edu/openlearncreate/mod/resource/view.php?id=52658
Thomson, I. (2013). What have we learned about NSA? Privacy Journal, 39(9), 1-6. Retrieved
from https://franklin.captechu.edu:2074/docview/1418236576?accountid=44888
U.S. Census Bureau. (2015, June). Millennials Outnumber Baby Boomers and Are Far More
Diverse, Census Bureau Reports. Release number CB15-113. Retrieved from
https://www.census.gov/newsroom/press-releases/2015/cb15-113.html
ENCRYPTION BACKDOORS AND PRIVACY 121
U.S. Census Bureau. (2016, August). Number of IT workers has increased tenfold since
1970, census bureau reports. Retrieved from https://www.census.gov/newsroom/press-
releases/2016/cb16-139.html
U.S. Department of Homeland Security. (2015, July). Going Dark: Encryption,
Technology and the Balance between Public Safety and Privacy. Senate Committee on
the Judiciary. Homeland Security Digital Library
U.S. Department of Labor. (2017). Bureau of Labor Statistics. Occupational
employment statistics. Retrieved from
https://www.bls.gov/oes/current/occ_state_lq_chart/occ_state_lq_chart.htm#
U.S. Department of Labor. (2019). Bureau of Labor Statistics. Labor force statistics from the
current population survey. Retrieved from https://www.bls.gov/cps/cpsaat11b.htm
Vaismoradi, M., Jones, J., Turunen, H., & Snelgrove, S. (2016). Theme development in
qualitative content analysis and thematic analysis. Journal of Nursing Education
and Practice, 6(5), 100
Vaziripour, E., Wu, J., Farahbakhsh, R., Seamons, K., O’Neill, M., & Zappala, D. (2018). A
survey of the privacy preferences and practices of iranian users of telegram. Workshop
on Usable Security (USEC). San Diego, CA.
https://dx.doi.org/10.14722/usec.2018.23033
Wei, B., Doowon, K., Moses N., Yichen Q., Patrick G., & Michelle L. (2016). An
inconvenient trust: User attitudes toward security and usability tradeoffs for key-
directory encryption systems. Twelfth Symposium on Usable Privacy and Security.
Denver, CO
WhatsApp (2017, December). WhatsApp encryption overview. Technical white paper.
ENCRYPTION BACKDOORS AND PRIVACY 122
Retrieved from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
Yeboah, J., & Ewur, G. (2014). the impact of WhatsApp messenger usage on students
performance in tertiary institutions in Ghana. Journal of Education and Practice, 5(6),
157-164. Retrieved from
https://www.iiste.org/Journals/index.php/JEP/article/view/11241
Zapotosky, M. (2016, March 28). FBI has accessed San Bernardino shooter’s phone without
Apple’s help. National Security. The Washington Post. Retrieved from
https://www.washingtonpost.com/world/national-security/fbi-has-accessed-san-
bernardino-shooters-phone-without-apples-help/2016/03/28/e593a0e2-f52b-11e5-9804-
537defcc3cf6_story.html?utm_term=.5ec203ab2092
ENCRYPTION BACKDOORS AND PRIVACY 123
APPENDIX A
ENCRYPTION BACKDOORS AND PRIVACY 124
ENCRYPTION BACKDOORS AND PRIVACY 125
APPENDIX B
Human Subjects Participant Consent
Dear Participant,
My name is Robert E. Endeley, and I am a doctoral student in Cybersecurity at Capitol
Technology University. I am currently in the process of recruiting individuals for my doctoral
research study entitled “End-to-End Encryption, Backdoors, and Privacy”.
Almost everyone in the U.S.A. uses a smartphone these days either for regular telephone
calls or for texting, and chatting with friends and relatives through the use of favorite apps such
as Facebook Messenger, WhatsApp, or Viber. When we communicate with our friends and
relatives, we expect our conversations to remain private. However, in recent years, the U.S.
government has been exploring ways of forcing smartphone manufacturers such as Google,
Apple, and Microsoft to introduce a so-called “backdoor” into the phones so that, for national
security reasons, the government can eavesdrop or “snoop” into your private conversations and
intercept the messages of suspected criminals or people under investigation.
The purpose of this study is to raise awareness of non-technology professional users of
mobile devices on the benefits of encryption for privacy. To this end, I am inviting individuals
who identify themselves as non-technology professionals in the U.S. to participate in my study. I
hope you will voluntarily agree to participate.
The study is part of my dissertation, which is a requirement for the completion of a
Doctor of Science degree at Capitol Technology University. To collect data for this study, I, the
researcher, will conduct online or hand-out paper-based survey and will maintain sole ownership
of all research data. By participating in this study, you may learn information about what the
U.S. government has proposed to do to your private information that may make you feel
ENCRYPTION BACKDOORS AND PRIVACY 126
uncomfortable, uninformed, and not considered in the decision-making process. You may
withdraw your participation in the study at any point during the research. If you are taking the
online survey, you can stop participating at any time by clicking the “Exit” link at the top of the
page or by simply closing the web browser. For the paper-based survey participants, you can
stop participating at any point by declining to answer the questions. If you opt-out without
completing the online survey or paper-based questionnaire, your data will not be used as part of
this study. To protect the anonymity and confidentiality of participants, I will not include the
actual names or identifying information of participants in this research or its publication.
The results of this study will contribute significantly to the benefit of a society that is
mostly unaware of the fact that the right to privacy on the internet is a human right. The results
of this study will, therefore, help educate the non-technology professional user of the internet on
the benefits of encryption in their daily communications on mobile devices.
Capitol Technology University requires that research participants sign a consent form
(Human Subjects Participant Consent) to participate in this study, which informs you of the
nature of the study and your rights. Your participation is strictly voluntary, and you may
terminate your involvement at any time. Participants in this study will not receive any form of
compensation or reward, before, during, or after completion of the research. Thank you for your
willingness to participate in this research study. Please do not hesitate to contact me at
[email protected] or 763-300-1630, if you have questions, comments, or concerns about
the study.
Sincerely,
Robert E. Endeley
Doctor of Science Student
ENCRYPTION BACKDOORS AND PRIVACY 127
Capitol Technology University
Signature __________________________________________ Date _________
Please note that signing this consent form indicates your agreement to participate in this study.
ENCRYPTION BACKDOORS AND PRIVACY 128
APPENDIX C
Literature Review Map
ENCRYPTION BACKDOORS AND PRIVACY 129
APPENDIX D
Literature Search
Key Word Search Journals/ Dissertations Reviewed
Books Reviewed
Conference Reviewed
YouTube/ TED Videos
Reports/ Studies Reviewed
End-to-end encryption
157 13 10 10 3
Encryption 200 13 10 5 3
WhatsApp security 2 0 2 0 2
Risks of encryption backdoors
26 2 0 7 0
Law enforcement and privacy 10 0 5 4 3
Total Publications Reviewed (487) 395 28 27 26 11
ENCRYPTION BACKDOORS AND PRIVACY 130
APPENDIX E
Research Methodology Map
- Abstract
- Dedication
- Acknowledgments
- TABLE OF CONTENTS
- List of Tables
- Table 1 Demographic Summary of Research Study Participants..................................................81
- Table 2 Research Questions, their Corresponding Themes, and Survey Questions......................87
- Table 3 How much the survey information had increased participant’s knowledge
- of the benefits E2EE to ……………………………………………………………………….....94
- List of Figures
- CHAPTER 1: INTRODUCTION
- Background of Study
- Problem Statement
- Purpose of Dissertation Study
- Significance of the Study
- Nature of Study
- Research Questions
- Conceptual or Theoretical Framework
- Definitions
- Assumptions
- Scope, Limitations, and Delimitations
- Chapter Summary
- CHAPTER 2: LITERATURE REVIEW
- Overview
- The Evolution of Encryption
- Private and Public Key Encryption
- Governments’ and Law Enforcement’s Encroachment on Encryption Technology
- Encryption Backdoors
- E2EE implementation in Mobile Applications Today
- Security Fundamentals of WhatsApp
- The Worldwide Impact of the Use of WhatsApp
- WhatsApp Privacy Concerns on the Youth
- Overview of Proposed Historical Solutions
- Conclusion
- Chapter Summary
- CHAPTER 3: METHOD
- Research Method and Design Appropriateness
- Research Design
- Population, Sampling, and Data Collection Procedures and Rationale
- Sampling
- Informed Consent
- Confidentiality and Anonymity
- Data Collection and Data Sources
- Pilot Study
- Reliability
- Validity: Internal
- Transferability
- Data Analysis
- Phase 1: Familiarization with Collected Data
- Phase 2: Generating Initial Codes
- Phase 3: Searching for Themes
- Phase 4: Reviewing Themes
- Phase 5: Defining and Naming Themes
- Phase 6: Producing the Report
- Chapter Summary
- CHAPTER 4: RESULTS
- Pilot Study
- Threats to validity and reliability
- Findings
- Demographics
- Data Analysis Procedures
- Results
- Significance of results
- Chapter Summary
- CHAPTER 5: Findings and recommendations
- Limitations
- Findings and Interpretations
- Comparing Findings to Theoretical Framework and Literature
- Implications of Findings
- Strengths and Weaknesses
- Recommendations
- Recommendations for Future Research
- Chapter Summary
- References
- APPENDIX A
- APPENDIX B
- Human Subjects Participant Consent
- APPENDIX C
- Literature Review Map
- APPENDIX D
- Literature Search
- APPENDIX E
- Research Methodology Map