Back Doors to encryption

profilefollower
End-to-endEncryptionBackdoorsandPrivacy.pdf

Running head: ENCRYPTION BACKDOORS AND PRIVACY

End-to-End Encryption, Backdoors, and Privacy

by

Robert E. Endeley

A Dissertation Presented in Partial Fulfillment

of the Requirements for the Degree

Doctor of Science in Cybersecurity

CAPITOL TECHNOLOGY UNIVERSITY

June 27, 2019

© 2019 by Robert E. Endeley ALL RIGHTS RESERVED

ProQuest Number:

All rights reserved

INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed,

a note will indicate the deletion.

ProQuest

Published by ProQuest LLC ( ). Copyright of the Dissertation is held by the Author.

All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code

Microform Edition © ProQuest LLC.

ProQuest LLC. 789 East Eisenhower Parkway

P.O. Box 1346 Ann Arbor, MI 48106 - 1346

22624057

22624057

2019

ENCRYPTION BACKDOORS AND PRIVACY

End-to-End Encryption, Backdoors, and Privacy

Approved:

Sondria Miller, Ph.D., Chair

Ian McAndrew, Ph.D., Committee Member

Donovan Wright, Ed.D., Committee Member

___________________________________________________________ Ian McAndrew, Ph.D Date Dean of Doctoral Studies Capitol Technology University

endrob
Stamp
endrob
Pencil

ENCRYPTION BACKDOORS AND PRIVACY

Abstract

A qualitative analysis study that examined the views and opinions of non-technology

professionals in the U.S. regarding government and law enforcement agencies’ demand for

legislation that will allow them to snoop on online private communications of smartphone users.

Governments would prefer exclusive access to encryption technologies, called a backdoor, to use

in accessing messages. Technology professionals have, however, argued against a backdoor; they

claim a backdoor would not only be an infringement of their privacy but that hackers could also

take advantage of it. In light of this security and privacy conflict between technology

professionals and government’s need to access messages in order to thwart potential terror

attacks, this study presents the views and opinions of non-technology professionals in the U.S.

on the ensuing encryption debate. Using qualitative descriptive design methodology, a survey of

26 participants was conducted and data was analyzed using Braun and Clarke’s six-step process

of inductive thematic analysis. Results from this research study showed that non-technology

professionals are willing to allow the government to infringe on their privacy if that will

guarantee them safety.

Keywords: instant messaging, WhatsApp, end-to-end encryption, privacy, government

ENCRYPTION BACKDOORS AND PRIVACY iii

Dedication

I dedicate this doctoral study first to the glory and honor of God, and then to my three

lovely children, Prince Herbie, Princess Dianne, and Princess Bellafannie. These three little

giants kept the joie de vivre in me as I navigated the rough seas of doctoral study. I also dedicate

this study to my late father Dr. E.M.L Endeley and late mother Fanny E. Endeley, not leaving out

my late brother and friend Professor Herbie Nganjo Endeley. The last three people have been the

bedrock of my life.

ENCRYPTION BACKDOORS AND PRIVACY iv

Acknowledgments

I want to acknowledge the steadfast support of my aunt, Enanga Catherine Ndima, a

beautiful and kind-hearted lady, who graciously took care of my kids throughout the grueling

process of doctoral study. I acknowledge the meticulous supervision of my chair, Dr. Sondria

Miller, who guided me throughout this dissertation and taught me how to write consciously. I

also acknowledge the immense editing help I got from my sister Princess Grace N.N. Endeley

and my brother Dr. Isaac N. Endeley.

ENCRYPTION BACKDOORS AND PRIVACY v

TABLE OF CONTENTS

Abstract ........................................................................................................................................... 3

Dedication ...................................................................................................................................... iii

Acknowledgments.......................................................................................................................... iv

TABLE OF CONTENTS .................................................................................................. … …….v

List of Tables ................................................................................................................................. ix

List of Figures ................................................................................................................................. x

CHAPTER 1: INTRODUCTION ..................................................................................... … …….1

Background of Study ...................................................................................................................... 2

Problem Statement .......................................................................................................................... 5

Purpose of Dissertation Study ......................................................................................................... 8

Significance of the Study ................................................................................................................ 8

Nature of Study ............................................................................................................................... 9

Research Questions ....................................................................................................................... 12

Conceptual or Theoretical Framework ......................................................................................... 14

Definitions..................................................................................................................................... 17

Assumptions .................................................................................................................................. 19

Scope, Limitations, and Delimitations .......................................................................................... 20

Chapter Summary ......................................................................................................................... 21

CHAPTER 2: LITERATURE REVIEW ............................................................................ .. ……23

Overview ....................................................................................................................................... 25

The Evolution of Encryption ........................................................................................................ 26

Private and Public Key Encryption .......................................................................................... 27

ENCRYPTION BACKDOORS AND PRIVACY vi

Governments’ and Law Enforcement’s Encroachment on Encryption Technology .................... 29

Encryption Backdoors ................................................................................................................... 36

E2EE implementation in Mobile Applications Today .................................................................. 38

Security Fundamentals of WhatsApp....................................................................................... 45

The Worldwide Impact of the Use of WhatsApp..................................................................... 47

WhatsApp Privacy Concerns on the Youth ............................................................................. 48

Overview of Proposed Historical Solutions .................................................................................. 50

Conclusion .................................................................................................................................... 56

Chapter Summary ......................................................................................................................... 57

CHAPTER 3: METHOD .................................................................................................... .. ……59

Research Method and Design Appropriateness ............................................................................ 60

Research Design ....................................................................................................................... 61

Population, Sampling, and Data Collection Procedures and Rationale ........................................ 62

Sampling .................................................................................................................................. 63

Informed Consent ..................................................................................................................... 65

Confidentiality and Anonymity................................................................................................ 65

Data Collection and Data Sources ........................................................................................... 66

Pilot Study ................................................................................................................................ 67

Reliability ................................................................................................................................. 67

Validity: Internal ........................................................................................................................... 68

Transferability .......................................................................................................................... 69

Data Analysis ................................................................................................................................ 69

Phase 1: Familiarization with Collected Data .......................................................................... 71

ENCRYPTION BACKDOORS AND PRIVACY vii

Phase 2: Generating Initial Codes ............................................................................................ 71

Phase 3: Searching for Themes ................................................................................................ 71

Phase 4: Reviewing Themes .................................................................................................... 72

Phase 5: Defining and Naming Themes ................................................................................... 72

Phase 6: Producing the Report ................................................................................................. 73

Chapter Summary ......................................................................................................................... 73

CHAPTER 4: RESULTS ................................................................................................. …. ……75

Pilot Study ..................................................................................................................................... 76

Threats to validity and reliability .................................................................................................. 78

Findings......................................................................................................................................... 79

Demographics .......................................................................................................................... 80

Data Analysis Procedures ........................................................................................................ 81

Results ...................................................................................................................................... 86

Research Question 1 ............................................................................................................ 87

Theme 1. Government and Privacy. .............................................................................. 88

Figure 6. An explore diagram showing codes for the government theme .......................... 89

Research question 2 ............................................................................................................. 90

Theme 1. Information ..................................................................................................... 90

Theme 2. Activities ........................................................................................................ 91

Theme 3. Communications ............................................................................................. 92

Research question 3 ............................................................................................................. 92

Theme 1. Social Media ................................................................................................... 92

Theme 2. Encryption ...................................................................................................... 92

ENCRYPTION BACKDOORS AND PRIVACY viii

Significance of results ................................................................................................................... 94

Chapter Summary ......................................................................................................................... 95

CHAPTER 5: Findings and recommendations ............................................................... ….. ……98

Limitations .................................................................................................................................... 99

Findings and Interpretations ....................................................................................................... 100

Comparing Findings to Theoretical Framework and Literature ................................................. 102

Implications of Findings ............................................................................................................. 104

Strengths and Weaknesses .......................................................................................................... 105

Recommendations ....................................................................................................................... 106

Recommendations for Future Research ...................................................................................... 107

Chapter Summary ....................................................................................................................... 108

References ................................................................................................................................... 111

APPENDIX A ................................................................................................................... … …..123

APPENDIX B ................................................................................................................... … …..125

Human Subjects Participant Consent .......................................................................................... 125

APPENDIX C ................................................................................................................... … …..128

Literature Review Map ............................................................................................................... 128

APPENDIX D ................................................................................................................... … …..129

Literature Search ......................................................................................................................... 129

APPENDIX E ...................................................................................................................... . …..130

Research Methodology Map ....................................................................................................... 130

ENCRYPTION BACKDOORS AND PRIVACY ix

List of Tables

Table 1 Demographic Summary of Research Study Participants..................................................81

Table 2 Research Questions, their Corresponding Themes, and Survey Questions......................87

Table 3 How much the survey information had increased participant’s knowledge

of the benefits E2EE to ……………………………………………………………………….....94

ENCRYPTION BACKDOORS AND PRIVACY x

List of Figures

Figure 1. A bar chart showing the age distribution of participants..............................................80

Figure 2. A pie chart of the six themes generated from the research study.................................84

Figure 3. A thematic map of the major themes generated in the research study.........................85

Figure 4. The relationship between research questions, codes, and themes................................86

Figure 5. Word cloud of the most used words in the open-ended survey questions....................88

Figure 6. An explore diagram showing codes for the government theme...................................89

Figure 7. An explore diagram showing the child themes that make up the information theme..90

Figure 8. An explore diagram showing the child themes that make up the activities theme.......91

Figure 9. Distribution graph showing participants knowledge on whether or not they knew.....93

ENCRYPTION BACKDOORS AND PRIVACY 1

CHAPTER 1: INTRODUCTION

The world is always changing, due in part to advancements in the domains of science and

technology (Yeboah & Ewur, 2014). What is more, nowadays it appears difficult to escape the

presence of technology in our daily lives (Endeley, 2018; Yeboah & Ewur, 2014). Since

smartphones became popular, many instant messaging (IM) services have been launched

(Yeboah & Ewur, 2014). Some governments have become concerned about the ubiquity of IM

services on mobile phones and their use of end-to-end encryption (E2EE) in safeguarding users’

privacy, as it makes eavesdropping harder for them (Endeley, 2018; Michalas, 2017). E2EE

ensures messages between communicating parties are secure, free from snooping, and hard to

crack (Brantly, 2017). E2EE offers peace of mind to end users as it secures their data in transit

and from third parties (Endeley, 2018). The service provider cannot access the messages, which

can only be decrypted by the intended recipient (Michalas, 2017; “WhatsApp,” 2017).

While E2EE ensures integrity, security, and privacy, it removes opportunities for

government surveillance and the capacity to keep the nation secure by intercepting terrorist

communications (Rastogi & Hendler, 2017). Governments would prefer special access to

encryption technologies, called a backdoor, to use in accessing messages (Michalas, 2017). They

have emphasized they will only use the backdoor if there is a credible threat to national security

(Brantly, 2017). In opposition to governments’ proposals for a backdoor, Kern (2012) argued the

promise of privacy guaranteed by modern encryption techniques, is, to a great extent, what has

expounded the broad use of the internet. Kern further stated common online practices, such as

online shopping, banking, and remote terminal services, would largely be impossible without the

guarantee of the privacy and confidentiality provided by encryption.

ENCRYPTION BACKDOORS AND PRIVACY 2

This study aimed to gain the attention of everyday users to the benefits of E2EE on their

instant messaging (IM) communications and to demonstrate why users should be concerned with

governments’ requests for backdoors into these encryption systems. A survey was used to collect

data from research participants, who were recruited using the snowball sampling methodology.

Background of Study

According to McCarthy (2016), the Federal Bureau of Investigation (FBI) has been

voicing concern; due to barriers such as strong encryption, government’s security apparatus has

been going dark in its attempt to monitor certain electronic communications and suspected

terrorists. McCarthy revealed an increasing awareness of data-related privacy concerns in the

aftermath of the Edward Snowden revelations made from 2013 onwards. These revelations

purported to show the wide-reaching extent of bulk government surveillance by the U.S. and

U.K. security agencies (McCarthy, 2016). McCarthy further stated the world’s leading internet

communication services providers such as Apple, Google, Facebook, WhatsApp, and

Blackberry, have rushed to announce a renewed commitment to customer privacy. These

companies all announced plans to implement E2EE on a default basis.

Inserra, Rosenzweig, Stimson, Shedd, and Bucci (2015) examined the raging debate

between the former FBI Director James Comey and most of the technology community, over

whether law enforcement should have exclusive access to phones and end-to-end encrypted

messaging applications. In what Inserra et al. termed a Crypto War, the FBI has contended

exclusive access is needed to the communications and data of criminals and terrorists on the

internet, an example of the ongoing dispute arose after a terrorist attack in 2015. A California

man named Syed Farook, together with his wife, killed 14 people and injured 22 others at the

Department of Public Health in San Bernardino, California (Steven, 2018). In an attempt to

ENCRYPTION BACKDOORS AND PRIVACY 3

understand Farook’s motivations, and to get the fullest possible sense of his network and

contacts, the FBI sought access to the contacts and messages on Farook’s iPhone 5c. However,

there was a problem (Steven, 2018).

According to Steven (2018), Farook’s iPhone 5c, which was protected by Apple’s default

encryption system, was impossible to access. Even when served with a warrant, Apple could not

extract information from its own product (Steven, 2018). Apple’s FileVault disk encryption

secures the device’s entire content at the disk level, basically rendering it inaccessible for anyone

without the passcode to access data on the disk, unlike the regular password-protected computer

which leaves the hard drive’s content accessible to anyone who can access it directly (Hern,

2014). According to Schulze (2017), in early 2016, the government filed a court order to compel

Apple to unlock the encrypted iPhone 5c of the San Bernardino attacker. The FBI wanted Apple

to rewrite its operating system software (iOS), to disable encryption security features which

would enable the FBI to access the data (Schulze, 2017). In effect, the FBI wanted a backdoor to

ensure everyone’s iPhone can be decrypted on demand so the FBI can access the phones of the

few users under FBI investigation (Schneier, Seidel, and Vijayakumar, 2016). Apple, however,

refused and defended itself by claiming such an action would be a threat and infringement on

personal liberty (Schulze, 2017).

The court order was ultimately moot as the FBI found a third party to unlock the phone.

Calls for backdoors into popular messaging applications using E2EE have become a ritual in the

wake of terrorist attacks in Western nations (Brantly, 2017). Following the terrorist attacks of

March 2017 in London and the bombing attacks of May 2017 in Manchester, authorities found

out terrorists used the favored messaging application WhatsApp before the attacks (Brantly,

2017). Calls were made within the United Kingdom and the United States to leave no hiding

ENCRYPTION BACKDOORS AND PRIVACY 4

places for terrorists (Brantly, 2017). Endeley (2018) stated the WhatsApp messaging service has

emerged as the most popular messaging service today and it uses E2EE in transmitting user data.

E2EE makes governments’ and secret services’ efforts to combat organized crime, terrorists, and

child pornographers technically impossible (Barr, 2016). Governments contend that if the

messages of these criminals can be accessed, then their criminal actions can be prevented

(Brantly, 2017). Conflicting concerns about privacy and national security are not the only issues

associated with E2EE. Many people are also concerned about infringements on free speech

(Barr, 2016).

Barr (2016) examined law enforcement’s push for legislation compelling companies to

create encryption backdoors, tools which will provide government access to encrypted

communication, and issues such legislation would raise concerning the First Amendment.

According to Barr, as far back as 1990, several court cases challenged the export control of

strong encryption claiming such restrictions were unconstitutional restraints on free speech. Barr

argued against these claims, saying sweeping encryption regimes suggested by law enforcement

would not satisfy the First Amendment’s prohibition against compelled speech. Barr examined

how current proposals for encryption backdoors implicate compelled speech issues in a way past

attempts to regulate encryption did not. Barr also analyzed the arguments for and against

protecting source code and argued source code might only be compelled in the presence of a

clear and present danger. Regardless of how E2EE impacts the principles of privacy, free speech

and national security, the practical limitations of implementing backdoors all but guarantee

personal communications can indeed be kept private if the user so chooses (Schneier, Seidel, &

Vijayakumar, 2016).

ENCRYPTION BACKDOORS AND PRIVACY 5

Schneier et al., (2016) have pointed out countries such as the U.S., the U.K., and France

seem very interested in mandating backdoors. The impetus to mandate backdoors in encryption

products for the countries mentioned above is coming from law enforcement. Security

researchers, according to Schneier et al. have, however, argued backdoors are impossible to

implement securely and will result in reduced security for everyone. A practical limitation to

mandating backdoors as a way of reducing crime is because encryption products come from

different parts of the world (Schneier et al., 2016). Anyone attempting to evade encryption

backdoors in the U.S., the U.K., or France has a wide variety of foreign encryption products to

pick from which can encrypt hard drives, voice and text conversations, virtual private networks

(VPN) links and everything else (Schneier et al., 2016). Schneier et al. identified 865 hardware

or software encryption products from 55 countries: 546 of these products, or two-thirds, were

from outside the United States. Schneier et al. outlined that most common non-U.S. countries for

encryption products were Germany, followed respectively by the United Kingdom, Canada,

France, and Sweden. Germany and the Netherlands have publicly disavowed backdoors in all

their encryption products.

Problem Statement

The general problem is law enforcement’s advocacy for a backdoor into E2EE in IM

services, thus undermining privacy and security (McCarthy, 2016). The New York County

District Attorney, Cyrus Vance, in a written testimony to the U.S. Senate Judiciary Committee

said Apple and Google smartphones should be configured to allow data on these devices to be

accessed by law enforcement when it has judicial authorization to do so (“U.S. Department of

Homeland Security,” 2015). Law enforcement agencies such as the FBI have argued to the U.S.

ENCRYPTION BACKDOORS AND PRIVACY 6

Congress the only way to compel smartphone manufacturers to comply with their request for a

backdoor will be through legislation (Barr, 2016).

The specific problem is non-technology professionals do not understand the impact of

creating backdoors into encryption technologies (Sagers, Hosack, & Rowley, 2015; Wei et al.,

2016). Non-technology professionals may not think of encryption very much, but it is

fundamental to all our lives. Almost everything we do today on the internet uses a secret code,

including internet banking, or logging on to Twitter or Facebook; encryption protects all such

information. While E2EE protects users’ IM from eavesdropping by third parties, full-disk

encryption protects data such as photos, texts, emails, contacts, and bank account information

from access by rogue individuals who may either steal your device or lay hands on a lost one

(Herzberg & Leibowitz, 2016). Encryption backdoor, which was the focus of this study, is an

intentionally designed weakness into a cryptosystem (Schulze, 2017). An encryption backdoor

may allow third parties to gain access to unencrypted data using certain keys (Abelson et al.,

2015). The same backdoor used by an authorized third party such as a government agency

authorized by court order may also be vulnerable to an unauthorized attacker who should not

have access to the data (Abelson et al., 2015).

Much of the literature regarding the effects of E2EE on society has centered on the points

of view of cryptographers and law enforcement agencies (Brantly, 2017). An in-depth review of

the literature on this debate, however, showed no study had been done before in the U.S. to seek

the opinions and views of non-technology professionals. Brantly, 2017 stated the former NSA

and CIA Director, General (Ret.) Michael Hayden said, “we will only go as far as the American

people allow us, but we will go all the way to that line” (p. 29). General (Ret.) Michael Hayden

did not give any details following his statement on the view of the American people regarding

ENCRYPTION BACKDOORS AND PRIVACY 7

encryption backdoors; he left it to anyone's imagination (Brantly, 2017). According to the “U.S.

Census Bureau” (2016), technology professionals represent only 2.9 percent of the U.S. labor

force. Non-technology professionals, therefore, represent the largest segment of the labor force,

and by inference the largest group of smartphone users (“U.S. Department of Labor,” 2019;

“U.S. Census Bureau,” 2016). This study sought to understand the lengths at which non-

technology professionals would want the government to go regarding reading their private

messages as a tradeoff for more security.

Encryption technology is not a new technology; it is rather a century-old technique to

scramble readable text, using mathematical algorithms, into unreadable cipher-text (Schulze,

2017). The sender and recipient involved in an encrypted communication require a correct key or

password to make the encrypted text intelligible again (Schulze, 2017). Encryption was created

to avoid eavesdropping from third parties (Schulze, 2017). According to Human Rights Watch

(2015), when words and actions can be monitored or intercepted, it has a discouraging effect on

what people feel free to do or say or where they feel free to go. Secure encryption offers an

opportunity for internet users to reclaim a portion of the privacy they have lost in an era where

they cannot shield their affairs from the prying eyes of some governments (McCarthy, 2016).

This study was a qualitative study, and it used a qualitative descriptive design

methodology to seek the opinions and views of non-technology professional on the ensuing

encryption debate. The population of this study were users of mobile phones running the end-to-

end encrypted IM service, WhatsApp, and are located in the U.S. In 2018, WhatsApp was named

the most popular messaging service endowed with E2EE (Rastogi & Hendler, 2017). This

research was, therefore, focused on WhatsApp.

ENCRYPTION BACKDOORS AND PRIVACY 8

Purpose of Dissertation Study

The purpose of this qualitative descriptive study is to raise awareness for non-technology

professional users of mobile devices on the benefits of encryption for privacy. With the use of

smartphones on the rise, instant messaging (IM) applications have become all but a necessity

(Sutikno et al., 2016). Without encrypted communication between IM servers and end users, all

conversations, pictures, attached files, and voice messages could be exposed to the Internet

should the servers be hacked (Swire & Ahmad, 2012). High-value personal information such as

passport numbers, medical information, or credit card information could also be intercepted and

exposed without the use of E2EE (Swire & Ahmad, 2012).

This study used qualitative analysis to gain insights into the views and opinions of non-

technology professionals regarding their privacy and encryption capabilities on public

communication platforms, particularly IM platforms. Specifically, the research methodology was

founded on qualitative descriptive design, which does not emphasize the formation of new theory

by the end of the analysis, as would be required if this study was to use the grounded theory

approach. Instead, qualitative descriptive analysis is the method of choice when straightforward

descriptions of a phenomenon are desired (Dews-Farrar, 2018). This study involved U.S.

subjects who were users of the WhatsApp IM service. Data was collected through an online and

a paper-based survey from the sample population.

Significance of the Study

The results of this study will contribute significantly to the benefit of a society mostly

unaware of their right to privacy on the internet as a human right. In March 2015, the United

Nations Human Rights Council resolved privacy is a gateway right which affects an individual’s

ability to exercise almost every other right, particularly freedom of assembly, freedom of

ENCRYPTION BACKDOORS AND PRIVACY 9

association and freedom of expression (“Human Rights Watch,” 2015). The results of this study

will help create an awareness of the benefits of encryption to the non-technology user of the

internet. It may also amplify the voices of privacy advocates who will increase the pressure on

Congress not to yield to the demand from law enforcement on legislation mandating the creation

of secret backdoors into encryption services by technology companies.

The results of this study may also help educate the everyday user of the internet on the

benefits of E2EE in their daily communications on mobile devices. This creation of awareness

and expectation of privacy guaranteed by strong encryption for the everyday user of the internet

may also drive more technology companies to adopt E2EE, as was the case after the Edward

Snowden leaks in 2013 (McCarthy, 2016). The revelation of backdoors into Microsoft’s

Outlook.com and SkyDrive services led to a number of protests by Microsoft customers

(Thompson, 2013). These applications eventually lost credibility, and according to McCarthy,

there has been an industry-wide rush to announce a renewed commitment to customer privacy by

the world’s leading internet communication services providers such as Apple, Google, Facebook,

WhatsApp, and Blackberry. These major internet companies have all promised E2EE by default

in all their IM tools (McCarthy, 2016). Another benefit this study may bring is, non-technology

professionals may increase their adoption of using the internet for personal transactions such as

paying bills, online banking, and money transfers once they are aware and understand the

benefits of strong encryption on the internet.

Nature of Study

Descriptive research allows the researcher to obtain a comprehensive picture of the

central phenomenon under study. The central phenomenon in this research was encryption and

backdoors, specifically E2EE. The sample population for this study was users of the end-to-end

ENCRYPTION BACKDOORS AND PRIVACY 10

encrypted IM application, WhatsApp. According to Jisha and Jebakumar (2014), WhatsApp is

the fastest growing IM application and was selected for this study because of its global

favorability, with a user base of over 1.5 billion subscribers (Jisha & Jebakumar, 2014).

WhatsApp has attracted a lot of attention recently because of its large-scale use of E2EE, the first

application to ever implement E2EE to this scale (Rastogi & Hendler, 2017). In 2009, Brian

Acton and Jan Koum created WhatsApp purposely to make communication and the distribution

of multimedia messaging easier and faster (Sarker, 2015). WhatsApp works with internet

connectivity and helps its users to stay in touch with friends and relatives on their contact lists

(Yeboah & Ewur, 2014). Apart from making its users connect and stay connected, it also helps

them to create groups, send images, videos, documents and audios (Jisha & Jebakumar, 2014).

Given the usage of WhatsApp as one of the criteria for which survey participants were selected,

the researcher also looked at the most appropriate qualitative study approach to use in achieving

the best results.

The researcher looked at a good number of qualitative study approaches to use for this

study and concluded a qualitative descriptive study would best fit this research. The researcher

was seeking to gain insight into the views and opinions of non-technology professionals about

their privacy on public communication platforms. The qualitative descriptive approach would

yield the best results in answering the research questions posed in this study.

This study could not be carried out using an ethnographic research approach because it

was not a cultural study. Also, ethnographic research requires the researcher to be immersed in

the culture, often for years (Creswell, 2015). To accomplish the purpose of this research, such a

long duration of study will not be necessary. This study could not be similarly carried out with a

narrative research approach. A narrative research approach according to Creswell (2015) weaves

ENCRYPTION BACKDOORS AND PRIVACY 11

together a sequence of events, usually just from one or two individuals to form a cohesive story.

In this study, the researcher was seeking to draw the attention of non-technology professionals to

the benefits of strong encryption in their daily use of the internet. Therefore, a narrative research

approach using just one or two individuals would not have been able to provide successful

results for this study. Another research approach the researcher examined was a

phenomenological study; this research approach is used when trying to describe an event,

activity, or a phenomenon (Creswell, 2015). It involves visiting sites and events or watching

videos to gain an understanding of the phenomenon under research. This approach also would

not have enabled us to answer the research questions posed by this research on encryption

backdoors and its implication on privacy. Thus, it was not chosen as the appropriate research

approach. This study looked at other research approaches for appropriateness.

Another vital research approach the researcher examined was the grounded theory

approach. According to Creswell (2015), whereas a phenomenological study looks to describe

the essence of an activity or event, the grounded theory looks to provide an explanation or theory

behind the events. Our intended study was not seeking to build a research theory. Therefore, this

approach was not appropriate for our research. Lastly, the researcher also reviewed the case

study approach. Case study designs, according to Creswell, are a variation of the ethnographic

design, also known as an ethnographic case study. The researcher did not choose the case study

design because the study primarily involved events occurring in the present (Salkind, 2012).

Due to the limited understanding of the central phenomenon, E2EE, and backdoors to

non-technology individuals, snowball sampling according to Creswell (2015) was the most

appropriate sampling methodology. Also called chain referral sampling, snowball sampling has

the advantage, after observation of the initial subjects, the researcher asks for assistance from the

ENCRYPTION BACKDOORS AND PRIVACY 12

subjects to help identify participants with similar traits. Snowball sampling typically proceeds

after the start of the study (Creswell, 2015). The snowball sampling methodology was also

selected for this study because it has been used in similar studies on privacy concerns and IM,

such as the study by Rashidi, Vaniea, and Camp (2016). To uncover whether participants meet

the requirement of non-technological professionals, they were asked about their general

computer knowledge and their computer security skills. The study also evaluated participants on

their familiarity with encryption in general and E2EE, specifically. Participants did not receive

any compensation; they were informed of the purpose of the study and Institutional Review

Board (IRB) approval for the research study.

Research Questions

In the FBI v. Apple case of 2016 in San Bernardino, a survey conducted by the Pew Research

Center found in December 2015, the public sided with the FBI initially, with around 51%

arguing Apple should help the FBI (Elmer-Dewitt, 2016). However, later polls in February 2016,

with diverse methodologies, showed the public sided with Apple (Elmer-Dewitt, 2016). The

passionate discourse about encryption lasted until March 2016, when in a separate case in New

York State, a Brooklyn court ruled in Apple's favor saying the All Writs Act of 1789 used by a

U.S. Magistrate to compel Apple to comply, did not govern the unlocking of an iPhone

(Lichtblau & Goldstein, 2016). Before the ruling of the Brooklyn court, the FBI had succeeded in

accessing the phone’s content in the San Bernardino case with the help of a third-party company

(Zapotosky, 2016). The split in public opinion in both court cases between the FBI v. Apple led

the researcher to arrive at some research questions which served as the primary focal points in

performing this research study:

ENCRYPTION BACKDOORS AND PRIVACY 13

• Do non-technology professionals in the U.S. understand the impact of creating backdoors

into end-to-end encrypted technologies?

The WhatsApp application does an excellent job in displaying a message at the top of

each new chat session saying all messages to this chat and calls are secured with E2EE. This

information to users is a guarantee of privacy, but non-technology professionals would

seldom use terms like E2EE in their daily lives, even though E2EE is part of our daily digital

lives. E2EE encapsulates our private data online like credit card numbers during a transaction

or Voice-Over-Internet Protocol (VOIP) phone conversation which may be wiretapped

(Shirvanian, Saxena, & George, 2017). Creating an awareness of the value E2EE to the

ordinary men and women who use the internet for daily activities and routine tasks, is one of

the objectives this research sought to accomplish.

• What are the perspectives of non-technology professional users of IM applications

regarding the argument security comes at a price, namely at the expense of privacy?

A study carried out by Beckmeyer in 2017 showed non-information security

professionals placed more emphasis on privacy than security when surveyed on balancing the

U.S. government’s Post-9/11 domestic electronic surveillance program with U.S. citizens’

privacy rights and expectations (Beckmeyer, 2017). While the study by Beckmeyer had a

more stringent definition as to who was considered an information security professional or

not, it failed to investigate the value placed on privacy by simple everyday non-technological

users of the internet.

• To what extent does the knowledge of encryption as a technology in safeguarding

consumer privacy affect the use of the internet by non-technology professionals in the

U.S.?

ENCRYPTION BACKDOORS AND PRIVACY 14

This research was also seeking to understand the outcome of creating an awareness of

encryption, usage and behavior patterns of non-technology professionals on the internet. The

results of this study will show whether or not creating such awareness drives users towards

more end-to-end encrypted applications to safeguard their conversations from the prying eyes

of governments and hackers.

Conceptual or Theoretical Framework

This study built on the broader conceptual framework of securitization of technology,

which provides a link to Science and Technology Studies (Barnard-Wills & Ashenden, 2012;

Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009). Studies on the crypto-wars debate

tend to be either technical (Abelson et al., 2015) or historical (Kehl, Wilson, & Bankston, 2015).

Empirical securitization studies, which focus on digital technologies, tend to ignore the potential

material impact of discourses, as Dunn Cavelty argued (Dunn Cavelty, 2015). According to

Schulze (2017), the securitization framework, which is understood as the social construction of

security/insecurity in the digital realm, has rarely been adopted in cryptography discourses.

Governmental access to otherwise secure cryptography could, in the worst case, substantially

weaken these systems, thus threatening the safety of the billions of cell phones used by people

today (Schulze, 2017).

In the recent years after the Edward Snowden leaks in 2013, there has been an evolving

trend towards the application, by default, of encryption to a range of online communications such

as emails and IM applications, which result in only the sender and the recipient being able to

read the messages (McCarthy, 2016). Governments’ request for a means to listen to some private

communications of U.S. residents is not new (Schulze, 2017). Schulze (2017) stated the looming

digital age of the 1990s got the National Security Agency (NSA) worried. In 1992 the American

ENCRYPTION BACKDOORS AND PRIVACY 15

Telephone and Telegraph Company (AT&T) began the development of consumer phones which

could encrypt voice communication between parties (Schulze, 2017). These consumer phones

with the capability to encrypt voice communications made the NSA recognize that encrypted

digital communication could replace ordinarily interceptable audio calls (Schulze, 2017). This

new development in cell phone technology led the NSA in a rush to develop the Clipper

technology, which was a key-escrow enabling law enforcement access to otherwise secure

technology (Schulze, 2017). This development later termed the Clipper chip, according to

Schulze, theoretically allowed user-friendly encryption based on a hardware chip called the

Clipper chip. This chip would be attached to devices, cell phones, and computers and would

allow a copy of the encryption keys to be stored in government databases, thus giving the

government unrestricted access to otherwise secure technology (Schulze, 2017). The FBI and

NSA could then easily eavesdrop on any Clipper-based cell phone with a warrant (Schulze,

2017). This proposed technology did not win the heart of the public; there was a strong public

reaction from a broad spectrum of society (Rid, 2016). Most computer experts and social

movements of digital natives opposed it (Rid, 2016). In early 1994, the Clipper program

officially started, yet it never saw any widespread adoption. Law enforcement and national

security agencies today claim they are losing surveillance capabilities they previously had; they

are therefore strongly opposed to strong encryption in electronic communication (Swire &

Ahmad, 2012).

Questions coming to mind which are analogous to the difficult trade-offs posed by many

debaters over domestic counterterrorism measures since 9/11 include: should companies be

compelled to weaken their products so the government can have a way to read users’ messages?

Does the Fourth Amendment’s balance require law enforcement to retain the ability to access

ENCRYPTION BACKDOORS AND PRIVACY 16

data covered by a search warrant? Does law enforcement need such a mandate to investigate

crime effectively? The government needs to investigate and prosecute serious crimes and protect

the country against organized crime, terrorists, and child pornographers. However, the liberty,

privacy, and cybersecurity of American citizens and companies are at risk (Klein, 2016).

According to Klein (2016), what has arguably made the present encryption debate

different from previous brawls over national security and civil rights is the degree and

significance to which the international consequences have been echoed and contested. Opponents

have contended if the U.S. government imposes a decryption mandate, dictatorial regimes in

other parts of the world will follow suit; they will use it as a means to oppress their citizens and

increase their grip on power (Klein, 2016). According to Klein, opponents have also argued the

government’s efforts to undermine anonymization and encryption goes against the U.S.

government’s own internet freedom agenda. This encryption debate on whether to have a

backdoor or not illustrates well the tension between the U.S. government’s internal law-

enforcement, counterterrorism needs, and its global values of democracy, freedom of expression

and communication (Klein, 2016). In authoritarian regimes with a weak commitment to the rule

of law, journalists, activists, and dissidents have a real need for such encrypted technologies

which hide their communication and online activities from prying eyes (Klein, 2016). According

to Klein, authoritarian regimes with technological sophistication like Russia and China have built

their surveillance systems to monitor opposition groups, dissidents and some members of

disfavored minorities. Against this backdrop of the use of surveillance and hacking tools as an

instrument of repression in some countries, the U.S. government has integrated internet freedom

as part of its broader human rights agenda (Klein, 2016). Through the State Department’s Bureau

of Democracy, Human Rights and Labor (DRL), the U.S. government now annually funds the

ENCRYPTION BACKDOORS AND PRIVACY 17

development of secure communication technologies for use by dissidents overseas (Klein, 2016).

The most famous contribution of the U.S. government in this space is the development of Tor, a

free and widely used software allowing its users to browse the internet anonymously and create

invisible Uniform Resource Locators (URLs) (Klein, 2016). Klein also stated a less well-known

fact is the U.S. government contributed several millions of dollars to develop the encryption

protocol used today by Signal and WhatsApp messaging services. In the wake of the debate over

the democratic values of the U.S. and whether to impose a decryption mandate, a new bipartisan

bill has been introduced to the U.S. Congress preventing any agency or court order from forcing

any company to build backdoors into its products (Ruiz, 2018).

The Electronic Frontier Foundation (EFF), a leading nonprofit organization defending

civil liberties in the digital world, reported in its May 10, 2018, online publication a new bill

introduced in the U.S. Congress called the Secure Data Act. See APPENDIX A (Ruiz, 2018).

This bill prevents any government agency or court order from forcing any company to build

backdoors into encrypted devices or communications (Ruiz, 2018). According to the EFF, this

bill will protect companies such as Apple and Google who make encrypted smartphones, tablets,

desktops and laptop computers, as well as developers of favorite E2EE IM applications such as

Signal and WhatsApp, from being forced to alter their products in a manner likely to weaken

encryption (Ruiz, 2018).

Definitions

The following terms were used throughout this study; therefore, these are defined for this

research study.

Backdoor. An intentionally engineered gateway into the encryption system to provide an

alternative means of accessing the encrypted content (McCarthy, 2016).

ENCRYPTION BACKDOORS AND PRIVACY 18

Encryption. This is the process of converting information in plain text into an

unintelligible form so it cannot be read without a secret decryption key (McCarthy, 2016). The

plain text once encrypted is called a cipher. Encryption technology generally consists of three

mathematical algorithms: one to generate the secret key, one to encrypt the plaintext information,

and one to decrypt the cipher

E2EE. In recent years, a trend has evolved towards the application, by default, of

encryption to a range of electronic communications, such as emails and online chat services, with

the effect of only the sender and recipient being able to read the message (McCarthy, 2016). This

is end-to-end encryption.

Instant Messaging (IM). It is a social media tool frequently used nowadays. It allows

people to communicate with friends using texts, phone calls, videos, shared files, individually or

in groups, and to maintain contact with them even internationally, in real time communications

(Sutikno et al., 2016).

Non-technology professionals. These are working professionals who do not have a

technology background nor are working in the field of technology (Beckmeyer, 2017). These are

everyday blue- and white-collar professionals who are not technology-savvy (Beckmeyer, 2017).

Privacy. Privacy includes the right of the individual to have one’s personal information

protected from the undue prying eyes of government without the consent of the individual, save

in exceptional circumstances dictated by the law. (Pavone & Esposti, 2010)

Security. It refers to the right and duty of national governments to ensure citizens’ safety

(Pavone & Esposti, 2010).

Surveillance. It includes “a non-disruptive and surreptitious data collection and

categorization process, centrally organized and monitored by private or public actors to control

ENCRYPTION BACKDOORS AND PRIVACY 19

individuals and influence their behavior” (Casemajor, Couture, Delfin, Goerzen, & Delfanti,

2015).

WhatsApp. It is a popular mobile instant messaging (MIM) application which allows

users to send text messages easily, videos, links, photos and make voice calls (Rashidi, Vaniea,

& Camp, 2016). It is also used to maintain online communities through the use of groups and

multi-party chat features

Assumptions

The assumptions outlined in this qualitative descriptive research study depict elements

which may be out of the control of the researcher but are, however, very important to the validity

of the research. This research study assumed non-technology professionals in the U.S. do not

understand the impact of encryption backdoors demanded by law enforcement. The limited

understanding of the effects of encryption is partly because non-technology professional users of

the internet lack knowledge on the proper use of encryption (Sagers et al., 2015). The research

study also assumed there is a lack of awareness of the benefits of encrypted communication

about privacy for non-technology professionals living in the U.S. This research study, therefore,

theorized that the survey participants would have their own unique and educated insights into the

national security versus privacy debate on encryption, where they might place more emphasis on

the aspects of privacy rather than national security.

The study further assumed the sample population would comprise non-technology

professionals who do not understand the concept of encryption. The poll conducted by the Pew

Research Foundation on the FBI v. Apple case in 2016 validated this assumption (Elmer-Dewitt,

2016). An initial survey showed 51% of the population sided with the FBI’s request for Apple to

comply, but as the case progressed and more debates ensued, the population became a little more

ENCRYPTION BACKDOORS AND PRIVACY 20

educated on the fundamental issues of the debate, which was privacy (Elmer-Dewitt, 2016).

Subsequent polls showed the population siding with Apple (Elmer-Dewitt, 2016).

Scope, Limitations, and Delimitations

The scope of this research study pertained to the boundaries within which this research

was performed, with guidance on how the research problem would be solved. The research study

was limited to a sample of non-technology professionals who used WhatsApp and did not know

much or anything about encrypted communications and the U.S. government’s insistence for a

cryptographic backdoor. The population was U.S. residents. The research study did not delve

into some of the weaknesses inherent with E2EE communications, as was uncovered recently in

WhatsApp and Signal by the FBI in their prosecution of Paul Manafort, former manager of 2016

Trump election campaign (Mak, 2018)

The limitations of a research dissertation or study are viewed as potential weaknesses out

of the control of the researcher (Simon, 2011). The research study was to obtain the opinions and

views of non-technology professionals about the U.S. government’s infringement on privacy by

requesting for encryption backdoors either by legislation through Congress, or by petitioning the

Foreign Intelligence Surveillance Court (FISC) to compel technology companies to comply.

Based on this objective, the researcher understood the limitations on the varying depths of

knowledge around privacy laws by the participants of the survey, such as the U.S. Citizen’s

Privacy Rights. This research study was also limited to the survey participant’s level of

knowledge in the field of information technology. The participant’s level of education may have

also limited the researcher's intention to create an awareness of the benefits of encryption.

Simon (2011) defined delimitations as those elements restricting a study’s scope and

serve to clarify its research boundaries were under the control of the researcher. For this research

ENCRYPTION BACKDOORS AND PRIVACY 21

study, the procedures used for handling and storing completed questionnaires and data ensured

maximum practical confidentiality for participants. The survey announcement and introduction

communicated the assurance of confidentiality. This research study was also limited to

WhatsApp instant messenger because E2EE is turned on by default unlike in Facebook

messenger where E2EE is optional.

Chapter Summary

Chapter 1 delivered a synopsis of this research study regarding privacy concerns of

introducing mandatory backdoors into end-to-end encrypted systems. The chapter introduced the

discussion on the security and privacy conflict between the end users of E2EE applications and

government’s need to access messages to thwart potential terror attacks. It also examined law

enforcement’s push for legislation which would compel companies to create encryption

backdoors and issues such legislation would raise concerning the First Amendment. This chapter

also examined the emerging debate on privacy on the internet as a human right, following the

United Nations Human Rights Council resolutions of March 2015, where it was resolved privacy

is a gateway right affecting an individual’s ability to exercise almost every other right. Chapter 1

also reviewed the type of research which was carried out for this research study, methodology

and research questions. A survey instrument was used in collecting relevant data to address the

identified research gap which was, non-technology professionals’ limited understanding of the

consequences of allowing governments to create a backdoor into encryption technologies. The

snowball sampling methodology was reviewed as the sampling method of choice, given the

expectations of the research study.

In Chapter 2, this research study will explore the current and historical literature of

predominant encryption and its rapid emergence on mobile platforms. Chapter 2 will also

ENCRYPTION BACKDOORS AND PRIVACY 22

investigate concepts presented in Chapter 1 and examine the design and implementation details

of a secure chatting application with E2EE for Android operating system (OS) smartphones.

Chapter 2 will further provide a germinal conversation on how advancements in mobile phone

technologies have also brought about ubiquity in IM services, amongst which the most popular

are WhatsApp, Viber, and Telegram messengers.

ENCRYPTION BACKDOORS AND PRIVACY 23

CHAPTER 2: LITERATURE REVIEW

This literature review on the topic end-to-end encryption (E2EE), backdoors, and

consumer privacy utilized the thematic literature review approach. According to Creswell

(2015), in a thematic review of literature, the researcher identifies a theme, and briefly discusses

theoretical concepts and topics important to the understanding of the main topic, citing literature

to document the chosen theme. According to Alhojailan (2012) thematic analysis allows the

researcher to determine precisely the relationship between concepts and compare them with data

between ideas. The thematic review approach was chosen for this study because it involves the

identification of prominent or recurrent themes, which were summarized under each thematic

heading. This approach helped the researcher to identify overreaching thematic categories in

encryption and privacy leading to a greater understanding of each topic. Thematic analysis was

the most appropriate approach because its identification of themes confers greater accuracy and

enhances the researcher’s whole meaning (Alhojailan, 2012).

This review was guided in scope by the research question: do non-technology

professionals understand the impact of creating backdoors into end-to-end encrypted

technologies? This question was posited because everyday users of the internet lack awareness of

the benefits of encrypted communication to user privacy (Sagers, Hosack, & Rowley, 2015;

Vaziripour et al., 2018). There were two reasons why the topic E2EE, backdoors, and privacy

was selected as the focus of this dissertation. First, there is increasing pressure from governments

to technology companies, to be able to access encrypted data through a cryptographic backdoor

(Castro & McQuinn, 2016). Governments are contending modern encryption such as E2EE,

removes opportunities for government surveillance and the capacity to keep the nation secure by

intercepting terrorist communications. Governments would like a backdoor into the encryption

ENCRYPTION BACKDOORS AND PRIVACY 24

technologies for them to use in accessing messages; they have stressed they would only use the

backdoor if there was a credible threat to national security (Brantly, 2017). Second, non-

technology professionals do not understand the impact of creating backdoors into encryption

technologies (Sagers et al., 2015; Wei et al., 2016). According to Sagers et al. non-technology

professionals in addition to not understanding the benefits of encryption, do not also know

applications using modern encryption techniques such as E2EE and also how to use them. The

results of this research will benefit a society mostly unaware of the right to privacy on the

internet as a human right.

This research should be of interest to technology as well as non-technology professionals

as it strives to educate everyday users without much in-depth knowledge of computers, to

understand the importance of encryption in their daily lives. This study will help create an

awareness of the benefits of encryption to the non-technology user of the internet, and the

challenges backdoors pose to encryption. The rationale for limiting the research question to non-

technology professionals was because of the dramatic shift in public opinion shown in a previous

study by Elmer-Dewitt (2016). In the FBI v. Apple case of 2016, the FBI wanted Apple to

rewrite its operating system software (iOS), to disable encryption security features so the FBI

could access the data (Elmer-Dewitt, 2016). A Pew survey showed in December 2015, the public

sided with the FBI initially, with around 51% arguing Apple should help the FBI unlock the

phone, 38% supporting Apple, and 11% not knowing enough about the dispute to form an

opinion (Elmer-Dewitt, 2016). However, later polls in February 2016, with diverse

methodologies, showed the public sided with Apple (Elmer-Dewitt, 2016). This demonstrated

that by Apple making a strong public case in protecting the privacy of its users through the use of

encryption, it also educated its user-base on their role in preserving user-privacy (Elmer-Dewitt,

ENCRYPTION BACKDOORS AND PRIVACY 25

2016). Apple’s vigorous defense of its software shifted public opinion to its favor (Elmer-Dewitt,

2016). This literature review was, therefore, conducted on the foundation of raising public

awareness of the advantages of E2EE.

Overview

In this chapter, the researcher reviewed and analyzed the intensifying debate on the

proliferation of robust encryption technologies on mobile devices across the globe. Also, a

review was performed of law enforcements’ response to E2EE which included the request to

create a backdoor into encryption systems, allowing them special access to read communications

between people suspected of criminal activity. This research study also reviewed policies certain

governments were implementing to safeguard national security at the expense of individual

privacy and cybersecurity, strengthened by modern encryption technologies.

Modern encryption systems are quite structured and robust in such a manner that not even

the service providers who engineered them can break them to access the encrypted content

(McCarthy, 2016). The debate on the mixed blessings of strong encryption has become a

worldwide issue; a pitched battle between law enforcement and much of the technology industry

is brewing (Perry, 2016). The literature in this chapter showed no single country can claim a

monopoly on the knowledge to create strong encryption technologies because cryptography is a

worldwide academic discipline (Schneier et al., 2016). This can be confirmed by the quantity and

quality of research and conference papers emanating from countries other than the U.S.

(Schneier et al., 2016). This chapter also reviewed different encryption technologies used to

preserve the privacy and confidentiality of online communications and examples of modern-day

IM systems using E2EE such as Apple’s iMessage, WhatsApp, and Signal.

ENCRYPTION BACKDOORS AND PRIVACY 26

The Evolution of Encryption

The proliferation of new devices, applications, and modes of communication is affecting

the way we store and communicate personal data. Due to this digitization of our lives, devices on

the internet and our data have become targets for hackers and criminals. Most technology

companies are therefore adopting encryption for storage and communication merely as a

response to market demand by consumers for more security and privacy (McCarthy, 2016).

Security professionals and researchers all agree encryption guarantees integrity, safety, and

confidentiality of consumers whether when sending an email or communicating with a family

member on an IM chat (Rastogi & Hendler, 2017). According to Castro and McQuinn (2016),

there has been a stream of advancements in encryption in the last few decades, and many

companies have integrated these security improvements into their products to improve the

security of consumers and businesses. The Edward Snowden revelations in 2013, for example,

showed how widely our personal information and lives could be compromised by hackers and

security agencies having access to our emails, which may sometimes contain personal and family

pictures, medical information, books we read, or the politics we practice (McCarthy, 2016). Most

people expect a private email to remain private and would not appreciate anyone in between

reading it without their knowledge. Some government agencies have, however, pushed back

against these improvements in technology which usher in encryption, citing national security

concerns (Swire & Ahmad, 2012).

Encryption is the process by which data, words, or photographs are coded into an

unreadable format so anyone who acquires the data without knowledge of the algorithm and key

used to encode it, is unable to read it (Inserra, Rosenzweig, Stimson, Shedd, & Bucci, 2015).

Encryption is not new to the technology world. It has been used since ancient times (Inserra

ENCRYPTION BACKDOORS AND PRIVACY 27

et.al., 2015). Samuel Morse in 1840 developed a code assigning a set of dots and dashes to letters

of the alphabet (Inserra et.al., 2015). This series of dots and dashes were then transmitted over

phone lines so anyone intercepting them might not understand the message if they do not know

how Morse code works (Inserra et.al., 2015). This was done due to the numerous intervening

parties between the sender and the receiver of the message over a phone line. The advancements

in computer science have also led to rapid progress in the development of more complex

encryption algorithms, effectively surpassing decryption techniques used to break encryption

(Inserra et.al., 2015). A modern cryptosystem is generally composed of three mathematical

algorithms: one to generate the encryption keys, one to encrypt the message, and one to decrypt

the encryption message (McCarthy, 2016). The length of the algorithm, measured in bit-lengths,

determines the strength of the encryption (McCarthy, 2016). McCarthy uses the analogy of a

combination lock in explaining the strength of the algorithm; the longer the combination, the

more difficult it is to break.

Private and Public Key Encryption

Over the years since cryptosystems were developed, private key encryption, also known

as symmetric encryption, was the most widely used encryption method until the 1970s when a

new and more secure encryption method known as public key encryption or asymmetric

encryption was developed (Sayler, 2016). In private key encryption, both communicating parties

use the same key to encrypt and decrypt every message (Sayler, 2016). The crucial part of

private key encryption is to generate and transmit the encryption key securely from one party to

the other. This key, as its name suggests, has to be kept a secret between the communicating

parties (Sayler, 2016). If intercepted, the key could be used by a third party to decrypt messages

(Sayler, 2016). According to Sayler (2016), the security of symmetric encryption cipher is

ENCRYPTION BACKDOORS AND PRIVACY 28

proportional to the length of the key; the longer the key, the more secure the data encrypted with

it. Symmetric cryptography algorithms are quite useful in situations where a single user will both

encrypt and decrypt a piece of data such as the case with data stored on our smartphones. An

Android phone running Android 6.0 (or later) or an iPhone running iOS 8 (or later) by default

will encrypt all data stored on it (Cipriani, 2016). The PIN codes (of numbers, letters, or a

combination of the two) and fingerprints are used to unlock an encrypted device (Cipriani, 2016).

Symmetric cryptography has practical limitations where multiple parties wish to communicate or

exchange data securely (Sayler, 2016). In multiple party communications such as group

messages in IM applications using symmetric cryptography, the parties must find a means to

communicate their private key and authentication keys out-of-band securely (Sayler, 2016). In

the absence of other cryptographic methods such as Diffie-Helman key exchange protocol, the

only alternative method to securely communicate keys while avoiding interception is to meet in

person and exchange the keys manually (Sayler, 2016). This is not only a cumbersome task to

accomplish, but it is impractical for all but the simplest situations, especially given the current

cyber landscape where parties could be continents apart (Sayler, 2016). These challenges with

symmetric cryptographic systems led researchers to find alternative methods for secure data

exchange such as public key encryption (Sayler, 2016).

In public key encryption on the other hand, instead of both parties sharing a common

secret key, each party has a public key, which is shared with every other party who wishes to

send each party a message (Sayler, 2016). However, in addition to the public key which is used

to encrypt messages, each party holds a private key it shares with no other party, and this private

key is used to decrypt all messages sent to the receiving party (Sayler, 2016). If the cryptosystem

is designed correctly, it is computationally infeasible to calculate one of the keys from the other.

ENCRYPTION BACKDOORS AND PRIVACY 29

This mathematical certainty gives each party the confidence to publish one of the keys to the

public while keeping the corresponding key private (Sayler, 2016). Asymmetric cryptography

works on the principles of a trapdoor function (Sayler, 2016). A trapdoor function is a

mathematical function which is easy to compute in one direction, yet infeasible to calculate in

the reverse direction without particular information (e.g., the key) (Sayler, 2016). Even though

Diffie and Hellman had proposed a theoretical implementation of a public key cryptography

system, the first practical public key cryptography system came a few years later with the

publication of the RSA (Rivest, Shamir, & Adleman, 1978). Even though asymmetric

cryptography is generally preferred nowadays and considered more secure, symmetric

algorithms are more performant (and for a given key length, more secure) (Sayler, 2016). Thus,

asymmetric cryptography schemes such as RSA and Diffie-Hellman can be used to bootstrap

secure communications across an insecure channel by allowing two parties to derive or exchange

a mutual secret to be used to facilitate further secure communication using symmetric key

encryption and authentication algorithm, making such split-type cryptography systems desirable

(Sayler, 2016).

Governments’ and Law Enforcement’s Encroachment on Encryption Technology

According to a report published by the “U.S. Department of Homeland Security” (2015),

the U.S. Senate held a hearing on whether recent technological changes have upset the balance

between public safety and privacy. Law enforcement officials are becoming increasingly

concerned that even after obtaining a warrant from a judge to search for evidence of a crime,

they lack the technical means to do so (“U.S. Department of Homeland Security,” 2015). This is

due to companies increasingly choosing to encrypt devices in such a way the companies

themselves are unable to unlock them, even when presented with a valid search warrant (“U.S.

ENCRYPTION BACKDOORS AND PRIVACY 30

Department of Homeland Security,” 2015). First, law enforcement agencies are reporting a

decreasing ability to intercept real-time communications such as phone calls, text, email, and

other types of data-in-transit (“U.S. Department of Homeland Security,” 2015). Second, they

relate a similar concern about their inability to execute search warrants on encrypted phones,

laptops and other devices which contain data-at-rest (“U.S. Department of Homeland Security,”

2015). Given this technological evolution, there is a potential impact on the fair and impartial

application of the laws to everyone, as certain people are effectively placed outside the law

(“U.S. Department of Homeland Security,” 2015). The “U.S. Department of Homeland Security”

report concluded mandated technological weaknesses in encryption as proposed by some law

enforcement agencies as a means of solving the problem of having exclusive access to these

encrypted devices, are both futile and counterproductive. The report concluded Congress was

open to reviewing ways to provide law enforcement with judicially-sanctioned access to these

platforms without compromising overall security (“U.S. Department of Homeland Security,”

2015).

According to Castro and McQuinn (2016), the government’s efforts to limit the use of

public encryption technology has seen various levels of success. One example is the NSAs

efforts to manipulate specific cryptographic standards by sometimes introducing encryption

backdoors and not making it known to the public, or finding security vulnerabilities in

commercial systems and not announcing it, but instead, allowing the government to exploit those

weaknesses (Castro & McQuinn, 2016). These secretive actions by the government have not

only weakened data security for U.S. firms but have also sowed seeds of distrust around the

world, thus damaging U.S. information technology competitiveness (Castro & McQuinn, 2016).

According to McCarthy (2018), the International Standards Organization (ISO) rejected two

ENCRYPTION BACKDOORS AND PRIVACY 31

symmetric encryption algorithms, SIMON and SPECK, submitted by the NSA amid concerns

they contained NSA-designed backdoors which would allow U.S. spies to break the encryption.

The ISO had for long been debating on which cryptographic algorithms to include as standards

for the Internet of Things (IoT) devices (McCarthy, 2018). The NSA submitted SIMON and

SPECK block ciphers to the ISO as optimized algorithms best fit for small and low-cost

processor devices such as IoT devices, they were both rejected by the ISO (Schneier, 2018).

According to Schneier, the NSA officials refused to provide the required level of technical

documentation for such a submission to proceed. The U.S. government had restricted the export

of strong encryption (with keys above 40 bits) in the 1990s for the same reason they are being

suspected today of including cryptographic backdoors; they encouraged weak encryption so they

could intercept and spy on all communications (Swire & Ahmad, 2012).

According to Swire and Ahmad (2012), after the U.S. government shifted position in

1999 to allow the export of strong encryption, encryption laws and policies largely faded away.

However, encryption has once again become a major policy debate due in part to laws in some

individual countries such as India and China (Swire & Ahmad, 2012). Specific regulations in

these countries regarding encryption technologies on trade, secure communications, and national

security will have enormous implications for the nature of the global internet and

telecommunications infrastructure (Swire & Ahmad, 2012). The 2008 terrorist attacks in

Mumbai changed India’s approach and policy to encryption technology (Swire & Ahmad, 2012).

The licensing regime of the department of telecommunications in India, developed in the 1990s

prohibits the deployment of E2EE for wired and wireless international and national service

providers as well as for internet service providers (Swire & Ahmad, 2012). It also restricts end

users from using encryption algorithms with greater than 40-bit key length (Swire & Ahmad,

ENCRYPTION BACKDOORS AND PRIVACY 32

2012). These rules were started to be enforced widely only after the Mumbai terrorist attacks

(Swire & Ahmad, 2012). According to Swire and Ahmad (2012), conflicts between India’s

security policy and international commercial practices have led to disputes with companies like

Google, Skype, Research in Motion, and others.

China’s approach to gaining traction on the encryption market and to becoming a great

technological leader has been a departure from international best practices which promote open,

peer-review encryption standards (Swire & Ahmad, 2012). Swire and Ahmad (2012) stated

China treats encryption as a national policy, subject to government direction and authority. In its

policy of indigenous innovation, China hopes to gain expertise in the areas of cybersecurity and

encryption (Swire & Ahmad, 2012). China regulates the sale, import, and development of

commercial encryption (Swire & Ahmad, 2012). China has outlawed the sale, and use of foreign

encryption on its territory (Swire & Ahmad, 2012; Castro & McQuinn 2016). Research shows

restrictions on the distribution, sale, and use of strong encryption by some foreign governments

do not prevent or reduce the availability of strong encryption around the world.

Schneier, Seidel, and Vijayakumar (2016) examined all the possible encryption solutions

available worldwide in today’s market. While most of the products available today are developed

and sold by for-profit organizations, some are created as free, open-source products available for

free download and use (Schneier et al., 2016). According to Schneier et al., a group of

researchers from George Washington University in 1999 first attempted to survey the worldwide

market for encryption products. The impetus of the research at the time was the embargo on U.S.

companies to export strong encryption (above 40-bit keys) (Schneier et al., 2016). The

researchers collected information on 805 hardware and software encryption products from over

35 countries (Schneier et al., 2016). Their research showed the prevention by the U.S.

ENCRYPTION BACKDOORS AND PRIVACY 33

government from exporting strong encryption products was to the detriment of American

companies only, as this embargo did not prevent or reduce the availability of strong encryption

around the world (Schneier et al., 2016).

Schneier et al. (2016) in their follow-up study 17 years later, identified 865 hardware or

software products incorporating encryption, from 55 countries. Some 546 of these products,

which represented two-thirds of the total, were from outside the U.S. (Schneier et al., 2016). The

U.S. thus, produces the most and widely used encryption products (Schneier et al., 2016).

According to Schneier et al., any U.S. laws mandating backdoors into encryption systems will

primarily affect U.S. users of the product or people who are unconcerned about government

surveillance, or at least indifferent about making a switch to an alternative non-U.S. product not

having a backdoor. The literature review conducted for this research study found out the most

common non-U.S. country for encryption products was Germany, followed by the United

Kingdom, Canada, France, and Sweden respectively. With regards to backdoors, both Germany

and the Netherlands have publicly disavowed them in all their encryption products. The U.K. and

France seem very interested in mandating backdoors (Schneier et al., 2016).

According to Klein (2016), efforts at reconciling the U.S. government’s interest in

accessing the contents of some encrypted data with its historical position of supporting dissident

movements and individual freedoms in some authoritarian regimes around the world puts the

U.S. at the crossroads of enforcing domestic laws of the United States. This request for a

backdoor also puts the U.S. at the crossroads of playing interest-driven politics which may

sometimes include espionage, waging an intense and unrelenting campaign against terrorism,

and at the same time promoting civil liberties and democratic movements in illiberal countries

(Klein, 2016). According to Klein, the case of San Bernardino shooter Syed Farook is the most

ENCRYPTION BACKDOORS AND PRIVACY 34

prominent example of law enforcement challenges with encryption technologies. Law

enforcement agencies in the U.S. and around the world are continually accumulating piles of

smartphones containing evidence of serious crime, but neither the device manufacturer nor law

enforcement can open them even with a judicial order (“U.S. Department of Homeland

Security,” 2015). According to the FBI Director, Christopher Wray, in 11 months, the FBI could

not gain access to over 7,000 phones because of encryption (Locklear, 2017). Device encryption

and E2EE which protect messages at rest and messages in transit, respectively, raise the stakes

for access to these devices by law enforcement (“U.S. Department of Homeland Security,”

2015). Law enforcement can only read end-to-end encrypted messages on the end device, and it

would mean placing itself as the user of the device. If the user is still actively using the phone,

the government can get a warrant to place spyware on the phone such as a keylogger to spy on

the passcode to use in eventually opening the phone or by seizing the phone from the user when

it is unlocked. However, in the San Bernardino case, the user was dead, making the phone

effectively a brick. As law enforcement and governments push to have more authority to read

encrypted messages, technology companies are equally reacting by adding encryption to their

suite of communication applications (Shah, 2016).

Shah (2016) looked at the ramifications of the Edward Snowden leak on U.S. tech

companies. Privacy concerns which emerged as a result of the Snowden leak have had ripple

effects beyond the national security context, as private companies, NGOs, and foreign

governments are now implementing new laws and policies meant to shield them from the NSA

(Shah, 2016). Foreign companies which were clients of giant U.S. tech companies such as

Google and Microsoft have threatened to switch to local internet providers in light of the

suspicious relationship between U.S. tech companies and the U.S. government (Shah, 2016).

ENCRYPTION BACKDOORS AND PRIVACY 35

Considering certain companies are opting for full E2EE on client data, the government is left

with several options allowing law enforcement have full access to such data in light of suspected

criminal or terrorist actions (Shah, 2016). According to Shah, options available to the

government are: compelled decryption, or passing legislation requiring companies to retain

decryption ability to be responsive to law enforcement requests.

Shah (2016) stated advances in cloud storage services and encryption would soon render

the current legal framework of the U.S. government outdated. Preserving the balance between

security and privacy would require updating the warrant regime to better align the incentives of

governments, technology companies, and individual consumers. For example, in December

2013, federal prosecutors obtained a warrant for an email linked to a Microsoft account (Shah,

2016). Microsoft challenged the warrant arguing it could not be applied extraterritorially because

the server hosting the email was located in Ireland, which is out of U.S. territory (Shah, 2016).

Microsoft pointed to the Federal Rules of Criminal Procedure and also made a case for the

statutory presumption against extraterritoriality (Shah, 2016). It contended in order to obtain the

content of the email account, the U.S. government had to go through the bilateral process

established by the Mutual Legal Assistance Treaty (MLAT) between the U.S. and Ireland, an

extraordinarily slow and challenging process (Shah, 2016). According to Shah, regardless of the

outcome, the case highlights the limitations of the current legal framework of the U.S., with a

quickly evolving technology world of cloud computing. Given the need to revisit the current

U.S. legal framework about advances in technology, Barr (2016) examined how current

proposals for encryption backdoors implicate compelled speech issues in a way past attempts to

regulate encryption did not. Barr also analyzed the arguments for and against protecting source

code, he argued source code might only be compelled in the presence of clear and present

ENCRYPTION BACKDOORS AND PRIVACY 36

danger. While law enforcement and governments have been wrangling over policies and

technologies enabling them to intercept and read messages from terrorists and other organized

crime groups, on the one hand, security researchers have, on the other hand, been examining

different implementations of E2EE in the most popular IM applications (Abelson et al., 2015).

Encryption Backdoors

Law enforcement agencies such as the FBI are getting increasingly concerned about their

inability to access private communications and smartphone data (Castro & McQuinn, 2016). The

FBI director Christopher Wray earlier in 2018 declared the situation intolerable (Levy, 2018).

Director Wray said the FBI was locked out of 7,775 devices in 2017 (Levy, 2018). Government

officials such as the U.S. Deputy Attorney-General Rod Rosenstein have expressed the need for

responsible encryption such as backdoors allowing access only with judicial authorization (Levy,

2018). Security experts have contended the global nature of internet services makes compliance

with backdoor requests hard to define and enforce (Abelson et al., 2015).

In an article published by WIRED magazine in April 2018, former Microsoft Chief

Software Architect and creator of Lotus Notes, Ray Ozzie, made a proposal at Columbia

University on how to solve the impasse over secure backdoors between technology companies

and law enforcement agencies (Levy, 2018). In his idea named CLEAR, Ozzie stated his scheme

would give law enforcement agencies access to encrypted data without significantly elevating the

risks for billions of people who use encrypted devices such as mobile phones (Levy, 2018).

Ozzie added the scheme works by technology companies such as Google or Apple generating

two complementary keys: one called the vendor’s public key, stored in every Android phone or

tablet, and the other is called the vendor’s private key (Levy, 2018). The private key is stored

with Google and protected with the same tamper-proof care Google uses to certify its operating

ENCRYPTION BACKDOORS AND PRIVACY 37

system updates (Levy, 2018). A combination of the private and public key pair can be used to

encrypt and decrypt a secret PIN which each user’s device automatically generates upon

activation. It should be noted Ozzie’s scheme attempts to solve the impasse with stored data

(data at rest) and not the interception of real-time communications (data in transit) (Levy, 2018).

According to Abelson et al. (2015), if law enforcement wants to assure itself access to real-time

communications with backdoors, then intruders will also have an easier time getting access to

real-time data.

Renowned cryptographers such as Bruce Schneier were quick to criticize Ozzie’s idea as

barely a proposal and not ground-breaking (Schneier, 2018). According to Schneier, this idea is

no different from the key escrow scheme the government had proposed in the early 1990s.

Schneier contented Ozzie’s idea also suffers from the same shortcomings as the government-

proposed key escrow scheme, namely: (a) the security from hackers of the database for storing

private keys cannot be guaranteed; (b) the scheme requires technology companies to build a co-

processor no one knows how to build yet; and (c) the scheme does not solve any of the policy

problems around the whole system (Schneier, 2018). Ozzie’s proposal requires when a device is

unlocked with CLEAR, a special chip inside the phone blows itself up, effectively freezing the

contents of the phone. This prevents tampering with the contents of the phone (Levy, 2018).

Cryptographers have generally agreed building a backdoor is easy; the tricky part is how to

secure it (Abelson et al., 2015). According to Abelson et al. (2015) law enforcements’ push for

backdoors could potentially cause more damage to the security of the internet today than it

would have done 20 years ago. The storage vault proposed by Ozzie would certainly become the

target of organized criminals and well-funded foreign intelligence agencies (Schneier, 2018).

ENCRYPTION BACKDOORS AND PRIVACY 38

Centralized key repositories, as was proposed by the U.S. government for the Clipper chip, are

basically a magnet for all sorts of attackers (Schneier, 2018).

Exceptional access, also known as a backdoor, would force internet system developers to

reverse some of the great privacy features of strong encryption such as Forward Secrecy, a

design practice seeking to reduce the impact on user privacy when systems are breached

(Abelson et al., 2015). There are also unsolved challenges of guaranteeing access to multiple law

enforcement agencies in multiple countries around the world (Abelson et al., 2015). This is likely

to be an enormously complex, expensive, and unattractive foreign affairs offer (Abelson et al.,

2015). Opponents to backdoors, according to Klein (2016), have referenced the Vodaphone

Greece backdoor incident as an example of the huge risks involved in creating them. According

to Klein (2016), an unknown intruder hacked into Greece’s lawful-wiretap (backdoor) and spied

on phone calls of the president, prime minister, and other Greek politicians before the breach was

discovered. Abelson et al. (2015) stated the spying went on for ten months in 2004 and 2005.

Communications technologies specifically designed to comply with requirements from law

enforcement agencies for backdoors for legal access have turned out to be insecure (Abelson et

al., 2015). For example, in 2010 a researcher from IBM noticed a Cisco architecture designed to

enable compliance for lawful interception in IP networks was found to be insecure and several

carriers in Europe had implemented this flawed architecture since it had been public for several

years, making a significant portion of their network vulnerable to attacks (Abelson et al., 2015).

E2EE implementation in Mobile Applications Today

Herzberg and Leibowitz (2016) examined the implementation of E2EE in popular IM

applications such as WhatsApp, Viber, Telegram, and Signal. IM applications, while used by

billions of people worldwide, have inherent challenges in providing usable encryption. Some of

ENCRYPTION BACKDOORS AND PRIVACY 39

these challenges include E2EE in group chats and multiple device support (portability) (Herzberg

& Leibowitz, 2016). According to Herzberg and Leibowitz, supporting E2EE in group chats on

multiple devices linked to the same account such as on a smartphone and desktop goes beyond

trivial. While WhatsApp and Viber, both proprietary, have implemented E2EE by default for all

conversations, Telegram, on the other hand, is an open-source cloud-based service and by

default, all Telegram messages are client-server encrypted (Herzberg & Leibowitz, 2016). Users

of Telegram, however, can create secret chats in which all messages are end-to-end encrypted

(Herzberg & Leibowitz, 2016). The implementation of E2EE in both WhatsApp and Viber is

based on Signal’s security protocol (Herzberg & Leibowitz, 2016). According to Rastogi and

Hendler (2017), Signal Protocol supports forward secrecy which prevents previously transmitted

messages from being decrypted and read if the communication channel is compromised. Forward

secrecy requires a fresh ephemeral key to be generated for every message issued (Rastogi &

Hendler, 2017). Signal Protocol uses the following key types (Rastogi & Hendler, 2017):

 Identity key pair, a long-term Curve25519 key pair generated at install time for all

asymmetric cryptographic operations.

 Signed pre Key, a medium-term Curve25519 key pair.

 Pre Keys, also Curve25519 keys but for one-time use. These are used actually to encrypt

the message.

The goal of usable encryption is to provide every standard user with the ability to encrypt

messages over a secure channel (Herzberg & Leibowitz, 2016). All four applications examined

by Herzberg and Leibowitz (2016) used two modes of E2EE: opportunistic E2EE mode, which

requires almost no user interaction, and authenticated E2EE mode, which requires considerable

user interaction. Herzberg and Leibowitz in their research mentioned the classical definition of

ENCRYPTION BACKDOORS AND PRIVACY 40

E2EE as contained in security and cryptographic literature, E2EE is used only for encryption

offering a defense against a rogue Man-in-the-Middle (MitM) operator as provided in

authenticated mode only. This study by Herzberg and Leibowitz focused on the authenticated

E2EE mode. This mode alone represents the classical definition of E2EE, and it ensures

confidentiality even against a rogue operator (Herzberg & Leibowitz, 2016). This mode,

therefore, is required to protect against privacy breaches even from potent adversaries who may

coerce and manipulate the operator. This paper examined how the advancements in mobile

phone technologies have also brought about the ubiquity of IM services, amongst which the most

popular are WhatsApp, Viber and Telegram messengers (Herzberg & Leibowitz, 2016). These

messaging services allow users to communicate with friends and family through text, video,

phone calls, and shared files. Communications could also be in groups (Herzberg & Leibowitz,

2016).

Sutikno, Handayani, Stiawan, Riyadi, and Subroto (2016) compared WhatsApp, Viber,

and Telegram based on features such as ease of use, confidentiality and privacy through E2EE,

the total number of users on each platform, and how feature-rich each application is. Sutikno et

al. revealed, WhatsApp, which was acquired by Facebook Inc. in 2014, is the most popular

messaging application with over one billion users. WhatsApp provides services for text and

audio messaging, free voice calls and exchanges of photos and videos (Sutikno et al., 2016).

WhatsApp has become the top-of-mind brand name in the IM market because it has also enjoyed

a lot of word-of-mouth publicity (Sutikno et al., 2016). Sutikno et al. also stated WhatsApp is ads

free and has a web-based application which runs on the Chrome browser, and a desktop version

for Windows, too.

ENCRYPTION BACKDOORS AND PRIVACY 41

Viber, on the other hand, is the most feature-rich app of the three (Sutikno et al., 2016). It

has a high-quality video call feature and also provides voice services allowing users to dial any

mobile number, independent of whether the receiver has Viber installed or not (Sutikno et al.,

2016). Viber like WhatsApp also allows its users to send photos; users can use their fingers to

draw pictures they can send. Of the three IM services, Viber was the first to offer voice and

video calls. It also offers better voice quality with less noise through all bandwidths than the

other two apps (Sutikno et al., 2016).

Telegram, initialized in August 2013 by the Russian-born entrepreneur Pavel Durov is a

free and favored service like the other three and is based on open-source platform (Sutikno et al.,

2016). It also offers an ad-free environment with a clean and fast interface, Sutikno et al.

asserted. Telegram is the Russian version of WhatsApp (Sutikno et al., 2016). Telegram has

earned the status as the most popular social network in more than 40 countries; it is also the most

downloaded application in the Google Play Store (Sutikno et al., 2016). In conclusion, Sutikno et

al. (2016) asserted the three applications boast of strong E2EE. WhatsApp is favored for its

simple interface and ease of use, while Telegram is reputable for being the most secure. Viber,

on the other hand, is the most functional messenger of the three, and it owes this superiority to its

abundance of features and call options (Sutikno et al., 2016). WhatsApp and Viber use

authenticated mode of encryption as described by Herzberg and Leibowitz (2016).

Ali and Sagheer (2017) investigated the security and confidentiality of users’ information

on IM applications by building a secure chatting application with E2EE for Android OS

smartphones. Smartphones and tablets have become more than communication devices, they

have become an incorporated portion of our lives (Ali & Sagheer, 2017). It is, therefore,

important for security to be a key consideration in the design of all software put on the phones,

ENCRYPTION BACKDOORS AND PRIVACY 42

most especially, communication applications, as governments and malicious individuals are

always trying to hack servers and reveal personal information of their users (Ali & Sagheer,

2017). In their research, Ali and Sagheer outlined the problem they were investigating by saying

a large number of applications in the app markets claim they provide security, integrity, and

confidentiality to users’ information. However, hacked information proves many developers do

not give primary consideration to security when designing their applications (Ali & Sagheer,

2017).

In their implementation of E2EE protocol, Ali and Sagheer (2017) used Elliptical Curve

Diffie Hellman (ECDH) key agreement protocol for sharing the secret encryption key between

the communicating parties. To guarantee confidentiality, the authors used the symmetric key

algorithms, Advanced Encryption Standard (AES) and Rivest Cipher 4 (RC4), to encrypt all

messages between communicating parties (Ali & Sagheer, 2017). The authors used the RC4

stream cipher specifically for encrypting voice and image messages, and AES 128 block cipher

for text message encryptions (Ali & Sagheer, 2017). To test the usability of their research on

E2EE in real life, Ali and Sagheer tested the encryption and decryption algorithms on some

Android OS smartphones, with different processor speeds and Random Access Memory (RAM).

The results showed acceptable execution speeds for mobile phones, even for ones constrained in

resources such as processing power and memory (Ali & Sagheer, 2017). The authors also

observed and concluded the AES algorithm is a slower block cipher compared to others, but it

provides the highest security (Ali & Sagheer, 2017).

Contrary to the view of most security professionals contending backdoors are a bad idea

and may actually make the system vulnerable to unauthorized attackers (Hawkins, 2018), Ho,

Nistala, and Tu (2016) proposed an E2EE design for the favored messaging application Tinder,

ENCRYPTION BACKDOORS AND PRIVACY 43

with a secure backdoor to access and read messages if necessary. Tinder, founded in 2012, is a

rapidly growing dating startup bringing people together via a mutual opt-in system with over 10

million daily active users (Ho et al., 2016). Message security was largely lacking in Tinder, and

for a platform where people shared a lot of personal information including but not limited to

phone numbers and addresses, it was important to guarantee privacy with the addition of E2EE

(Ho et al., 2016).

Ho et al. (2016) noted prior to their design proposal for adding E2EE to Tinder, the

application used a fairly simple data-at-rest encryption scheme for its users’ messages. This

means data was only encrypted at the servers of Tinder, where users’ messages are stored (Ho et

al., 2016). All transmitted messages were therefore open to eavesdropping as they were all

transmitted in plain text (Ho et al., 2016). In their design of E2EE of a backdoor in Tinder, one

of the steps in their consideration was Tinder should always be able to decrypt messages even

after two users have been unmatched (Ho et al., 2016). Tinder claims this backdoor ability to be

able to decrypt messages was part of their business model of responding to users’ complaints as

requested by law enforcement (Ho et al., 2016). Ho et al., however, concluded a possible

weakness in their design was they could not prevent messages from being read by an active

adversary who previously had access to the messages.

Another study on E2EE authentication but specifically on critical weaknesses in the

security and usability of the code verification methods employed in remote end-to-end encrypted

applications was carried out by Shirvanian, Saxena, and George (2017). The study by Shirvanian

et al. showed most code verification methods offer poor security and low usability in the remote

setting. The study covered several remote/proximity code verification methods deployed by

popular E2EE applications including, WhatsApp, Viber, Telegram, Signal, and a host of others

ENCRYPTION BACKDOORS AND PRIVACY 44

(Shirvanian et al., 2017). The hypothesis for the study was to show remote code verification will

be highly error-prone for end users to implement due to the challenges associated with remote

setting outlines (Shirvanian et al., 2017). WhatsApp Viber, Telegram, and Signal have all

implemented E2EE to hide all communication from attackers as well as the service provider

itself. In the implementation of E2EE, a secret key only known to the communicating parties is

used to encrypt/authenticate all communication between the parties involved in the conversation

(Shirvanian et al., 2017). To share the private key, the end users run a key-exchange protocol

over the insecure public internet (Shirvanian et al., 2017). The result of this initial key exchange

is a master key which is used subsequently to generate session keys used for encrypting all the

messages including text, data, and voice (Shirvanian et al., 2017). The initial key exchange is run

over an unauthenticated and insecure channel which makes it susceptible to MitM attacks

(Shirvanian et al., 2017). To prevent potential MitM attacks against this key-exchange protocol,

E2EE applications compute a readable/exchangeable security code (Shirvanian et al., 2017). This

security code is used to provide end-to-end authentication (Shirvanian et al., 2017).

The results of this study by Shirvanian et al. (2017) showed the code verification methods

deployed in E2EE applications suffer from several issues with respect to security and usability,

arising from human errors in verifying the codes in the remote settings. While the

implementation of security in E2EE used in WhatsApp and other favored IM applications has

been reviewed and analyzed by security experts around the world, other studies have been

carried out specifically on the potential impact of E2EE on WhatsApp and how it affects national

security (Endeley, 2018).

Endeley (2018) presented the benefits of E2EE on consumer privacy and security, and

also outlined some of the challenges it poses to public safety and national security. According to

ENCRYPTION BACKDOORS AND PRIVACY 45

Endeley, WhatsApp has emerged as the most popular messaging service today, and it uses E2EE

in transmitting user data. According to Constine (2018), the CEO of the parent company of

WhatsApp, Facebook, announced in a meeting held in the fourth quarter of 2017 WhatsApp

messaging platform had 1.5 billion users and transmitted over 60 billion messages per day. With

so many subscribers worldwide, WhatsApp is the first application to implement E2EE to this

scale (Rastogi & Hendler, 2017). This feature has led to strong complaints from law enforcement

agencies arguing the addition of E2EE will deprive them of critical evidence (Castro &

McQuinn, 2016). Governments would want a backdoor to the encryption in such apps to access

messages but have emphasized the backdoor would only be used in circumstances where there is

a credible threat to national security (Brantly, 2017).

Security Fundamentals of WhatsApp

Prior to WhatsApp’s implementation of E2EE in 2016, the application had come under

intense pressure for multiple security lapses from security professionals (Rastogi & Hendler,

2017). According to Rastogi and Hendler (2017) WhatsApp’s negligence towards making its

platform secure made it an easy target for attackers. In 2011 for example, the application

verification process used for authenticating users was found to be insecure; experts were able to

perform session hijacking attacks on the application (Rastogi & Hendler 2017). Session

hijacking is a vulnerability in the application where experts can exploit valid user sessions by

successfully hijacking several user accounts and impersonating them (Rastogi & Hendler, 2017).

E2EE not only makes it theoretically impossible for an eavesdropper to access messages

in a conversation, but it also makes it theoretically impossible to access transmitted data even

after the traffic has been intercepted (Rastogi & Hendler 2017). According to a security

whitepaper by WhatsApp (2017), even if encryption keys on a user’s device are compromised,

ENCRYPTION BACKDOORS AND PRIVACY 46

the intruder cannot go back in time to decrypt previously transmitted messages; this feature in

WhatsApp’s implementation of E2EE is called Perfect Forward Secrecy or sometimes simply

called Forward Secrecy. WhatsApp E2EE was built using the Signal Protocol; this protocol was

chosen because it offers forward secrecy, plausible deniability, and repudiation (Rastogi &

Hendler 2017). Repudiation means a message receiver can be sure where a message came from.

However, repudiation cannot prove to anyone else the sender is the person who is the originator

of the message; the inability to prove the originator of the message in encryption is called

deniability (“Open Whisper Systems,” 2013). Repudiation is possible through the Signal

Protocol because each member in a participating WhatsApp conversation has a long-term key

which they use to sign an ephemeral key (Rastogi & Hendler, 2017). This ephemeral key is

exchanged among members to calculate the shared secret key using the Diffie-Hellman key

exchange protocol (Rastogi & Hendler 2017). This established shared key is what is used to

encrypt subsequent messages (Rastogi & Hendler 2017).

Message authenticity and integrity is guaranteed in WhatsApp conversations by each

participant generating three keys from the shared secrets obtained during the exchange of the

ephemeral keys (Rastogi & Hendler 2017). The first and second keys are a sending and receiving

cipher key, and the third is a set of Message Authentication Code (MAC) keys also called

ephemeral keys (Rastogi & Hendler, 2017). It is these MAC keys which confirm message

authenticity and integrity as they are transmitted with every message. Authenticity cannot be

denied because each receiver is capable of producing a sender’s MAC key (Rastogi & Hendler,

2017).

ENCRYPTION BACKDOORS AND PRIVACY 47

The Worldwide Impact of the Use of WhatsApp

Rashidi, Vaniea, and Camp (2016) carried out a study in Saudi Arabia on privacy

concerns using the WhatsApp application. According to Rashidi et al., the flood of Mobile

Instant Messaging (MIM) applications such as WhatsApp, Google Hangouts, Snapchat and

Facebook messenger on the application markets today have also come with the visibility and

unexpected exposure of personal information. While most applications provide settings to users

allowing them to limit the amount of information visible to intended and unintended audiences,

these controls do not always match the users’ expectations and needs (Rashidi et al., 2016).

Rashidi et al., in reviewing literature prior to their research, found out the definition and extent of

privacy concerns vary with different cultures. In their research in the Kingdom of Saudi Arabia

(KSA), Rashidi et al. explored the effectiveness of coarse-grained privacy settings in WhatsApp,

in managing the privacy of users in the KSA.

Rashidi et al. (2016) through an administered survey discovered WhatsApp users enjoyed

the simplicity of the application but would prefer the ability to limit the visibility of information

to specific people. Participants who responded to the survey were recruited using the snowball

sampling methodology through WhatsApp itself (Rashidi et al., 2016). Respondents were also

concerned about strangers being able to contact them through WhatsApp (Rashidi et al., 2016).

WhatsApp uses phone numbers as the unique identifier of its users. When a new user joins

WhatsApp, the user is prompted to provide their phone number, and the application also takes

the user through a verification process (Rashidi et al., 2016). Further, all the contacts in the

user’s cell phone contact list are automatically added to the user’s WhatsApp contacts if these

contacts already have a WhatsApp account (Rashidi et al., 2016).

ENCRYPTION BACKDOORS AND PRIVACY 48

WhatsApp Privacy Concerns on the Youth

According to Rashidi et al. (2016), users of MIM have three areas of concern for privacy

• privacy of people not on your contact list,

• privacy regarding availability, and

• privacy regarding the content of MIM communications.

WhatsApp displays profile information such as when a person last logged in, their current status,

profile picture (display photo), and current location (Rashidi et al., 2016). While some people

may be inclined to hide this for privacy concerns, Rashidi et al. argued sharing it also enables

improved coordination with other people. In the study carried out by Patil and Lai, office

workers found sharing status information during work hours was beneficial to work coordination

and also acceptable from a privacy perspective (as cited in Rashidi et al., 2016).

Privacy and security have been ongoing work for the WhatsApp team (Rashidi et al.,

2016). WhatsApp has been continuously altering the way privacy is managed on the application

(Rashidi et al., 2016). The Office of the Privacy Commissioner of Canada (OPC) in 2013

determined WhatsApp was breaching privacy laws (Rashidi et al., 2016). WhatsApp was

violating certain internationally accepted privacy principles, mainly in relation to the retention,

safeguard, and disclosure of personal data. WhatsApp has so far addressed a good number of the

privacy and security concerns since then by including encryption in 2016 and sharing of status

messages. (Rashidi et al., 2016)

In a separate study to examine the use of WhatsApp messenger amongst students in

tertiary institutions in Ghana, Yeboah and Ewur (2014) looked at the intensity of usage and how

WhatsApp affected their academic performance. The study’s objectives were to assess the

impact of the use of WhatsApp messenger on students as well as to also determine the

ENCRYPTION BACKDOORS AND PRIVACY 49

relationship between the use of the application and academic performance (Yeboah & Ewur,

2014).

Yeboah and Ewur (2014) reviewed the literature examining social media and the various

definitions of social media in public and academic use. Yeboah and Ewur argued social media

accounted for nearly one-quarter of all internet activity, with LinkedIn having over eighty

million users in over 200 countries. For this study, the researchers made use of primary and

secondary data (Yeboah & Ewur, 2014). Primary data was obtained using a questionnaire pilot-

tested for 30 students, 25 from Accra Polytechnic and five from Kumasi Polytechnic using

online, postal and telephone surveys (Yeboah & Ewur, 2014). A total of 550 representatives

from five tertiary institutions were surveyed. Students were asked why they most often used

WhatsApp on their mobile phones (Yeboah & Ewur, 2014). The respondents reported the

number of hours each of them spent on WhatsApp per day (Yeboah & Ewur, 2014). While only

4 % spent 1-2 hours, 17% spent 3-5 hours per day, 31% spent 6-7 hours and 48% spent more

than 8 hours per day (Yeboah & Ewur, 2014). The study showed an average student spends over

8 hours every day engaged in using WhatsApp on their mobile phone (Yeboah & Ewur, 2014).

Yeboah and Ewur (2014) concluded WhatsApp is a necessary evil for students of tertiary

institutions in Ghana. If negatively used, WhatsApp can seriously affect a student’s performance;

areas of such negative impact included reducing a student’s study time, procrastination of related

problems, destruction of students’ grammar and spelling abilities, amongst others.

In a similar study in India, Jisha and Jebakumar (2014) investigated the usage of

WhatsApp mobile application among youth, aged between 18 and 23 years in Chennai, India.

Jisha and Jebakumar sought to: (a) investigate the intensity of usage of WhatsApp amongst youth

in the Chennai region; (b) explore the various ways WhatsApp is used, and (c) find out the

ENCRYPTION BACKDOORS AND PRIVACY 50

frequency and interactivity of WhatsApp amongst its users. Jisha and Jebakumar went ahead to

review the literature on some of the previous studies on WhatsApp and the youth both locally in

India and internationally. The review included previously cited research conducted in Ghana on

the negative impact of WhatsApp on student performance (Jisha & Jebakumar, 2014). Other

studies reviewed were ones done in India, on Indian youth preference of WhatsApp and

Facebook over SMS (Jisha & Jebakumar, 2014).

Jisha and Jebakumar (2014) conducted this study using online questionnaires to assess

the demographics of youngsters, their smartphone details, a ranking of WhatsApp usage, among

other parameters. The sample size was limited to 100 college students in the Chennai region who

possessed smartphones and were users of WhatsApp (Jisha & Jebakumar, 2014). Results from

data collected indicated young people from Chennai use WhatsApp mainly for communication

and to update their social media status on a regular basis (Jisha & Jebakumar, 2014). The various

features available and the great speed in sending and receiving messages were added advantages

to the widespread use of WhatsApp amongst college students in Chennai (Jisha & Jebakumar,

2014). The paper concluded WhatsApp had created a sense of belonging, proximity, and

intimacy with friends and relatives (Jisha & Jebakumar, 2014). WhatsApp has become one of the

reasons for smartphone penetration in India and has developed the tagline of being simple,

personal, and real time (Jisha & Jebakumar, 2014).

Overview of Proposed Historical Solutions

According to Endeley (2018) and Lewis, Zheng, and Carter (2017), the risks to public

safety presented by encryption have not reached the level justifying restrictions or a design

mandate. The encryption issues law enforcement faces today may be frustrating, but they are

quite manageable (Lewis et al., 2017). In a survey of 100 security experts published by Hawkins

ENCRYPTION BACKDOORS AND PRIVACY 51

(2018) in the Washington Post, 72% said the inability of the FBI to access encrypted cell phones

during an investigation does not leave the country less safe. On the contrary security experts

agree Americans would be just as safe, if not more so, without a backdoor (Hawkins, 2018).

Removing E2EE in WhatsApp will not be a lasting solution because criminals would create their

own E2EE software allowing them to communicate securely while ordinary users will lose the

ability to send genuinely private messages on WhatsApp (Lewis et al., 2017).

Lewis et al. (2017) analyzed the debate on making strong, unrecoverable encryption, over

recoverable encryption available to the public. According to Lewis et al., encryption helps

protect data from cybercriminals and spies; national interest is, therefore, best served by the

increased use of encryption. Lewis et al. further stated no law enforcement or intelligence

community personnel they interviewed in their research disputed the need to encourage strong

encryption. At the same time, there is a growing risk to public safety as terrorists, child

pornographers and organized crime are all drawn to the use of unrecoverable encryption

platforms which are technically impossible to access by law enforcement (Lewis et al., 2017).

Lewis et al. (2017) further revealed even with the rapid growth of encryption, the share of

traffic of interest to law enforcement and unrecoverable due to E2EE is very small. Currently,

only 18% of global communication traffic is end-to-end encrypted. It is estimated this number

would rise to 22% by 2019. Lewis et al. also stated it is unclear how damaging increased

encryption use is for law enforcement, nor is it clear if increased encryption use leads to an

increase in crime. The researchers concluded publicly available data on major terrorist attacks

reveals terrorists’ distrust Western encryption. They rely more on burner phones and prearranged

codes to evade surveillance (Lewis et al., 2017).

ENCRYPTION BACKDOORS AND PRIVACY 52

According to Inserra et al. (2015), giving the FBI special access to a master encryption

key would undermine the security of technology systems; either cybersecurity is of paramount

importance or law enforcement gets exclusive access to catch the criminals and terrorists, thus,

compromising cybersecurity. Some scholars have, however, contended, Google, for example,

decrypts Gmail and Gchat for its business reasons, and there has been no reported security

incident as a result of this, nor has Google ever taken a position, saying the system is insecure

because of this feature (Inserra et al., 2015). Therefore, decryption by law enforcement may not

necessarily lead to poor online security (Inserra et al., 2015). Inserra et al. also proposed a

number of possible solutions which would make a backdoor feasible. Amongst the possible

solutions were the use of biometrics. Inserra et al. suggested encryption with biometric locks

might solve the inherent security problem of backdoors. However, with a biometric encryption

lock, decryption will also only be possible with the same biometric lock (Inserra et al., 2015).

Therefore, law enforcement would require direct interaction with the individual being

investigated or charged to decrypt his or her phone or listen in on their communications (Inserra

et al., 2015). The Director of the NSA had also proposed a possible solution which was to ensure

the decryption key is not held by a single agency but rather distributed amongst a number of

agencies (Inserra et al., 2015). In this disposition, no single individual or agency will be able to

decrypt messages single-handedly (Inserra et al., 2015). Opponents of this solution have argued

while breaking up keys might improve security and privacy, it may invariably introduce other

vulnerabilities and complexities to the encryption process itself (Inserra et al., 2015). For

example, how will communication across different countries work? Inserra et al. concluded,

therefore, Congress should not support special access for law enforcement, as it will weaken

cybersecurity and incent criminals and terrorists to switch from U.S. applications to foreign ones.

ENCRYPTION BACKDOORS AND PRIVACY 53

Brantly (2017) analyzed calls from liberal democracies around the world to ban

encryption or create backdoors into encrypted messaging applications due to terrorist groups’

increasing use of encryption to plan and coordinate terrorist attacks. Calls for backdoors into

favorite messaging applications using E2EE have become a ritual in the wake of terrorist attacks

in the West (Brantly, 2017). According to Brantley, following the terrorist attacks of March 2017

in London, and the bombing attacks in Manchester in May 2017, it was revealed the terrorists

used the favorite messaging application WhatsApp before the attacks. Following these

revelations, calls were made within the United Kingdom and the United States to make

WhatsApp no hiding place for terrorists.

Brantly (2017) argued there is no significant evidence suggesting any of the attacks

perpetrated against the U.S. would have been prevented had encryption been weakened.

According to Brantly, providing backdoors into favorite messaging applications or weakening

encryption would fail to stop terrorists because the marketplace for messaging applications is

diverse with over 180 different applications on different platforms with 31 of these applications

having general public licenses. This means the code for E2EE is available to terrorist groups,

hence, an easy adaptation of the source code by terrorist groups (Brantly, 2017). Brantly

concluded, even with encryption backdoors, there will still be terrorist attacks because not all

terrorists use encryption to communicate their plans.

Perry (2016) focused on the transformational leadership and idealized influence of Apple

Chief Executive Officer (CEO) Tim Cook on the debate on encryption and privacy. According to

Perry, Cook’s approach was to ensure the U.S. government does not go against the legal

framework by forcing companies to compromise the security of their products or invade the

privacy of their customers. Following the tragic incident of 2015 where two attackers killed 14

ENCRYPTION BACKDOORS AND PRIVACY 54

people in San Bernardino, California, a federal judge ordered Apple to help the FBI unlock the

attacker’s iPhone 5c (Perry, 2016). Tim Cook responded with a 1,100-word document, posted on

the Apple website (Perry, 2016). According to Perry, Cook pointed out granting access to

encrypted customer data would set a legal precedent to expand the powers of government. This

could also lead to other means of uncontrolled electronic surveillance such as location tracking,

accessing phone camera and microphone without the customer’s knowledge, and intercepting

customer data transmissions (Perry, 2016). Cook made a strong argument saying unfettered

access to customer data would undermine not just Apple security, but also global security, as the

legal precedent would be set and other companies would have to comply (Perry, 2016).

According to Sayler (2016), a possible solution to the privacy concerns raised by a court

order forcing a cell phone maker such as Apple to decrypt its iPhone for FBI access, is through a

secure data storage model called Secret Storage as a Service (SSaaS), as a means of securing

consumer data stored in the cloud. As users’ transition from storing data on local storage devices

to third-party cloud storage, they face some undesirable consequences, from increased risk of

data being compromised by hackers, to reduced legal protection from government surveillance

(Sayler, 2016). The model proposed by Sayler relies on users placing limits on the degree to

which they must trust a single third party while still allowing them to leverage the desirable

features of such third party organizations. According to Sayler, in an SSaaS ecosystem, a user

designates one or more trusted Secret Storage Providers (SSPs) with storing and regulating

access to their private secrets (encryption keys, etc.) on their behalf. Existing technologies such

as third-party cloud storage services can then interact with these SSPs via standard interfaces to

access their secrets. Sayler outlined some benefits provided by the SSaaS model over granting

ENCRYPTION BACKDOORS AND PRIVACY 55

the traditional third-party services full and unfettered access to our data. Such benefits include no

single trusted party, separation of duties, and support for existing use cases.

While Ozzie’s proposal to backdoors as described by Levy (2018) only addresses one

aspect of encrypted data, namely encrypted phone storage; it, however, addresses an important

issue which has kept the law enforcement community very concerned. According to the FBI

director, his agency has over 7,000 phones in its possession unable to be unlocked, impeding

investigations (Locklear, 2017). Ozzie’s proposal effectively puts phone manufacturers and law

enforcement agencies in a complementary position to unlock and decrypt data in phones under

investigation (Levy, 2018).

Abelson et al. (2015) have proposed backdoor solutions to encrypted real-time

communication streams namely, phone calls or video calls through an E2EE messaging

application such as WhatsApp. The real-time intercept backdoor proposed by Abelson et al. calls

for public key escrow to be kept by either law enforcement agencies or trusted third parties,

similar to the Clipper chip escrow. According to Abelson et al. the most obvious approach to

allow for law enforcement access would require for example, traffic between Alice in Nigeria

and Bob in Brazil to have their session key also encrypted under the public keys in the police key

escrow in both Nigeria and Brazil. This approach, however, raises serious issues given the global

nature of internet services (Abelson et al., 2015). If an E2EE software sold or used in Brazil will

copy all its keys to its government’s key escrow storage, criminals might buy their software from

vendors not cooperating with the government (Abelson et al., 2015). Criminals in the U.S. might

buy their software from Russia, for example (Abelson et al., 2015).

ENCRYPTION BACKDOORS AND PRIVACY 56

Conclusion

In a closed-door meeting at the U.S. Capitol convened by the Electronic Frontier

Foundation (EFF) in 2018, Erik Neuenschwander, Apple’s manager of user privacy spoke to

Senate staff on the realities of device encryption (Crocker & Cardozo, 2018). In an analogy

similar to the dangers of service providers or government agencies storing encryption keys,

Neuenschwander said even though the days of the Wild-Wild-West are over, there were still

4,200 bank robberies in 2016 (Crocker & Cardozo, 2018). Neuenschwander’s analogy was

drawn from the tradeoffs Apple has had to make between functionality and user privacy (Crocker

& Cardozo, 2018). Apple determined the best way for it to guarantee user privacy was to

completely take itself off the equation of maintaining control of any device encryption keys

(Croker & Cordozo, 2018). If Apple were to maintain any encryption keys on its servers, those

would immediately become the target of attackers, no matter what precautions Apple took to

protect them (Croker & Cordozo, 2018). Apple has therefore set user privacy as a priority in its

security plan (Crocker & Cardozo, 2018).

Castro and McQuinn (2016) concluded the U.S. government should not limit the

commercialization of cybersecurity innovations, especially on encryption. The researchers

contended doing so is unlikely to have a significant effect on the ability of terrorists and

cybercriminals to engage in encrypted communications but will make communications by the

average user and business less secure (Castro and McQuinn, 2016). Barr (2016) offered some

possible solutions to enable law enforcement access encrypted information in narrowly tailored

circumstances. One of such solutions would be custom-crafted updates (Barr, 2016). Since Apple

and other cell phone vendors have privileged control over what is included in updates to their

operating system software (OS), Apple or other cell phone vendors could easily include a

ENCRYPTION BACKDOORS AND PRIVACY 57

spyware or special backdoor access as part of the OS update without the user’s knowledge or as

an innocuous update obfuscating the true intention of the update (Barr, 2016). Barr contended if

this is done specifically for an individual with information linking the individual to terrorist or

criminal communications sufficient to allow a warrant, such an approach will not raise

overbreadth concerns. According to Barr, this would be compelled speech sufficiently narrowly

tailored.

According to Gaynor, Omer, and Turner (2017), a basic understanding of encryption and

how it safeguards the privacy of individuals is vital to the safety of personal information such as

health records. Gaynor et al. further stated data security and privacy are complex concepts and

remain foreign to a lot of non-technical professionals. Non-technical professionals do not only

have limited knowledge of encryption and its benefits to safeguarding personal information, but

they also have a limited understanding of what a backdoor would do to existing encrypted

communication (Gaynor et al., 2017).

Chapter Summary

In this chapter (Literature Review) a thorough review of the issues of encryption,

backdoors and civil liberties was conducted. This chapter highlighted research on the

understanding and evolution of the debate on encryption and backdoors, both from the viewpoint

of security experts and legal experts. Additionally, this chapter included a comprehensive review

of the popular messaging applications, and how their spread on smartphones is also an increasing

concern of governments and some government agencies around the world such as the FBI and

the NSA in the U.S. Also, a review of policies certain governments are implementing to

safeguard national security at the expense of individual privacy and cybersecurity was done.

ENCRYPTION BACKDOORS AND PRIVACY 58

Research on the implementation details of E2EE was also reviewed including the weaknesses

and benefits of certain protocols.

Chapter 3 follows, presenting a detailed discussion of the research methodology and the

design appropriateness. The methodology chapter includes a detailed discussion of the survey

population, description of the data collection method using an online survey, data collection

procedures and instruments used to collect the data to show their appropriateness and reliability.

All the information presented in Chapter 3 serves to answer the questions posed by the general

and specific problems statements as cited in Chapter 1. Subsequent chapters will address the

results and conclusions of this study.

ENCRYPTION BACKDOORS AND PRIVACY 59

CHAPTER 3: METHOD

The purpose of this qualitative descriptive research study is to raise awareness for non-

technology professional users of mobile devices on the benefits of encryption for privacy. The

encryption and privacy debate heated up more recently following the prosecution of President

Donald Trump’s former campaign manager, Paul Manafort: United States v. Manafort, District

Court, District of Columbia (Novak, 2018). According to Novak (2018), Manafort was indicted

and convicted amongst other crimes for money laundering and tax evasion. The federal

prosecutors also accused him of witness tampering using end-to-end encrypted messaging

applications WhatsApp and Telegram (Novak, 2018). This research, which was focused on end-

to-end encryption (E2EE), backdoors, and privacy, was accomplished using a qualitative

descriptive design approach. This design method was the most appropriate for this research

because it sought to gain insight into the views and opinions of non-technology professionals

regarding their privacy on public communication platforms. Such an approach was especially

useful for researchers wanting to know the “what” and “how” of events (Dews-Farrar, 2018).

The qualitative descriptive study design, therefore, yielded the right results in answering the

research questions posed in this research study.

This chapter includes a discussion of the research method chosen and the appropriateness

of the design, identification of the research questions, and specific details of the implementation

of the current study. In this chapter, the researcher also discussed the characteristics of

qualitative and quantitative research, and why a qualitative study was selected rather than a

quantitative study. This discussion was used as a framework to evaluate the research design in

relation to the research questions. The results of this study are reported in subsequent chapters.

ENCRYPTION BACKDOORS AND PRIVACY 60

Research Method and Design Appropriateness

This research study used a qualitative analysis methodology. The rationale for selecting a

qualitative analysis for this research was based on the diagnosis of the purpose statement.

According to Creswell (2015), while quantitative research involves analyzing relationships or

predicting variables, qualitative research begins with a single idea or concept called the central

phenomenon; it consists in developing a detailed understanding of the central phenomenon. In

qualitative research according to Creswell, literature review plays a less substantive role than in

quantitative research, but it needs to justify the problem. Based on the purpose statement of this

study, the central phenomenon is encryption and privacy. The researcher examined several

qualitative and quantitative study approaches for their appropriateness to use in this study. The

researcher concluded quantitative focused-studies reduced their findings to numerical

interpretations, the center of which are variables (Dews-Farrar, 2018). This researcher

determined based on the central phenomenon in the purpose statement and on the principles of

qualitative methodology as described by Creswell (2015) and Salkind (2012), a qualitative

approach will be the best way to conduct this research.

Additionally, the researcher did not want to quantify the views and opinions of non-

technology professionals on the impact of the government wanting to create backdoors into

encryption technologies, but rather to acknowledge their expectations of privacy on IM

applications and how this has influenced and created their personal experiences. Such

individuals, per this study would be everyday users of IM applications who do not have an in-

depth knowledge of computers. A qualitative research method would, therefore, seek and capture

their views and opinions about their use of encryption in conserving privacy. A qualitative

analysis methodology would enable research participants to present a more informed account of

ENCRYPTION BACKDOORS AND PRIVACY 61

their lived experiences and to construct their appreciation of the impact of backdoors into

encryption technologies.

Research Design

A qualitative descriptive design was the design methodology selected for this study.

According to Bradshaw, Atkinson, and Doody (2017), qualitative descriptive design represents

the characteristics of qualitative research. Rather than focusing on culture as does ethnography,

the lived experience as in phenomenology or the building of theory as with grounded theory, the

qualitative descriptive design seeks to discover and understand a phenomenon, a process, or the

perspectives, views and opinions of the people involved in the experience (Bradshaw et al.,

2017). The qualitative descriptive design does not emphasize the formation of theory as in the

grounded research theory approach. Instead, qualitative descriptive analysis is the method of

choice when straight descriptions of a phenomenon are desired (Dews-Farrar, 2018). The

selection of a qualitative descriptive design for this study was in alignment with the research

questions in this study which centered on creating awareness and understanding how non-

technology professionals would interpret the impact of government-mandated backdoors into

encryption technologies. The use of a qualitative descriptive design is particularly important

where information is required directly from individuals experiencing the phenomenon under

investigation and where time and resources are limited (Bradshaw et al., 2017). This study was

concerned with understanding how non-technology professionals respond to events affecting

their online activities such as law enforcement advocating for a backdoor into E2EE in IM

services, thus undermining their privacy and security (McCarthy, 2016).

The qualitative descriptive inquiry yielded insightful responses which would not have

been obtainable in a quantitative approach. Within the qualitative descriptive design approach,

ENCRYPTION BACKDOORS AND PRIVACY 62

the central phenomenon of interest is explored with participants in a particular situation and from

a specific conceptual framework with the research question related to the meaning of the

experience. The participants for this study were a purposeful sample of individuals who had the

requisite exposure and experience of the research phenomena being investigated (Bradshaw et

al., 2017). The interactions of a given social unit are investigated, and the participant group is

selected from the population the researcher wishes to engage in the study (Bradshaw et al.,

2017).

Population, Sampling, and Data Collection Procedures and Rationale

This research study posited non-technology professionals have a limited understanding of

the consequences of a government-mandated backdoor into encryption technologies. The general

population of the study were adult users of mobile phones located in the U.S. and running the

end-to-end encrypted IM service, WhatsApp, on their mobile phones. The IM application

WhatsApp was selected for this study because according to Sutikno, Handayani, Stiawan,

Riyadi, and Subroto (2016), it is amongst the most favored IM applications endowed with E2EE.

Jisha and Jebakumar (2014) stated WhatsApp is the fastest growing IM application as most

young people are moving away from Facebook. WhatsApp enjoys global favorability with a user

base of over 1.5 billion subscribers. It is also the first application ever to implement E2EE to this

scale (Rastogi & Hendler, 2017). From the target population, the researcher chose a research

sample of 26 participants who met the criteria for participation.

Qualitative researchers have over the years recommended different ranges with regards to

sample size for qualitative inquiry. There are, therefore, no specific rules when determining the

appropriate sample size in qualitative research. It is, however, typical to study a few individuals

or a few cases (Creswell, 2015). According to Salkind (2012), the magic number for qualitative

ENCRYPTION BACKDOORS AND PRIVACY 63

research is around 30, while Latham (2014) asserted 15 participants as a minimum for most

qualitative studies works well. Latham (2014) further stated a sample size of between 15 and 20

participants is a “sweet spot” for a homogenous group. In accordance with the aforementioned,

the research will engage with a sample size of 26 participants. The sample size of 26 for this

research study meets the saturation limit in qualitative descriptive research as shown in similar

research carried out by Dews-Farrar (2018) using the same design. The participants had to meet

the following criteria: (a) Participants had to be owners of a mobile phone running the latest

version of the WhatsApp application. (b) They had to be willing to participate in an online

survey, or a face-to-face interview with the researcher. (c) They had to be non-technology

professionals who at the time of this study did not have any experience working in technology or

hold any diploma or certification in computer science, computer security or computer

networking. (d) Participants had to be willing to give honest accounts of their views and opinions

about privacy and national security.

Sampling

After obtaining Institutional Review Board/Academic Review Board (IRB/ARB)

approval, the researcher initiated the participant recruitment process. Purposeful sampling,

specifically the snowball sampling methodology, was used for the selection of the 26

participants. Purposeful sampling involves the selection of individuals who are qualified to

provide in-depth information about the phenomenon being researched. Snowball sampling is a

sub-category of purposeful sampling and has the advantage that after observing the initial

participants, the researcher asks for assistance from the participants to help identify people with a

similar trait (Creswell, 2015). Non-technology professionals like themselves who meet the

requirements for the sample population (Creswell, 2015). Snowball sampling is a non-probability

ENCRYPTION BACKDOORS AND PRIVACY 64

sampling methodology. Rashidi, Vaniea, and Camp (2016) used snowball sampling in a study on

privacy setting usage in WhatsApp application to recruit participants. The study by Rashidi et al.

yielded relevant results which have contributed to the body of literature on how users manage

privacy settings on IM applications. Snowball sampling generally consists of two steps:

1. The researcher identifies the potential participants in the population. Often, only a

handful.

2. The researcher asks the identified participants to recruit other participants. The chain

continues until the sample size is reached.

According to the Bureau of Labor Statistics of the “U.S. Department of Labor” (2017),

States or jurisdictions with the highest location quotient for information technology experts are

Virginia with 4.71, Maryland with 2.50, and the District of Columbia with 2.25. The location

quotient is a way of quantifying how concentrated a particular industry or occupation is in a

particular region or State, in reference to the entire nation. The States ranking with the lowest

location quotient for information security experts are New Mexico, Missouri, and Colorado

ranking 1.33, 1.37, and 1.41 respectively. The State of Minnesota falls in the middle of the

rankings with 1.65 as its location quotient for information security experts. The average rankings

in the distribution of technology professionals in Minnesota in relation to the rest of the country

make it an ideal candidate for the target population of this study. In technologically dense states

there is a higher likelihood that more people will be working for a technology company even

though they do not work directly with technology. The selection of the state of Minnesota

eliminated possible biases of participants from technologically dense states such as Virginia or

sparsely dense technology states such as New Mexico.

ENCRYPTION BACKDOORS AND PRIVACY 65

In addition to the above, the “U.S. Department of Labor” (2017) data showed that the

state of Minnesota also had a diverse labor force in non-technology professional jobs such as

medical device technology, healthcare, and hospitality industries amongst others. Since the

interest of the researcher was in non-technology professionals, a state with such rich, and

balanced diversity made a good sample state. Further, the researcher resided in Minnesota which

significantly reduced the cost of the research. The selected participants in this research did not

include children, minors, or convicts. All participants were 18 years or older.

Informed Consent

All prospective participants were informed of the purpose of the study and were required

to sign an informed consent form (Appendix B) recording their acceptance to participate in the

study. Participants in the paper-based survey signed a printed copy of the informed consent form

while those taking the survey online signed an online version. The researcher created special

folders named P1 – P26 (representing the 26 participants) in the Capitol Technology University-

provided secure cloud storage drive, OneDrive, where each participant’s completed surveys were

securely stored after the analysis is completed. The paper copies were destroyed after scanning.

Confidentiality and Anonymity

Participants were assured of the anonymity and confidentiality of the process in the

informed consent agreement; no identifying values were linking the information to the

participant, and not even the researcher was able to identify a specific participant. All agreements

between the researcher and the participants, including pilot test participants were safely stored on

the secure drive in folders. This storage drive guaranteed the confidentiality of all participants in

the study.

ENCRYPTION BACKDOORS AND PRIVACY 66

Data Collection and Data Sources

Data was collected through an online or a paper-based survey. Since the research study

was designed for non-technology professionals, it was possible that not all of the participants

will have access to the internet or own a computer. Hence, the need for a paper-based version of

the survey. Data from the survey provided answers to open-ended questions so that the

participants could best voice their experiences unrestricted by the influence or perspectives of the

researcher or past research findings (Creswell, 2015). Data from the online survey was collected

using the online survey tool called SurveyMonkey. SurveyMonkey is an online web tool that

allows you to launch any kind of professional online survey project, be it for market research, a

quick poll, competitive analysis, customer or the employee feedback (“SurveyMonkey Inc,”

2019). This easy-to-use platform allows you to tailor your surveys according to your defined

target audience. Advanced features in SurveyMonkey help all kinds of professionals to conduct

different types of surveys online and get real-time results by reaching out to millions of

respondents (“SurveyMonkey Inc,” 2019). The vast amount of data collected can easily be

analyzed through data analysis and reporting features offered by SurveyMonkey

(“SurveyMonkey Inc,” 2019). Moreover, for further collaborative purposes, the data and report

analysis can be exported into different formats and shared across teams. It also has a paid version

that includes programs that can perform data analysis, bias elimination, and more. This study

used the paid version. The paper-based questionnaires were conversations between the researcher

and each participant; they were designed to elicit the interviewee’s knowledge or perspective on

the phenomenon under study. (“The Open University,” 2017). Questions were mostly open-

ended.

ENCRYPTION BACKDOORS AND PRIVACY 67

Participants were contacted at local libraries, coffee shops, and other social gatherings.

Online participants were contacted via the professional online tool LinkedIn and also via

WhatsApp chat groups where the survey link was advertised. The variability of the responses to

the questions during the pilot phase helped in deciding whether a question was well-worded,

understandable, if it should be open-ended or not, and if it should be included in the

questionnaire or not.

Pilot Study

Prior to collecting data for this study, a pilot study was conducted with five participants

recruited from the study population. This was to establish the validity, functionality, and

comprehensibility of the questions contained therein. According to Fink (2018), the rule of

thumb is to start with five participants and continue with small groups until no new information

is being gained from the pilot study. Participants in the pilot study were not included in the actual

survey. An informed consent agreement was be signed by both the pilot study participants and

the study participants. This pilot group provided feedback and concerns about the survey that

was used to make changes to the instrument. The researcher asked the pilot participants to mark

any poorly-worded questions or responses that did not make sense or seemed to be taking a lot of

time to complete. To help bolster the validity of the survey, all relevant questions regarding the

central phenomenon of this study were included; a range of possible responses were also tested

to try and capture the different views and feelings of the participants. Feedback from the pilot

study was used to revise questions towards more clarity and usefulness.

Reliability

According to Fink (2018), a reliable qualitative survey instrument provides a consistent

measure of the important characteristics of the study despite background fluctuations. A survey

ENCRYPTION BACKDOORS AND PRIVACY 68

instrument that yields consistent results under the same survey conditions is said to be reliable.

The survey instrument for this research was built to be reliable after a successful pilot test. The

survey instrument was also validated using the pilot study to ensure that the information it

provided was an accurate reflection of the participants’ knowledge, attitudes, values, and

opinions. The survey had content validity; the questions accurately represented the

characteristics, opinions, or attitudes they were intended to measure. According to Fink (2018),

the content of the survey instrument could be validated by asking experts of the central

phenomenon of the study whether the questions are representative samples of the opinions and

views the research intends to survey. Alternatively, the researcher could be sure the survey

instrument is reliable and valid by using already tested and published questions. These are

questions which have been carefully tested by other surveyors and researchers in similar

scientific studies and are sometimes found in published peer-reviewed articles.

Validity: Internal

There are two very important concepts in the measurement of internal survey instrument

validity: measurement validity and design validity (Fink, 2018). Measurement validity comes

from the validity and reliability of the survey instrument; it refers to the characteristics of the

survey instrument; whereas design validity refers to the selection of the survey participants

(Fink, 2018). Because surveys work in an imperfect world, even the most carefully designed

studies are influenced by factors over which the surveyors have no control. Participants may

promise to take the survey but may fail to do so in the end. Such risks and others have the effect

of biasing or prejudicing the results of the survey and consequently affecting the accuracy of the

survey.

ENCRYPTION BACKDOORS AND PRIVACY 69

According to Fink (2018), a study has internal validity if its outcome is as a result of or is

caused by the variables that are controlled and manipulated in the study. There are a number of

items that can pose a threat to the internal validity of this survey such as a biased selection of

participants for the survey, the sampling procedure, and the effect of a terrorist attack in the U.S.

while the survey is being conducted (Fink, 2018). The threat of bias in the selection of

participants in this research study were mitigated by the researcher using the snowball sampling

technique for participant selection. Snowball sampling is a tested and proven survey

methodology that has been used in other studies similar to this one such as the study carried out

by Rashidi, Vaniea, and Camp (2016). Sampling errors were minimized for this study by the fact

that the researcher did not have a direct influence on the selection of participants. This is

because, in snowball sampling, the participants are selected by their peers.

Transferability

Transferability in qualitative research is the ability to generalize, or the extent to which

the results of the research apply to other contexts or settings. The context and methods of the

current study such as the characteristics of the participants, including geographic location, age

group, and information technology experience, were thoroughly described in this research to

assist readers who may want to apply the findings to other contexts or settings, do so

appropriately.

Data Analysis

The researcher accumulated ample amounts of data as a result of surveying 26

participants. Qualitative data analysis typically relies on the researcher’s impressions and

interpretations; the researcher, therefore, found it important to recognize the need for a

transparent, thorough, and systematic analysis of the data to ensure the validity of the research.

ENCRYPTION BACKDOORS AND PRIVACY 70

The research questions guiding this data analysis were designed to investigate the phenomenon

of backdoors and privacy in modern IM applications amongst Americans. These research

questions were:

• Do non-technology professionals in the U.S. understand the impact of creating backdoors

into end-to-end encrypted technologies?

• What are the perspectives of everyday users of IM applications regarding the argument

security comes with a price, namely at the expense of privacy?

• To what extent does the knowledge of encryption as technology in safeguarding

consumer privacy affect the use of the internet by non-technology professionals in the

U.S.?

This research utilized the thematic data analysis approach in analyzing data. This

approach is exploratory and requires all the data to be coded, allowing for new impressions to

shape the interpretation of the data in different directions (“The Open University,” 2017). A code

is a word or short phrase descriptively capturing the essence of elements of the data (“The Open

University,” 2017). Thematic analysis involves the researcher searching across the range of data

sources used for the analysis to find repeated patterns of meaning. For this research study, the

researcher searched through interview transcripts and survey responses. Before applying the

thematic analysis, the researcher read the data in its entirety in order to familiarize himself with

it. The researcher took notes and prepared written summaries as he analyzed each survey

response. This enabled the researcher to condense the data into key themes and topics which

shed light on the research question. The researcher then developed a coding framework, which

was a list of codes the researcher used to index and divide the material into descriptive topics and

ENCRYPTION BACKDOORS AND PRIVACY 71

themes. The thematic approach which was used for this research study allowed the researcher to

add new codes to the list as coding and analysis progressed, in an iterative process.

The thematic analysis comprises six discrete steps (Braun & Clarke, 2006). It is worth

mentioning the analysis of data using this approach is not a linear process that progresses from

one step to the other (Braun & Clarke, 2006). Instead, it is a recursive process where the

researcher moves back and forth throughout the phases (Braun & Clarke, 2006).

Phase 1: Familiarization with Collected Data

As mentioned in the data analysis section above, the researcher began data analysis by

the process of familiarization with collected data. This process involved the repeated reading of

the data actively and searching for meanings and patterns (“The Open University,” 2017). This

process of reading over the data several times is time-consuming and justifies why qualitative

research tends to use a smaller sample size, 26 participants in the case of this study

Phase 2: Generating Initial Codes

This phase involved the production of initial codes from the data. Coding is considered

part of the data analysis as the data is being organized into meaningful groups. The entire content

of the data set was coded using the software program NVivo. Qualitative analysis depends to a

good extent on the subjective interpretations of the researcher. Therefore, a combination of

personal judgment and software was used to bring objectivity to the coding process. The end

product of this phase was an identified list of codes.

Phase 3: Searching for Themes

This phase began after phase two was completed; implying all the data had been initially

coded. During this phase, the researcher re-focused the analysis on the broader level of themes.

This involved sorting the different potential codes obtained in phase two into potential themes.

ENCRYPTION BACKDOORS AND PRIVACY 72

During this phase, the researcher was essentially analyzing the codes, categorizing different

codes into overarching themes. The researcher used tables and mind maps to construct a visual

representation to help organize the themes into groups. Some initial codes were used to form

themes; others were used for sub-themes, while others were discarded. This phase ended with a

collection of themes and sub-themes and gave the researcher a sense of the significance of

individual themes.

Phase 4: Reviewing Themes

This phase involved the two-step process of review and refinement of themes put

together in phase three. During this phase, the researcher eliminated some candidate themes after

having observed there was not much data to support them or the data were too diverse. Internal

homogeneity and external heterogeneity defined by Patton (1990) for judging categories were

considered in this phase; data within the themes were checked to make sure they were coherent

and meaningful while maintaining clear and identifiable distinctions between them. Themes

appearing to form a coherent pattern were moved to the second level, which was refinement. The

outcome of the refinement process was a thematic map, which captured all the contours of the

coded data. At this stage, the researcher considered the validity of the captured themes about the

data set. The researcher also evaluated if the thematic map accurately reflects the meanings

evident in the data set as a whole.

Phase 5: Defining and Naming Themes

This phase began after a satisfactory thematic map had been developed; the researcher

then proceeded to define and refine the themes to be presented for analysis. The essence of the

specific and overall meaning of each theme was identified, and the researcher used this

ENCRYPTION BACKDOORS AND PRIVACY 73

information to determine what aspect of data each theme captured. For each theme, the

researcher conducted and wrote a detailed analysis.

Phase 6: Producing the Report

During this last phase, the researcher performed the final analysis of the themes and

produced a final report. According to “The Open University” (2017), writing up a thematic

analysis requires the researcher to tell and convince the reader of the validity of the analysis. The

report provides concise, coherent, logical, and a non-repetitive account of the story the data told,

within the confines of the themes and research questions.

Chapter Summary

This chapter reviewed both qualitative and quantitative research methodologies and

selected qualitative as the most appropriate methodology for conducting this research. This is

because unlike quantitative research which seeks to measure variables, this research centers on a

single idea. The central phenomenon or main idea for this research was end-to-end encryption,

backdoor, and how it affected the privacy of non-technology professionals. The goal of this

research was to analyze the views and opinions of non-technology professionals in the U.S. on

this idea or central phenomenon.

This chapter also reviewed and selected the most appropriate research design for this

study. The researcher reviewed the various qualitative designs such as the grounded theory

approach, the ethnographic approach, the phenomenal approach, the case study, and the

descriptive approach. The researcher selected the descriptive design approach because it strives

to gain insight into the views and opinions of non-technology professionals regarding their

privacy on public communication platforms. The qualitative descriptive study design was

deemed the most appropriate for this research because it is known to yield the best results in

ENCRYPTION BACKDOORS AND PRIVACY 74

answering the type of questions posed in this research and has also been used in similar studies

in the past. This chapter also reviewed sampling techniques and selected snowball sampling as

the most appropriate technique to use in selecting research participants. The internal and external

validity of the survey instrument were also evaluated as well as content validity.

Lastly, the researcher selected thematic data analysis as the choice of methodology to be

used to analyze the data from the survey. The six steps involved in thematic data analysis were

also reviewed, including how the coding of research data was carried out. The results of this

study are presented in Chapter 4.

ENCRYPTION BACKDOORS AND PRIVACY 75

CHAPTER 4: RESULTS

The main objective of this qualitative descriptive research study was to gain insight into

the views and opinions of non-technology professionals regarding their privacy on public

communication platforms. This chapter presents an overview of the population and sample for

this study, including demographic data and criteria for participation. A narrative of collected data

and a summary regarding the number of surveys collected are discussed. Additionally, data

collection, data analysis procedures, and identification of codes and themes are reviewed. The

researcher also recapitulates reliability and validity and presents results from data analysis. This

research study’s results include the presentation of the various themes and their alignment with

the research questions as well as a descriptive narrative in which selective quotes from

participants are embedded.

The researcher established in Chapters 1 and 2, the raging debate between law

enforcement agencies and most of the technology community, over whether law enforcement

should have exclusive access to phones and end-to-end encrypted messaging applications (Perry,

2016). In 2018, an alliance of five countries known as the Five Eyes, which includes the U.S.,

UK, Canada, Australia, and New Zealand, issued a memo demanding that technology companies

create specialized solutions, tailored to their individual systems that are capable of meeting

statutory access requirements (Mark, 2018). According to Max (2016), governments and security

agencies are wrong due to their unfounded belief that strong encryption that protects information

on the internet, can at the same time be made weak in order to grant the government access to

information.

Vaziripour et al. (2018) asserted that non-technology professionals lack understanding of

what an encrypted chat means and does to guarantee security. This research study was, therefore,

ENCRYPTION BACKDOORS AND PRIVACY 76

posited on the central question of whether non-technology professionals understood the impact

of government-mandated backdoors on encrypted public messaging services. A qualitative

descriptive study enabled accurate depictions of participants’ views on the impact of

government-mandated encryption backdoors (Dews-Farrar, 2018). Additionally, the researcher

sought to augment the sparse number of scholarly qualitative descriptive studies concerning end-

to-end encryption (E2EE), backdoors, and privacy.

The survey questions for this research study were formulated to elicit responses that

would unveil the participants’ views and opinions regarding government and law enforcement

agencies’ demand for legislation that will allow them to snoop on online private communications

of smartphone users. The research questions were as follows:

RQ1: Do non-technology professionals in the U.S. understand the impact of creating

backdoors into end-to-end encrypted technologies?

RQ2: What are the perspectives of non-technology professional users of IM applications

regarding the argument security comes at a price, namely at the expense of

privacy?

RQ3: To what extent does the knowledge of encryption as a technology in safeguarding

consumer privacy affect the use of the internet by non-technology professionals?

The qualitative descriptive nature of this study required that the researcher focus not so

much on generating new theory, but on illuminating the lived experiences of the research

participants (Dews-Farrar, 2018).

Pilot Study

The pilot study established the comprehensibility, validity, and reliability of the survey

questions. In a study on the importance of piloting in qualitative research, Abdul, Othman,

ENCRYPTION BACKDOORS AND PRIVACY 77

Mohamad, Lim, and Yusof (2017) mentioned the imperativeness of pilot studies in preparation

for a major study. According to Adul et al., pilot studies can be applied to address potential

practical issues following research procedures. Such studies are distinctly helpful in testing

interview questions and adjusting them accordingly prior to the full study (Adul et al., 2017).

The pilot study for this research consisted of five preliminary participants. The informed consent

agreement was given to each participant, and the researcher obtained approval from all five

participants. The participants were then served with the survey, three with the paper-based

surveys while two participants took it online. Both groups of participants did this with the

researcher present for clarifications and discussions. This allowed the researcher to interact

directly with participants and know if the questions on the questionnaire were clear enough as

well as if participants understood the purpose of the research.

The pilot study revealed that the participants would be better served by defining key

terms such as encryption, end-to-end encryption, and backdoors in the participant consent form

before they got to the survey questions. Participants remarked an early definition of key terms

used in the survey would enable them to fully understand the purpose of the research before

agreeing to participate. The researcher, therefore, defined key terms included in the title of the

research in the consent form. This pilot study also helped the researcher improve the questions in

the survey. Feedback from the pilot study was used to revise the final wording in the survey

questions.

The findings of this pilot study demonstrated the functionality of the survey instrument

and the interest in the research by the target population. Thus, after adjustments to the survey

from recommendations of the pilot study participants, the researcher concluded that the survey

instrument was valid for this study’s topic and served to answer the specific problems posited.

ENCRYPTION BACKDOORS AND PRIVACY 78

Threats to validity and reliability

According to Fink (2018), there are a number of items that can pose a threat to the

internal validity of a survey; these include a biased selection of participants for the survey,

sampling procedure, or as it could be in the case of this research, the effect of a terrorist attack in

the U.S. just before, or while the survey is being conducted. Creswell (2015) recommended that

qualitative researchers select at least two procedures listed below to confirm the validity of the

findings. Creswell’s proposition was as follows: (a) prolonged involvement with research

subjects; (b) triangulation; (c) external review of the research process and results; (d)

acknowledging possible researcher bias at the outset of the project; (e) participant validation of

research results and descriptions; (f) in-depth descriptions, which will enable transferability and

substantiate authenticity; and (g) use computer programs for coding data.

The following guidelines to address threats to validity and reliability were employed in

this qualitative research:

1. The researcher utilized more than one source to substantiate the research. The sources of

data included the paper-based questionnaire and an online survey.

2. To ensure validity and reliability, NVivo Pro 12 qualitative data analysis software was

employed for data coding and finalization of themes.

3. The survey instrument was validated using the pilot study to ensure that the information it

provided was an accurate reflection of the participants’ knowledge, attitudes, values, and

opinions. The survey also had content validity because the questions accurately

represented the characteristics, opinions, or attitudes they intended to measure.

4. The threat of bias in the selection of participants in this research study was mitigated

because the researcher used the snowball sampling technique for participant selection.

ENCRYPTION BACKDOORS AND PRIVACY 79

Snowball sampling is a tested and proven survey methodology that has been used in other

studies similar to this one, such as the study carried out by Rashidi, Vaniea, and Camp

(2016). Sampling errors are minimized by the fact that the researcher does not have a

direct influence on the selection of participants. This is because, in snowball sampling,

the participants are selected by their peers.

5. Transferability in qualitative research is the ability to generalize, or the extent to which

the results of the research apply to other contexts or settings. The context and methods of

the current study such as the characteristics of the participants, including geographic

location, age group, and information technology experience, have been thoroughly

described in this research to assist readers who may want to apply the findings to other

contexts or settings, do so appropriately.

Findings

Forty-six participants in total responded to the survey between May 1, 2019, and May 10,

2019. Twenty of the 46 participants who responded to the survey were eliminated during the data

analysis phase because they did not meet the survey criteria. The participants had to meet the

following criteria: (a) Be the owner of a mobile phone running the latest version of the

WhatsApp application. (b) Be willing to participate in an online survey or a face-to-face

interview with the researcher. (c) Be a non-technology professional who at the time of this study

did not have any experience working in technology or hold any diploma or certification in

computer science, computer security, or computer networking. (d) Be willing to give honest

accounts of their views and opinions about privacy and national security. (e) Be a resident of the

state of Minnesota. Eight of the participants did not reside in the state of Minnesota, one

participant was the holder of an information security certification, five participants had a job that

ENCRYPTION BACKDOORS AND PRIVACY 80

included information technology related activities, and six participants were eliminated due to

the fact they did not complete the full survey. Twenty-six participants completed all the survey

questions. The researcher has, therefore, only included responses of survey participants who met

the survey criteria and completed all the questions.

Ten (38%) of the 26 retained participants completed the survey on paper, while 16 (62%)

completed online. The 10 paper surveys were manually entered into SurveyMonkey for

preliminary analysis before further importing the entire dataset into NVivo data analysis software

for full analysis.

Demographics

Out of the 26 participants who completed the survey, 12 (46.15%) were female, while 14

(53.85%) were male. Participants ranged in age from 25 – 70 years. The largest group of

participants were between the ages of 45 - 54 years (46.15%), with the smallest between the ages

24 – 35 (7.69%) and 65 – 74 (7.69%). Figure 1 below shows the age distribution of participants.

All 26 participants (100%) resided in the state of Minnesota, held no degree or certification in

computer science, and their jobs did not include information technology related activities. Table

1 displays a demographic summary of the participants.

Figure 1. A bar chart showing the age distribution of participants

ENCRYPTION BACKDOORS AND PRIVACY 81

Table 1

Demographic Summary of Research Study Participants

Participant Reside in Minnesota?

Hold computer certification?

Does your job include information technology related activities?

Age Group

Gender

P1 Yes No No 55 to 64 Male P2 Yes No No 55 to 64 Female P3 Yes No No 35 to 44 Male P4 Yes No No 35 to 44 Male P5 Yes No No 45 to 54 Male P6 Yes No No 45 to 54 Male P7 Yes No No 45 to 54 Male P8 Yes No No 45 to 54 Male P9 Yes No No 45 to 54 Female P10 Yes No No 55 to 64 Male P11 Yes No No 45 to 54 Male P12 Yes No No 35 to 44 Male P13 Yes No No 45 to 54 Male P14 Yes No No 25 to 34 Female P15 Yes No No 45 to 54 Female P16 Yes No No 65 to 74 Female P17 Yes No No 45 to 54 Male P18 Yes No No 35 to 44 Female P19 Yes No No 35 to 44 Female P20 Yes No No 45 to 54 Female P21 Yes No No 45 to 54 Female P22 Yes No No 65 to 74 Male P23 Yes No No 35 to 44 Female P24 Yes No No 45 to 54 Male P25 Yes No No 35 to 44 Female P26 Yes No No 25 to 34 Female

Data Analysis Procedures

The analytical approach used for this research study was the thematic analysis. Thematic

analysis is the classification, examination, and description of themes within qualitative data

(Braun & Clarke, 2006). Braun and Clarke’s six-phase process for inductive thematic analysis

ENCRYPTION BACKDOORS AND PRIVACY 82

was implemented in this study. The steps were as follows: (a) familiarize yourself with the data;

(b) generate initial codes; (c) search for themes; (d) review the themes; (e) define and name

themes; (f) produce the report. According to Braun and Clarke, the identification of themes

across the data set is key to analyzing and understanding the relationships between the data and

the research questions.

The first phase of data analysis in this research study involved reading the survey

submissions several times. This resulted in familiarity with the data in preparation for initial

identification of codes. There were a total of 14 questions in the survey and these were divided

into two sections. The first section, which consisted of seven questions was to ensure participants

met the survey criteria and also to gather demographic data. The second section contained seven

open-ended questions on end-to-end encryption, backdoors, and privacy.

The second phase in the thematic analysis involved generating initial codes or coding.

According to Creswell (2015), coding is the process of segmenting and labeling text to make

sense out of the text data from your survey. Coding is an inductive process of narrowing data

down into a few themes (Creswell, 2015). Codes are applied to words, sentences, and paragraphs

to recognize and categorize important concepts in the data that are related to the research

questions (Creswell, 2015). Qualitative analysis depends to a good extent on the subjective

interpretations of the researcher (Creswell, 2015). Therefore, a combination of personal

judgment and software was used to bring objectivity to the coding process. After several

readings of the submitted data, various words, sentences, and paragraphs were highlighted, and a

mark-up was created from each survey in which initial codes were affixed. Individual surveys

were first manually coded to determine preliminary codes and probable themes. Multiple

readings of the survey submissions and initial manual coding presented the opportunity to be

ENCRYPTION BACKDOORS AND PRIVACY 83

fully engaged with the data and gain an unquestionable understanding of the phenomenon. After

this was completed, all the survey submissions were then exported from SurveyMonkey into

NVivo 12 Plus data analysis software program for auto-coding. NVivo 12 Plus for Windows was

the software tool selected to assist in the process of coding and analyzing the data for this study.

NVivo 12 Plus is a qualitative data analysis software developed by QSR International; it assists

with managing and analyzing unstructured data by breaking that data into nodes that help

describe the larger emerging pattern (Hilal & Alabri, 2013). For this research study, the units of

analysis were the words, phrases, and sentences conveyed by non-technology professionals.

Employment of data analysis software enabled a thorough in-text query of recurrent

words in the submissions and scrutiny of the contexts in which the words were used. Utilization

of NVivo software provided the opportunity to perform another round of coding to confirm the

findings from manual coding. This process allowed for the finalization of codes and eventual

development of a codebook. The development of the codebook involved the creation of a list of

initial codes for each survey submission. NVivo identified 186 initial codes in the data for 1,266

references.

The third phase in the thematic analysis involved the identification of themes (Braun &

Clarke, 2006). Vaismoradi, Jones, Turunen, & Snelgrove (2016) defined a theme as an

inferential topic formed by recurring ideas and patterns in the recounts of participants’

experiences. Themes are related to codes (Creswell, 2015). Themes (also called categories) are

similar codes aggregated together to form a major idea in the dataset (Creswell, 2015).

Vaismoradi et al. posited that the primary criterion for the identification of a theme is its

appositeness to the overarching research problem and research questions, and as such, relevance

is not necessarily quantifiable. NVivo 12 Plus data analysis software aided in clustering

ENCRYPTION BACKDOORS AND PRIVACY 84

comparable codes and establishing themes. Six themes emerged from the data analysis, namely:

government and privacy, information, encryption, activities, communications, and social media.

The themes were representative of participant-generated conceptualizations regarding the

phenomenon encryption, backdoors, and privacy. Figure 1 below gives a visual representation of

the six major themes generated from the refinement of the initial codes through the process of

eliminating redundancies and analysis (Creswell, 2015).

Figure 2. A pie chart of the six themes generated from the research study

Major and minor themes were generated for this study using NVivo software. According to

Creswell (2015), major themes represent the important ideas in the dataset, while minor themes

represent secondary ideas. Twenty-eight minor or subthemes were identified in this study. Figure

Government and Privacy

25%

Information 19%

Encryption 16%

Activities 16%

Communicati on

12%

Social Media 12%

ENCRYPTION BACKDOORS AND PRIVACY 85

3 below shows a thematic map of the major and minor themes. The size of each area reflects the

number of coding references; a larger area indicates more coding references.

Figure 3. A thematic map of the major themes generated in the research study

The researcher validated phase four in the thematic analysis approach, as suggested by

Braun and Clerke (2006) by rereading the survey submissions and reassessing the codes and

themes generated by the NVivo data analysis software. Some candidate themes were merged to

form a more coherent and meaningful theme; government and privacy themes were merged to

form a single theme. The themes were validated as having a connection to the research questions

and the overall research problem. The finalization of phase four led to phase five, which was to

refine the themes and present them for data analysis. Braun and Clarke (2006) asserted that the

ENCRYPTION BACKDOORS AND PRIVACY 86

researcher should not only be able to explain the relationship between the themes and the

research questions but should additionally be prepared to construct an analysis of each theme.

Each theme should portray the participants’ collective perceptions of the phenomenon under

research Braun and Clarke (2006). Figure 4 below shows the relationship between the research

questions, codes, and themes.

Figure 4. The relationship between research questions, codes, and themes

Results

The presentation of results in this section marks phase six of the thematic data analysis

process (Braun & Clerke, 2006). There were three research questions for which the 26 survey

participants fully responded. The three research questions mentioned earlier above are addressed

according to their related theme. Six themes emerged from the data analysis. These themes

represent the survey participants’ conceptualization regarding the phenomenon of the

Research Questions

Theme 1 Theme 2 Theme 3

Codes Codes

Codes Codes Codes

CodesCodesCodes

Codes

Codes

ENCRYPTION BACKDOORS AND PRIVACY 87

government exploring ways to implement encryption backdoors in popular messaging

applications such as WhatsApp. Table 3 below presents the research questions and the

corresponding themes that emerged from data analysis.

Table 2

Research Questions, their Corresponding Themes, and Survey Questions

Research Questions Related Themes and Survey Questions

RQ1: Do non-technology professionals in the U.S. understand the impact of creating backdoors into end-to-end encrypted technologies?

1) Government and Privacy Corresponding survey questions 11, 13, 15

RQ2: What are the perspectives of non- technology professional users of IM applications regarding the argument security comes at a price, namely at the expense of privacy?

1) Information, 2) Activities, and 3) Communication Corresponding survey questions 10, 11, 12

RQ3: To what extent does the knowledge of encryption as a technology in safeguarding consumer privacy affect the use of the internet by non-technology professionals in the U.S.?

1) Social media, 2) Encryption Corresponding survey question 14

Total Number of Research Questions: 3 Total Number of Themes: 6

Research Question 1: Do non-technology professionals in the U.S. understand the

impact of creating backdoors into end-to-end encrypted technologies? One theme emerged from

participant responses to this question, and it was government and privacy.

ENCRYPTION BACKDOORS AND PRIVACY 88

Theme 1. Government and Privacy. The most prevalent theme for the entire survey was

government and privacy. This theme of government and privacy also occurred as the most used

words by all the 26 participants (see figure 5 below).

Figure 5. Word cloud of the most used words in the open-ended survey questions

Twenty-three participants (88%) responded positively or negatively to survey questions which

were directly related to RQ1. Three participants (12%) said they had no opinion. Eight

participants (31%) expressed opinions against the government, exploring the idea of wanting to

read private messages. Participant 5 (P5) who was amongst the eight who expressed opinions

against government reading their private messages, stated, “No! The government should not have

such broad powers to surveil citizens without proper safeguards.” Four participants (15%) said

the government was infringing on their privacy by wanting backdoors. P17 stated, “Privacy is

tempered with. The government should look for other enforceable ways of trapping those

ENCRYPTION BACKDOORS AND PRIVACY 89

criminals.” Privacy was a major concern to these participants; participants used words associated

with privacy such as “violates,” “personal,” “rights,” and “breach” to describe their perceptions.

Some participants stated they do not trust the government, as it has abused such privileges

before. Eleven of the participants (42%) were either leaning towards or in full support of the

government obtaining exclusive access to their messages. P2 stated, “I trust the judicial system in

the US. So any government official who uses my communications for any purpose other than

security can be identified and punished.” Others within this 11 stated they believed in free speech

and freedom from prying eyes; they added that because they are free of criminal activities, they

have no problem with the government wanting to read their private messages. Figure 6 below is

an explore diagram that shows how codes merge to form a theme in NVivo software.

Figure 6. An explore diagram showing codes for the government theme

ENCRYPTION BACKDOORS AND PRIVACY 90

Research question 2. What are the perspectives of non-technology professional users of

IM applications regarding the argument security comes at a price, namely at the expense of

privacy? Three themes emerged from participant responses: 1) Information, 2) Activities, and 3)

Communication.

Theme 1. Information. The child themes that summed up to this main theme were

public information, private information, bank information, evil information, valuable

information, and specific information (see figure 7). The sentiments expressed by 18 participants

(69%) on this theme was neutral or mixed. Participants who gave a neutral or mixed sentiment

agreed private information should remain private; however, they also said they would not mind

the government stepping into their private information in order to keep the country safe.

Figure 7. An explore diagram showing the child themes that make up the information theme

ENCRYPTION BACKDOORS AND PRIVACY 91

Five of the participants (19%) expressed outright negative sentiments about giving up

their private information in exchange for more security. Three participants (12%) had a positive

sentiment about the government accessing private information in order to keep the country safe.

Some participants said they would rather all information be made public; others like P16 said,

“But if the bad actors access the same information, especially my bank information then I will be

screwed up.” P14 said, “This can be achieved through the government finding out through a

survey what kind of private information Americans are willing to let the government know about

for the sake of security.”

Theme 2. Activities. Participants who coded for this theme coded for three child themes:

unlawful activities, electronic activities, and hacker activities. Five participants (19%) coded for

the activities theme. These participants all expressed comfort in letting their security be of a

higher priority than privacy; for example, P16 said, “It would not affect my behavior in any way

since I do not engage in any unlawful activity.” P7 said, “I support the government to monitor all

electronic activities.”

Figure 8. An explore diagram showing the child themes that make up the activities theme

ENCRYPTION BACKDOORS AND PRIVACY 92

Theme 3. Communications. There were four participants (15%) who coded for this

theme. Unlike participants who coded for the activities theme by expressing their comfort with

government surveillance in exchange for security, participants who coded for communications

were decisively against giving up their private communications in exchange for more security.

P25 was very categorical with his/her position on this matter; “Government has no right to

monitor all messages/communications online because not all are sensitive.” Other participants

expressed similar strong sentiments against giving up privacy for more security, saying the

government needed special courts to allow them to have permissions to go into citizen’s private

communications. P24 added to the debate saying, “Privacy is privacy, and the government

should stay out of people's private communications.”

Research question 3. To what extent does the knowledge of encryption as a technology

in safeguarding consumer privacy affect the use of the internet by non-technology professionals

in the U.S.? Two themes emerged from the participant's responses: 1) Social media and 2)

Encryption.

Theme 1. Social Media. Four participants (15%) expressed their views and opinions on

how their knowledge of encryption will affect their use of social media applications such as

WhatsApp. P1 said, “Limit what I share on social media, which I already do.” P6 stated that “I

will have more confidence when chatting on social media.” P22 stated, “A lot of people do

business even on social media like WhatsApp. Families discuss family matters that the

government has no business listening to. Lobbyists may use their financial power to lobby

information from their rivals.”

Theme 2. Encryption. Five participants (19%) coded for encryption. Three of the five

participants were concerned that terrorists could master encryption technology and use it to cause

ENCRYPTION BACKDOORS AND PRIVACY 93

harm to society. P24, who was amongst the three, stated, “Mastery of encryption technology by

criminals is certainly dangerous since it could be used to target vulnerable populations.” Two of

the five participants who coded for the encryption theme said their knowledge of encryption in

apps makes them more comfortable using these apps. P5 said, “I will try to always use internet

sites that can give me end-to-end encryption.”

In addition to the two themes that emerged regarding RQ3, participants were given a

layman’s definition of encryption technology in the survey and asked in question 9 if they were

aware that popular websites such as Twitter, Facebook, or even their banking operations are all

protected from hackers by encryption. Twenty-one participants (81%) answered yes, while 5

participants (19%) answered no. See figure 5 below.

Figure 9. A distribution graph showing participants knowledge on whether or not they knew

encryption was used in protecting their data on popular websites such as Facebook and Twitter.

At the end of the survey, participants were asked if the information provided in the

survey regarding encryption and the U.S. government's demand for a backdoor had increased

ENCRYPTION BACKDOORS AND PRIVACY 94

their knowledge or awareness of the benefits of E2EE to their privacy. Table 3 below tabulates

their responses.

Table 3

How much the survey information had increased participant’s knowledge of the benefits E2EE to

privacy

Answer Choices Responses

A great deal 46.15% 12 A lot 23.08% 6 A moderate amount 19.23% 5 A little 11.54% 3 None at all 0.00% 0

Total 26

Significance of results

The objective of chapter four was to present the findings of 26 qualitative descriptive

research survey participants on their views and opinions of end-to-end encryption, backdoors,

and privacy. Thematic examination and data analysis of the 26 surveys revealed six themes:

1. Government and Privacy

2. Information

3. Encryption

4. Activities

5. Social Media

6. Communications

The themes above revealed the views and perspectives of the survey participants. The six

themes showed that non-technology professionals who contributed to this study were concerned

ENCRYPTION BACKDOORS AND PRIVACY 95

about their activities and communications on social media, and what the government is

proposing to do with their private information. The themes showed that participants knew about

the benefits of encryption technology and its presence on websites in which sensitive information

is given out by users.

Chapter Summary

Chapter four presented validity, reliability, results, and data analysis of 26 qualitative

descriptive design survey of non-technology professionals in the state of Minnesota, USA. Data

analysis provided results for the three research questions which guided the research study.

Each participant recounted their unique perspectives about E2EE and government

proposed encryption backdoors on privacy. Preliminary coding was done manually by writing-

down keywords for each transcript during the first few readings of the survey submissions as

recommended by Braun and Clarke (2006), to create familiarity with the data. Due to the ample

amount of qualitative data from open-ended questions, NVivo 12 Plus software for qualitative

analysis was used to assist in confirming the manual coding and the eventual identification of

themes.

Three research questions guided this study. The first question (RQ1) was, do non-

technology professionals in the U.S. understand the impact of creating backdoors into end-to-end

encrypted technologies? Analysis of the qualitative survey data revealed two themes for RQ1,

which were government and privacy. Further analysis of data led the researcher to merge both

themes under a single theme. The words government and privacy were also the most used words

by survey participants in the entire survey. Except for three participants who responded as

having no opinion to survey questions related to RQ1, 23 other participants respondent with

strong views on one side or the other of the encryption debate.

ENCRYPTION BACKDOORS AND PRIVACY 96

The second research question (RQ2) was, what are the perspectives of non-technology

professional users of IM applications regarding the argument security comes at a price, namely at

the expense of privacy? Three themes emerged from participant responses to RQ2: 1)

Information, 2) Activities, and 3) Communication. The first theme was information. Majority of

the participants expressed neutral or mixed sentiments on this theme; generally agreeing that

private information should remain private. The second theme for RQ2 was activities. Participants

expressed their sentiment for activities by associating it with words such as “unlawful,”

“electronic,” and “hacker.” Participants who coded for activities all expressed comfort in letting

their security be of a higher priority than privacy. The third theme that emerged from the analysis

of data for RQ2 was communications. Participants who coded for the communication were

against giving up their private communications in exchange for more security.

The third research question (RQ3) was, to what extent does the knowledge of encryption

as a technology in safeguarding consumer privacy affect the use of the internet by non-

technology professionals in the U.S.? Two themes emerged from the participants’ responses: 1)

Social media and 2) Encryption. On the theme on social media, four participants said they were

limiting what they share on social media today, but with the knowledge of the advantages of

strong encryption their confidence on the privacy of the information on social media has

increased. On the second theme related to RQ2, encryption, three of the five participants who

coded for this theme were concerned that terrorists could master encryption technology and use it

to cause harm to society.

Chapter 5 presents a detailed summary of this qualitative descriptive study. Also, chapter

5 recapitulates the research topic, the problem statement, the research questions, and salient

aspects of the conceptual framework and literature review. Additionally, Chapter 5 explains how

ENCRYPTION BACKDOORS AND PRIVACY 97

the data results augment existing knowledge on the topic and creates a compendium of

conclusions related to the conceptual framework for the study. Finally, Chapter 5 suggests

recommendations for future exploration and practice and discusses the implications that evolved

from the study.

ENCRYPTION BACKDOORS AND PRIVACY 98

CHAPTER 5: FINDINGS AND RECOMMENDATIONS

The purpose of this qualitative descriptive research study is to raise awareness for non-

technology professional users of mobile devices on the benefits of encryption for privacy. This

research study was relevant because it aimed at filling some of the gaps in the literature

regarding the opinions and views of non-technology professionals on the effects of end-to-end

encryption (E2EE) on society (Brantly, 2017). This research study examined the perspectives of

26 adult non-technology professionals in the state of Minnesota; this consisted of 12 females and

14 males.

This research study is based on the problem statement: law enforcement’s advocacy for a

backdoor into E2EE in instant messaging (IM) services was undermining privacy and security

(McCarthy, 2016). The specific problem was that non-technology professionals do not

understand the impact of creating backdoors into encryption technologies (Sagers, Hosack, &

Rowley, 2015; Wei et al., 2016). A qualitative descriptive study approach enabled the research

participants to present a picture of their perceptions and construct their own individual meanings

of the impact of a backdoor to their private chats. Additionally, a qualitative descriptive stance

permitted for objective research that was not constrained by the views of the researcher. Open-

ended questions provided participants a means to best voice their experiences unrestricted by the

influence of the researcher or past research findings (Creswell, 2015). The research questions

facilitated an examination of the phenomenon from individual portrayals of the research

participants. The following research questions guided this study:

RQ1: Do non-technology professionals in the U.S. understand the impact of creating

backdoors into end-to-end encrypted technologies?

ENCRYPTION BACKDOORS AND PRIVACY 99

RQ2: What are the perspectives of non-technology professional users of IM applications

regarding the argument security comes at a price, namely at the expense of

privacy?

RQ3: To what extent does the knowledge of encryption as a technology in safeguarding

consumer privacy affect the use of the internet by non-technology professionals?

In this research study, the research problem was addressed in various stages throughout

each chapter. An explanation for the choice of qualitative methodology as well as the

background of the research problem, assumptions, limitations, and delimitations were presented

in chapter one. Chapter one also discussed the conceptual framework for this research study. In

chapter two, a review of literature related to the research problem was conducted using the

thematic literature review approach. Chapter three outlined and detailed the research

methodology and design, population, and sampling technique, and it also itemized the phases of

data analysis.

Additionally, chapter three discussed validity and reliability. Chapter four presented a

detailed discussion of the results of the data analysis, including the identification of six major

themes, and a complete discourse with descriptive statistics for each theme. Chapter 5 presents

an interpretation of the study’s findings and conclusions. This chapter also discusses additional

findings and implications of the research, and recommendations for future research.

Limitations

There were two limitations related to the data analysis of this study.

1. The sample population of this study was limited to a single state, Minnesota. The state of

Minnesota is located in the middle of the sample frame distribution of states or

jurisdictions with the highest and lowest location quotient for information technology

ENCRYPTION BACKDOORS AND PRIVACY 100

experts (“U.S. Department of Labor,” 2017). The interpretation of results is affected by

this limitation because it is not known if location quotient alone or the large population of

healthcare workers in Minnesota introduced biases in the results.

2. Snowball sampling is a useful sampling methodology when it is not possible to use more

traditional survey techniques, and it has been employed successfully in previous work

that has yielded relevant results which have contributed to the body of literature on how

users manage privacy settings on IM applications. (Rashidi, Vaniea, & Camp, 2016).

Snowball sampling technique, however, has its limitations. According to Sharma (2017),

since snowball sampling does not select units for inclusion in the sample based on

random selection, unlike the probability sampling technique, it is impossible to determine

the possible sampling error and make generalizations from the sample to the population.

As such, snowball samples should not be considered to be representative of the

population being studied.

Findings and Interpretations

The application of Braun and Clarke’s (2006) inductive thematic analysis, a data-driven

process, resulted in six themes. The themes provided closure for the three research questions that

were the basis for this research study. Data analysis of survey answers to RQ1 produced a single

theme, government, and privacy.

Theme 1. Government and Privacy. Twenty-three participants (88%) who coded for

these themes showed a clear understanding of what an encryption backdoor meant and its impact

on their privacy. This was significant to this research because it answered RQ1. Eleven of the

participants (42%) were not opposed to the government adding a backdoor to read their private

messages in order to keep them safe, especially if there is a credible threat against public safety.

ENCRYPTION BACKDOORS AND PRIVACY 101

Government has maintained that they will only use this method of access if there is a credible

threat to public safety (Brantly, 2017).

Further, these findings are even more significant because they validate the purpose of the

research, which was to raise awareness for non-technology professional users of mobile devices

on the benefits of encryption to privacy. When participants were asked at the end of the survey if

this research study had increased their knowledge or awareness of the benefits of end-to-end

encryption to your privacy, 23 of the 26 of the participants (89%) responded that it had increased

by a moderate amount, a lot, or a great deal. Research question two, which sought to find out

what were the perspectives of non-technology professional users of IM applications regarding

the argument that security comes at a price, namely at the expense of privacy, generated three

themes, namely: information, activities, and communications.

Theme 2. Information. The sentiments expressed by 18 participants (69%) on this theme

was neutral or mixed. Participants said that while they would like their private messages to

remain private, they also do not mind the government stepping into their private information in

order to keep the country safe. This theme answered RQ2. Participants asserted through their

responses that they are willing to allow the government to infringe on their privacy if that will

guarantee them safety.

Theme 3. Activities. Participants all expressed comfort in letting their security be of a

higher priority than their privacy; thus, endorsing the government’s intent to monitor electronic

activities. This theme also answered RQ2.

Theme 4. Communications. There were four participants (15%) who coded for this

theme. Unlike participants who coded for the activities theme by expressing their comfort with

government surveillance in exchange for security, communications participants were decisively

ENCRYPTION BACKDOORS AND PRIVACY 102

against giving up their private communications in exchange for more security. This theme also

answered RQ2.

Theme 5. Social Media. Four participants (15%) expressed their views and opinions on

how their knowledge of encryption will affect their use of social media applications such as

WhatsApp. This theme on social media was in response to RQ3, which asked participants to

what extent the knowledge of encryption as a technology in safeguarding consumer privacy

affect their use of the internet. Participants expressed more confidence in the use of the internet,

knowing that encryption helps protect their communications.

Theme 6. Encryption. Five participants (19%) coded for encryption. This theme was also

in response to RQ3. Sixty percent of the participants who coded for this theme were concerned

that terrorists could master encryption technology and use it to cause harm to society. In

addressing RQ3, participants all agreed their knowledge of encryption would affect their use of

the internet by increasing the confidence they have in the privacy of online communications.

Comparing Findings to Theoretical Framework and Literature

The conceptual or theoretical framework on which this study was built was the

securitization of technology, which provided a link between science and technology (Barnard-

Wills & Ashenden, 2012; Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009).

According to Schulze (2017), the securitization framework, which is understood as the social

construction of security/insecurity in the digital realm, has rarely been adopted in cryptography

discourses. Granting government and law enforcement agencies special access to otherwise

secure cryptography could, in the worst case, substantially weaken these systems, thus

threatening the safety of the billions of cell phones used by people today (Schulze, 2017). In the

recent years after the Edward Snowden leaks in 2013, there has been an evolving trend towards

ENCRYPTION BACKDOORS AND PRIVACY 103

the application, by default, of E2EE to a range of online communications IM applications, which

result in only the sender and the recipient being able to read the messages (McCarthy, 2016).

According to Rastogi and Hendler (2017), the prevalence of global surveillance as was revealed

by Edward Snowden in 2013 has caused much concern to many users. Some of the concerns

have been related to a third party listening to user conversations, without permission. E2EE in

WhatsApp was designed, keeping such privacy concerns in mind, amongst other security issues

(Rastogi & Hendler, 2017). WhatsApp ensures that the message sender or receiver cannot be

irrefutably tied to a particular message sent in the past by using the forward secrecy encryption

techniques (Rastogi & Hendler, 2017). The results of this research study have confirmed some of

the privacy concerns expressed by mobile device users, as mentioned by Rastogi and Handler

(2017) and Elmer-Dewitt (2016). According to Elmer-Dewitt, following the standoff between

Apple v. FBI over access to the iPhone of the San Bernardino shooter, Americans, by a small

margin (46% to 35%) support the government’s right to access data in smartphones in order to

protect the country against terror threats. This research study has also demonstrated that while

concerned with their privacy, non-technology professionals are willing to allow the government

to access their private messages if they have to do so in order to preserve national security.

Vaziripour et al. (2018) asserted the lack of understanding by non-technology

professionals of what an encrypted chat means, as the reason for the none adoption of E2EE; this

study proved the contrary. Eighty-one percent of participants who completed this research study

said they were aware of what encryption was, and that is was used on most popular websites

such as Twitter and Facebook to safeguard their private and sensitive information.

ENCRYPTION BACKDOORS AND PRIVACY 104

Implications of Findings

The findings of this research study give credibility to the framework of securitization of

technology, which provides a link to Science and Technology Studies (Barnard-Wills &

Ashenden, 2012; Deibert & Rohozinski, 2010; Hansen & Nissenbaum, 2009). Government

access to otherwise secure cryptography could, in the worst case, substantially weaken these

systems, thus threatening the safety of the billions of cell phones used by people today (Schulze,

2017). This research can be used to understand the perspectives of working non-technology

professionals in the U.S. regarding the government’s request for a cryptographic backdoor in

their smartphones in order to intercept their private communications.

The results of this research study may help create a greater consciousness of the benefits

of encryption to everyday users (non-technology professionals) of smartphones. It may also

amplify the voices of privacy advocates who may increase the pressure on Congress not to yield

to the demand from law enforcement on legislation mandating the creation of secret backdoors

into encryption services by technology companies.

The results of this study may also help educate the everyday user of the internet on the

benefits of E2EE in their daily communications on mobile devices. Participants of this research

study have said that it has significantly increased their knowledge of encryption. This creation of

awareness and expectation of privacy guaranteed by strong encryption for the everyday user of

the internet may also drive more technology companies to adopt E2EE, as was the case after the

Edward Snowden leaks in 2013 (McCarthy, 2016). Another benefit this study may bring is, non-

technology professionals may increase their adoption of using the internet for personal

transactions such as paying bills, online banking, and money transfers once they are aware and

understand the benefits of strong encryption on the internet. Participants of this study have

ENCRYPTION BACKDOORS AND PRIVACY 105

expressed an increase in confidence in their privacy on the internet, knowing that encryption

guarantees such privacy.

Strengths and Weaknesses

There were four strengths in this research study and one weakness. The first strength was

that the researcher achieved data saturation through the participation of 26 working non-

technology professionals who participated in the survey. The researcher’s employment of

structured and open-ended survey questions, a typical approach in qualitative inquiry, yielded

detailed and insightful portrayals of the participants lived experiences and generated substantial

data.

The second strength involved the use of a pilot study. According to Abdul, Othman,

Mohamad, Lim, and Yusof (2017), survey questions could be strengthened by piloting the

surveys. It can also help identify if there are flaws or limitations within the survey design that

allow necessary modifications to the major study. (Abdul et al., 2017). The pilot study for this

research established the comprehensibility, validity, and reliability of the survey questions. The

survey questions were revisited to allow quality data and more in-depth responses from the

participants.

The third strength of this research study was the utilization of manual coding and

subsequently, NVivo 12 Plus data analysis software. Prior to utilizing the NVivo 12 Plus

qualitative data analysis program, each survey submission was read several times, portions of the

text were highlighted in the Microsoft Word documents, and preliminary codes were identified in

the right margin of the transcripts. Qualitative analysis depends to a good extent on the

subjective interpretations of the researcher. Therefore, a combination of personal judgment and

ENCRYPTION BACKDOORS AND PRIVACY 106

software was used to bring objectivity to the coding process. The utilization of NVivo data

software increased the reliability and validity of the study.

The fourth strength was the large amount of qualitative data collected and the detailed

descriptions of the participants’ recounts and subsequent themes. The data allowed for thorough

mining of codes during data analysis and subsequent validation with NVivo data analysis

software. The research study was also able to capture participant’s knowledge and awareness of

E2EE at the beginning of the survey, and also evaluate if they have gained any additional

knowledge during the course of the survey at the end.

The weakness of this study was that it did not investigate if gender, age, ethnicity, and

level of education influenced participants’ views on the government’s demand for a backdoor

into encryption systems. The researcher collected demographic data to learn basic information

about the participants and to ensure that they met the age and geographic location criteria for

participation, but no attempt was made to draw conclusions related to demographic data and their

views and opinions of the government demand for a backdoor into encryption systems. This

could be an area for future qualitative research.

Recommendations

This research study intends to augment the limited number of qualitative descriptive

studies regarding the opinions and views of non-technology professionals on the benefits of

E2EE on society. The results from this study have revealed insightful accounts of 26 non-

technology professionals in the U.S. on E2EE, backdoors, and privacy. The weakness of this

study has created opportunities for a gender-based qualitative inquiry into the phenomenon of

E2EE, backdoors, and privacy. The next section highlights potential areas for researchers to

investigate.

ENCRYPTION BACKDOORS AND PRIVACY 107

Recommendations for Future Research

Based on the results of this research study the following are recommendations for future

research:

1) Extend the research sample area beyond the state of Minnesota to other states. The State

of Minnesota falls in the middle of the rankings for the location quotient for information

security experts (“U.S. Department of Labor,” 2017). Therefore, it is recommended that

states with the highest location quotient for information security experts such as Virginia

and Maryland, as well as states with the lowest location quotient for information security

experts such as New Mexico, Missouri, and Colorado, be sampled.

2) Perform a quantitative study of non-technology professionals with a random sample of

participants distributed across the US. This would eliminate some of the inherent

weaknesses expressed in the limitations of this research study on the snowball sampling

methodology.

3) Include the influence of gender, age, ethnicity, or level of education on participants’

views on the government’s demand for a backdoor into encryption systems could be an

interesting area of research. Similar studies carried out in Iran by Vaziripour et al. (2018)

on the Telegram IM application showed that skewed demographics might have

influenced the results of the research.

4) Expand this research study internationally, into other countries with less cellphone

penetration than the U.S. As mentioned by Schneier et al. (2016), encryption is now a

global phenomenon. Laws in the U.S. mandating backdoors into encryption systems will

primarily affect only U.S. users of encryption products made in the U.S. (Schneier et al.,

2016). Smartphone users in other countries rely on other products. The literature review

ENCRYPTION BACKDOORS AND PRIVACY 108

conducted for this research study found out countries such as Germany, United Kingdom,

Canada, France, and Sweden also produce a lot of encryption products (Schneier et al.,

2016). Researching the perspectives of people of other countries on this topic would

certainly add value to the body of literature in cybersecurity.

5) Limit the research to a specific demographic group within the millennials; young adults

between the ages of 18 – 24 years. Millennials or America’s youth are those born

between 1982 and 2000 (“U.S. Census Bureau,” 2015). They represent more than a

quarter of the nation’s population (“U.S. Census Bureau,” 2015). Although this research

study was for non-technology professionals who were 18 years and older in addition to

other criteria, none of the participants who responded to this study were between the ages

of 18 – 24 years. Respondents ranged in age from 25 – 70 years. Similar studies of this

sort, investigating the usage of WhatsApp mobile application among youth, aged between

18 and 23 years in Chennai, India have been carried out by Jisha and Jebakumar (2014).

6) Investigate the baby boomer generation. The baby boomer generation is defined as

people born between 1946 and 1964 (“U.S. Census Bureau,” 2015). In this research

study, only 2 participants (8%) were baby boomers. It would be relevant to the body of

literature in cybersecurity to get the views and opinions of baby boomers who are a pre-

internet generation, regarding the government’s request for a cryptographic backdoor in

their smartphones in order to intercept their private communications.

Chapter Summary

This research study was based on the problem statement: law enforcement’s advocacy for

a backdoor into E2EE in instant messaging (IM) services was undermining privacy and security

(McCarthy, 2016). The specific problem was that non-technology professionals do not

ENCRYPTION BACKDOORS AND PRIVACY 109

understand the impact of creating backdoors into encryption technologies (Sagers, Hosack, &

Rowley, 2015; Wei et al., 2016). In this chapter, the research study results revealed that 81% of

participants said they were aware of what encryption was and that is was used on most popular

websites such as Twitter and Facebook to safeguard their private and sensitive information. This

chapter also outlined the limitations as well as the strengths and weaknesses of the research

study. Limitations included the selection of a single state, Minnesota, for sampling as well as the

use of snowball sampling methodology. Some of the strengths of the research study included the

attainment of data saturation by sampling 26 participants, as well as the use of a pilot study to

strengthen the survey instrument.

The results of this research study were also placed in the context of the sparse amounts of

literature on the topic of the research. The results of this research study have confirmed some of

the privacy concerns expressed by mobile device users, as mentioned by Rastogi and Handler

(2017) and Elmer-Dewitt (2016). According to Elmer-Dewitt, following the standoff between

Apple v. FBI over access to the iPhone of the San Bernardino shooter, Americans, by a small

margin (46% to 35%) supported the government’s right to access data in smartphones in order to

protect the country against terror threats. This research study has also demonstrated that though

concerned with their privacy, non-technology professionals are willing to allow the government

to access their private messages if they have to do so in order to preserve national security.

Recommendations were made at the end of this chapter for future research such as the

application of a gender-based filter on the result set in order to see if it will skew the results in

any way. Also, to extend this research study to a quantitative study of non-technology

professionals with a random sample of participants distributed across the US. This would

ENCRYPTION BACKDOORS AND PRIVACY 110

eliminate some of the inherent weaknesses expressed in the limitations of this research study on

the snowball sampling methodology.

ENCRYPTION BACKDOORS AND PRIVACY 111

References

Abelson, H., Anderson, R., Bellovin, S. M., Benalo, J., Blaze, M., Diffie, W.,… Weitzner,

D. J. (2015). Keys under doormats: Mandating insecurity by requiring government access

to all data and communications. Computer Science and Artificial Intelligence Laboratory

Technical Report, MIT-CSAIL-TR-2015-026. doi: http://hdl.handle.net/1721.1/97690

Abdul, M. M, Othman, M., Mohamad, S. F., Lim, S. A., & Yusof, A. (2017). Piloting for

interviews in qualitative research: Operationalization and Lessons Learnt. International

Journal of Academic Research in Business and Social Sciences. 7(4).

doi:10.6007/IJARBSS/v7-i4/2916

Alhojailan, M. I. (2012). Thematic Analysis: A critical review of its process and

evaluation. West East Journal of Sciences, 1(1). Retrieved from

https://s3.amazonaws.com/academia.edu.documents/53978242/THEMATIC_ANALYSI

S.pdf?AWSAccessKeyId=AKIAIWOWYYGZ2Y53UL3A&Expires=1549320539&Sign

ature=yYq7gzJStQI5PjPV%2FTgqP0SwhxM%3D&response-content-

disposition=inline%3B%20filename%3DTHEMATIC_ANALYSIS_A_CRITICAL_RE

VIEW_OF_I.pdf

Ali, A. H., & Sagheer, A. M. (2017). Design of an android application for secure

chatting. International Journal of Computer Network and Information Security, 9(2), 29.

doi: 10.5815/ijcnis.2017.02.04

Barnard-Wills, D., & Ashenden, D. (2012). Securing virtual space: cyber war, cyber

terror, and risk. Space and Culture, 15(2), 110–123.

https://doi.org/10.1177/1206331211430016

Barr, A. C. (2016). Guardians of Your Galaxy S7: Encryption backdoors and the first

ENCRYPTION BACKDOORS AND PRIVACY 112

amendment. Minn. L. Rev., 101, 301-383. Retrieved from

http://www.minnesotalawreview.org/wp-content/uploads/2016/11/Barr.pdf

Beckmeyer, M. R. (2017). Identifying the tipping point between security and privacy:

a mixed methods study on balancing the u.s. government’s post-9/11 domestic electronic

surveillance program with u.s. citizens’ privacy rights & expectations (Unpublished

Doctoral Dissertation). Capitol Technology University, MD.

Bradshaw, C., Atkinson, S., & Doody, O. (2017). Employing a qualitative description

approach in health care research. Global Qualitative Nursing Research 4, 1-8.

https://doi.org/10.1177/2333393617742282

Brantly, A. F. (2017, August). Banning encryption to stop terrorists: A worse than

futile exercise. Combating Terrorism Center at West Point, CTCSENTINEL, 10(7), 29-

35. Retrieved from https://ctc.usma.edu/banning-encryption-to-stop-terrorists-a-worse-

than-futile-exercise/

Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative

Research in Psychology, 3(2), 77-101. http://dx.doi.org/10.1191/1478088706qp063oa

Casemajor, N., Couture, S., Delfin, M., Goerzen, M., & Delfanti, A. (2015). Non-

participation in digital media: toward a framework of mediated political action. Media,

Culture & Society, 1(1), 1-17. doi:10.1177/0163443715584098

Castro, D., & McQuinn, A. (2016, March). Unlocking encryption: Information security

and the rule of law. Information Technology & Innovation Foundation. Retrieved from

http://www2.itif.org/2016-unlocking-encryption.pdf

Cipriani, J. (2016, March 10). What you need to know about encryption on your phone.

Retrieved from https://www.cnet.com/news/iphone-android-encryption-fbi/

ENCRYPTION BACKDOORS AND PRIVACY 113

Constine, J. (2018, January 31). WhatsApp hits 1.5 billion monthly users. $19 billion? Not

so bad. Retrieved from https://techcrunch.com/2018/01/31/whatsapp-hits-1-5-billion-

monthly-users-19b-not-so-bad/

Creswell, J. W. (2015). Educational research: planning, conducting, and evaluating

quantitative and qualitative research. Upper Saddle River, NJ: Pearson Education, Inc.

Crocker, A., & Cardozo, N. (2018, May). Bring in the nerds: EFF introduces actual

encryption experts to U.S. Senate staff. Retrieved from

https://www.eff.org/deeplinks/2018/05/bring-nerds-eff-introduces-actual-encryption-

experts-us-senate-staff

Deibert, R. J., & Rohozinski, R. (2010). Risking security: Policies and paradoxes of

cyberspace security. International Political Sociology, 4(1), 15–32.

doi/abs/10.1111/j.1749-5687.2009.00088.x

Dews-Farrar, V. (2018). Students' reflections and experiences in online learning: A

qualitative descriptive inquiry of persistence (Order No. 10809354). Available from

ProQuest Dissertations & Theses Global. (2036952458). Retrieved from

https://search.proquest.com/docview/2036952458

Dunn Cavelty, M. (2015). Die materiellen ursachen des cyberkriegs

cybersicherheitspolitik jenseits diskursiver erklärungen. Journal of Self-Regulation and

Regulation, 1, 167–184. doi:10.11588/josar.2015.0.23486

Elmer-Dewitt, P. (2016). Apple vs. FBI: What the polls are saying. Fortune. Retrieved

from http://fortune.com/2016/02/23/apple-fbi-poll-pew

Endeley, R. E. (2018). End-to-end encryption in messaging services and national

ENCRYPTION BACKDOORS AND PRIVACY 114

security - case of WhatsApp messenger. Journal of Information Security, 9(1), 95-99.

https://doi.org/10.4236/jis.2018.91008

Fink, A. (2018). How to conduct surveys. A step-by-step guide. Thousand Oaks, CA:

Sage Publications, Inc.

Gaynor, M., Omer, T., & Turner, J. (2017). Using simulation to teach security and

encryption to non-technical healthcare professionals. International Journal of Privacy

and Health Information Management (IJPHIM) 5(1). Retrieved from https://www.igi-

global.com/article/using-simulation-to-teach-security-and-encryption-to-non-technical-

healthcare-professionals/179269

Hawkins, D. (2018, June 11). The Key. The cybersecurity 202: We surveyed 100 experts. A

majority rejected the FBI's push for encryption backdoors. Retrieved from

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-

202/2018/06/11/the-cybersecurity-202-we-surveyed-100-experts-a-majority-rejected-the-

fbi-s-push-for-encryption-back-

doors/5b1d39eb1b326b6391af094a/?utm_term=.737d0dfd32f6

Hansen, L., & Nissenbaum, H. (2009). Digital disaster, cyber security, and the

Copenhagen School. International Studies Quarterly, 53(4), 1155–1175.

https://doi.org/10.1111/j.1468-2478.2009.00572.x

Hern, A. (2014, October 17). The Guardian: Apple defies FBI and offers encryption by

default on new operating system. Retrieved from

https://www.theguardian.com/technology/2014/oct/17/apple-defies-fbi-encryption-mac-

osx

Herzberg, A., & Leibowitz, H. (2016). Can Johnny finally encrypt? Evaluating E2E-

ENCRYPTION BACKDOORS AND PRIVACY 115

encryption in popular im applications. doi:10.1145/3046055.3046059.

Hilal, A. H., & Alabri, S. S. (2013). Using NVIVO for data analysis in qualitative research.

International Interdisciplinary Journal of Education, 2(2), 181–186.

Ho, k., Nistala, A., Tu, K. (2016). End-to-end message encryption for Tinder. Retrieved

from https://courses.csail.mit.edu/6.857/2016/files/19.pdf

Human Rights Watch (2015, March). UN: Major step on internet privacy. Retrieved

from https://www.hrw.org/news/2015/03/26/un-major-step-internet-privacy

Inserra, D., Rosenzweig, P., Stimson, C. D., Shedd, D., & Bucci, S. P. (2015).

Encryption and law enforcement special access: The U.S. should err on the side of

stronger encryption (Report No. 4459). Washington, DC: The Heritage Foundation.

Jisha, K., & Jebakumar. (2014). A trend setter in mobile communication among

Chennai youth. IOSR Journal of Humanities and Social Science (IOSR-JHSS), 19(9), 01-

06. doi: 10.9790/0837-19970106

Jones, J., Turunen, H., & Snelgrove, S. (2016). Theme development in

qualitative content analysis and thematic analysis. Journal of Nursing Education

and Practice, 6(5), 100.

Kehl, D., Wilson, A., & Bankston, K. S. (2015, June). Doomed to repeat history?

Lessons from the crypto wars of the 1990s. New America. Washington, DC: New

America. Retrieved from https://static.newamerica.org/attachments/3407-doomed-to-

repeat-history-lessons-from-the-crypto-wars-of-the-

1990s/Crypto%20Wars_ReDo.7cb491837ac541709797bdf868d37f52.pdf

Kern, D. (2012). Understanding and implementing encryption backdoors. Retrieved

from http://cse.ucdenver.edu/~dkern/CSC7002/paper.pdf

ENCRYPTION BACKDOORS AND PRIVACY 116

Klein, A. I. (2016). Decryption mandates and global internet freedom. Toward a

pragmatic approach. National Security, Technology, and Law, 1608. Retrieved from

https://lawfareblog.com/decryption-mandates-and-global-internet-freedom

Latham, J. (2014). Qualitative sample size – how many participants is enough? Retrieved

from https://www.drjohnlatham.com/many-participants-enough/

Levy, S. (2018, April). Cracking the crypto war. WIRED. Retrieved

from https://www.wired.com/story/crypto-war-clear-encryption/

Lewis, J., Zheng, D., & Carter, W. (2017, February). The effect of encryption on lawful

access to communications and data. A report of the CSIS Technology Policy Program.

Washington, DC: Center for strategic and international studies

Lichtblau, E., & Goldstein, J. (2016, March 8). Justice Dept. appeals ruling in Apple iPhone case

in Brooklyn. The New York Times. Retrieved from

https://www.nytimes.com/2016/03/08/technology/justice-dept-appeals-ruling-in-apple-

iphone-case-in-brooklyn.html

Locklear, M. (2017, October). FBI tried and failed to unlock 7,000 encrypted devices.

Retrieved from https://www.engadget.com/2017/10/23/fbi-failed-unlock-7-000-

encrypted-devices/

Mak, A. (2018). How did the fbi access paul manafort’s encrypted messages. Slate.

Retrieved from https://slate.com/technology/2018/06/paul-manafort-how-did-fbi-access-

whatsapp-messages.html

Marks, Joseph. (2018, Aug 31). Five eyes intel alliance urges big tech to help break encrypted

messages. Nextgov.Com (Online), Retrieved from

https://search.proquest.com/docview/2098188902?accountid=44888

ENCRYPTION BACKDOORS AND PRIVACY 117

Max, Steven Patterson. (2016, April). WhatsApp copies apple’s strong encryption defense.

Network World, Southborough. Retrieved from

https://search.proquest.com/docview/1779534877?accountid=44888

McCarthy, H. J. (2016). Decoding the encryption debate: Why legislating to restrict

strong encryption will not resolve the “going dark” problem. Journal of Internet Law.

20(3). Retrieved from https://www.slideshare.net/HughJMcCarthy/decoding-the-

encryption-debate-hugh-j-mccarthy-september-2016222905691pdf

McCarthy, K. (2018, April). ISO blocks NSA's latest IoT encryption systems amid murky

tales of backdoors and bullying. Retrieved from

https://www.theregister.co.uk/2018/04/25/nsa_iot_encryption/

Michalas, A. (2017). How WhatsApp encryption works - and why there shouldn’t be

a backdoor. The Conversation. Retrieved from

https://theconversation.com/how-whatsapp-encryption-works-and-why-there-shouldnt-

be-a-backdoor-75266

Novak, M. (2018). Paul Manafort learns that encrypting messages doesn't matter if the

feds have a warrant to search your iCloud account. Retrieved

from https://gizmodo.com/paul-manafort-learns-that-encrypting-messages-doesnt-ma-

1826561511

Open Whisper Systems. (2013, July) Simplifying OTR deniability. Retrieved

from https://whispersystems.org/blog/simplifying-otr-deniability

Patton, M. Q. (1990). Qualitative evaluation and research methods (2nd ed.). Newbury

Park, CA: Sage.

Pavone, V., & Esposti, S. D. (2010). Public assessment of new surveillance-oriented

ENCRYPTION BACKDOORS AND PRIVACY 118

Security technologies: Beyond the trade-off between privacy and security. Public

Understanding of Science, 21(5), 556-572. doi:10.1177/0963662510376886

Perry, S. (2016). Tim Cook, a case study on the effects of transformational leadership

on privacy and IT security. Retrieved from

https://www.sans.edu/media/Tim-Cook-Transformational-Leadership-Essay-Final.pdf

Rashidi, Y., Vaniea, K., & Camp, J. (2016). Understanding Saudis' privacy concerns when

using WhatsApp. doi:10.14722/usec.2016.23022.

Rastogi, N., & Hendler, J. (2017, June). WhatsApp security and role of metadata in

preserving privacy. Paper presented at the European Conference on Cyber Warfare and

Security 269-XVI. Dublin, Ireland.

Rid, T. (2016). Maschinendämmerung: Eine kurze Geschichte der Kybernetik. Berlin:

Propyläen Verlag.

Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital

signatures and public-key cryptosystems. Communications of the ACM,

21(2), 120-126. doi: 10.1145/359340.359342

Ruiz, D. (2018). The secure data act would stop backdoors. Electronic Frontier

Foundation. Retrieved from https://www.eff.org/deeplinks/2018/05/secure-data-act-

would-stop-backdoors

Sagers, G., Hosack, B., & Rowley, R. (2015). Where's the security in WiFi? An

argument for industry awareness. 48th Hawaii International Conference on System

Sciences. IEEE Computer Society. Washington, DC, USA

Salkind, N. J. (2012). Exploring research. Upper Saddle River, NJ: Pearson Education,

Inc.

ENCRYPTION BACKDOORS AND PRIVACY 119

Sarker, G.R. (2015). Impact of WhatsApp messenger on the university level students: A

sociological study. International Journal of Natural and Social Sciences, 2,118-125.

Retrieved from http://ijnss.org/wp-content/uploads/2015/05/IJNSS-V2I4-16-pp-118-

125.pdf

Sayler, A. J. (2016). securing secrets and managing trust in modern computing

applications (Doctoral dissertation). Retrieved from

https://scholar.colorado.edu/csci_gradetds/112

Schneier, B. (2018, April). Two NSA algorithms rejected by the ISO. Retrieved

from https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html

Schneier, B. (2018). Ray Ozzie's encryption backdoor. Retrieved from

https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html

Schneier, B., Seidel, K., & Vijayakumar, S. (2016). A worldwide survey of encryption

products. Berkman Center Research Publication 2016-2.

http://dx.doi.org/10.2139/ssrn.2731160

Schulze, M. (2017). Clipper meets apple vs. FBI-A comparison of the cryptography

discourses from 1993 and 2016. Media and Communication, 5(1).

http://dx.doi.org/10.17645/mac.v5i1.805

Shah, R. (2016). Law enforcement and data privacy: A forward-looking approach. The

Yale Law Journal, 125(2), 326-559. Retrieved from

http://digitalcommons.law.yale.edu/ylj/vol125/iss2/5

Sharma, Gaganpreet. (2017). Pros and cons of different sampling techniques. International

Journal of Applied Research 2017, 3(7), 749-752.

Shirvanian, M., Saxena, N., & George, J. (2017, December). On the pitfalls of

ENCRYPTION BACKDOORS AND PRIVACY 120

end-to-end encrypted communications: A study of remote key-fingerprint verification.

Proceedings of the 33rd Annual Computer Security Applications Conference. Orlando,

FL.

Simon, M. (2011). Dissertation and scholarly research: Recipes for success. New York,

NY: Createspace Independent Publishing Platforms.

Steven, L. (2018, April). WIRED: Cracking the crypto war. Retrieved

from https://www.wired.com/story/crypto-war-clear-encryption

SurveyMonkey Inc. (2019). Retrieved from www.surveymonkey.com. San

Mateo, California, USA

Sutikno, T., Handayani, L., Stiawan, D., Riyadi, M. A., & Subroto, I. M. I. (2016).

WhatsApp, Viber and Telegram which is best for instant messaging? International

Journal of Electrical and Computer Engineering, 6(3), 909-914. doi:

10.11591/ijece.v6i3.10271

Swire, P., & Ahmad, K. (2012). Encryption and globalization. The Columbia Science &

Technology Law Review, 13, 416-480. http://dx.doi.org/10.2139/ssrn.1960602

The Open University. (2017). Monitoring, Evaluation, Accountability and Learning

(MEAL): 6 Methods of data collection and analysis. Retrieved from

http://www.open.edu/openlearncreate/mod/resource/view.php?id=52658

Thomson, I. (2013). What have we learned about NSA? Privacy Journal, 39(9), 1-6. Retrieved

from https://franklin.captechu.edu:2074/docview/1418236576?accountid=44888

U.S. Census Bureau. (2015, June). Millennials Outnumber Baby Boomers and Are Far More

Diverse, Census Bureau Reports. Release number CB15-113. Retrieved from

https://www.census.gov/newsroom/press-releases/2015/cb15-113.html

ENCRYPTION BACKDOORS AND PRIVACY 121

U.S. Census Bureau. (2016, August). Number of IT workers has increased tenfold since

1970, census bureau reports. Retrieved from https://www.census.gov/newsroom/press-

releases/2016/cb16-139.html

U.S. Department of Homeland Security. (2015, July). Going Dark: Encryption,

Technology and the Balance between Public Safety and Privacy. Senate Committee on

the Judiciary. Homeland Security Digital Library

U.S. Department of Labor. (2017). Bureau of Labor Statistics. Occupational

employment statistics. Retrieved from

https://www.bls.gov/oes/current/occ_state_lq_chart/occ_state_lq_chart.htm#

U.S. Department of Labor. (2019). Bureau of Labor Statistics. Labor force statistics from the

current population survey. Retrieved from https://www.bls.gov/cps/cpsaat11b.htm

Vaismoradi, M., Jones, J., Turunen, H., & Snelgrove, S. (2016). Theme development in

qualitative content analysis and thematic analysis. Journal of Nursing Education

and Practice, 6(5), 100

Vaziripour, E., Wu, J., Farahbakhsh, R., Seamons, K., O’Neill, M., & Zappala, D. (2018). A

survey of the privacy preferences and practices of iranian users of telegram. Workshop

on Usable Security (USEC). San Diego, CA.

https://dx.doi.org/10.14722/usec.2018.23033

Wei, B., Doowon, K., Moses N., Yichen Q., Patrick G., & Michelle L. (2016). An

inconvenient trust: User attitudes toward security and usability tradeoffs for key-

directory encryption systems. Twelfth Symposium on Usable Privacy and Security.

Denver, CO

WhatsApp (2017, December). WhatsApp encryption overview. Technical white paper.

ENCRYPTION BACKDOORS AND PRIVACY 122

Retrieved from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

Yeboah, J., & Ewur, G. (2014). the impact of WhatsApp messenger usage on students

performance in tertiary institutions in Ghana. Journal of Education and Practice, 5(6),

157-164. Retrieved from

https://www.iiste.org/Journals/index.php/JEP/article/view/11241

Zapotosky, M. (2016, March 28). FBI has accessed San Bernardino shooter’s phone without

Apple’s help. National Security. The Washington Post. Retrieved from

https://www.washingtonpost.com/world/national-security/fbi-has-accessed-san-

bernardino-shooters-phone-without-apples-help/2016/03/28/e593a0e2-f52b-11e5-9804-

537defcc3cf6_story.html?utm_term=.5ec203ab2092

ENCRYPTION BACKDOORS AND PRIVACY 123

APPENDIX A

ENCRYPTION BACKDOORS AND PRIVACY 124

ENCRYPTION BACKDOORS AND PRIVACY 125

APPENDIX B

Human Subjects Participant Consent

Dear Participant,

My name is Robert E. Endeley, and I am a doctoral student in Cybersecurity at Capitol

Technology University. I am currently in the process of recruiting individuals for my doctoral

research study entitled “End-to-End Encryption, Backdoors, and Privacy”.

Almost everyone in the U.S.A. uses a smartphone these days either for regular telephone

calls or for texting, and chatting with friends and relatives through the use of favorite apps such

as Facebook Messenger, WhatsApp, or Viber. When we communicate with our friends and

relatives, we expect our conversations to remain private. However, in recent years, the U.S.

government has been exploring ways of forcing smartphone manufacturers such as Google,

Apple, and Microsoft to introduce a so-called “backdoor” into the phones so that, for national

security reasons, the government can eavesdrop or “snoop” into your private conversations and

intercept the messages of suspected criminals or people under investigation.

The purpose of this study is to raise awareness of non-technology professional users of

mobile devices on the benefits of encryption for privacy. To this end, I am inviting individuals

who identify themselves as non-technology professionals in the U.S. to participate in my study. I

hope you will voluntarily agree to participate.

The study is part of my dissertation, which is a requirement for the completion of a

Doctor of Science degree at Capitol Technology University. To collect data for this study, I, the

researcher, will conduct online or hand-out paper-based survey and will maintain sole ownership

of all research data. By participating in this study, you may learn information about what the

U.S. government has proposed to do to your private information that may make you feel

ENCRYPTION BACKDOORS AND PRIVACY 126

uncomfortable, uninformed, and not considered in the decision-making process. You may

withdraw your participation in the study at any point during the research. If you are taking the

online survey, you can stop participating at any time by clicking the “Exit” link at the top of the

page or by simply closing the web browser. For the paper-based survey participants, you can

stop participating at any point by declining to answer the questions. If you opt-out without

completing the online survey or paper-based questionnaire, your data will not be used as part of

this study. To protect the anonymity and confidentiality of participants, I will not include the

actual names or identifying information of participants in this research or its publication.

The results of this study will contribute significantly to the benefit of a society that is

mostly unaware of the fact that the right to privacy on the internet is a human right. The results

of this study will, therefore, help educate the non-technology professional user of the internet on

the benefits of encryption in their daily communications on mobile devices.

Capitol Technology University requires that research participants sign a consent form

(Human Subjects Participant Consent) to participate in this study, which informs you of the

nature of the study and your rights. Your participation is strictly voluntary, and you may

terminate your involvement at any time. Participants in this study will not receive any form of

compensation or reward, before, during, or after completion of the research. Thank you for your

willingness to participate in this research study. Please do not hesitate to contact me at

[email protected] or 763-300-1630, if you have questions, comments, or concerns about

the study.

Sincerely,

Robert E. Endeley

Doctor of Science Student

ENCRYPTION BACKDOORS AND PRIVACY 127

Capitol Technology University

Signature __________________________________________ Date _________

Please note that signing this consent form indicates your agreement to participate in this study.

ENCRYPTION BACKDOORS AND PRIVACY 128

APPENDIX C

Literature Review Map

ENCRYPTION BACKDOORS AND PRIVACY 129

APPENDIX D

Literature Search

Key Word Search Journals/ Dissertations Reviewed

Books Reviewed

Conference Reviewed

YouTube/ TED Videos

Reports/ Studies Reviewed

End-to-end encryption

157 13 10 10 3

Encryption 200 13 10 5 3

WhatsApp security 2 0 2 0 2

Risks of encryption backdoors

26 2 0 7 0

Law enforcement and privacy 10 0 5 4 3

Total Publications Reviewed (487) 395 28 27 26 11

ENCRYPTION BACKDOORS AND PRIVACY 130

APPENDIX E

Research Methodology Map

  • Abstract
  • Dedication
  • Acknowledgments
  • TABLE OF CONTENTS
    • List of Tables
    • Table 1 Demographic Summary of Research Study Participants..................................................81
    • Table 2 Research Questions, their Corresponding Themes, and Survey Questions......................87
    • Table 3 How much the survey information had increased participant’s knowledge
    • of the benefits E2EE to ……………………………………………………………………….....94
    • List of Figures
  • CHAPTER 1: INTRODUCTION
    • Background of Study
    • Problem Statement
    • Purpose of Dissertation Study
    • Significance of the Study
    • Nature of Study
    • Research Questions
    • Conceptual or Theoretical Framework
    • Definitions
    • Assumptions
    • Scope, Limitations, and Delimitations
    • Chapter Summary
  • CHAPTER 2: LITERATURE REVIEW
    • Overview
    • The Evolution of Encryption
      • Private and Public Key Encryption
    • Governments’ and Law Enforcement’s Encroachment on Encryption Technology
    • Encryption Backdoors
    • E2EE implementation in Mobile Applications Today
      • Security Fundamentals of WhatsApp
      • The Worldwide Impact of the Use of WhatsApp
      • WhatsApp Privacy Concerns on the Youth
    • Overview of Proposed Historical Solutions
    • Conclusion
    • Chapter Summary
  • CHAPTER 3: METHOD
    • Research Method and Design Appropriateness
      • Research Design
    • Population, Sampling, and Data Collection Procedures and Rationale
      • Sampling
      • Informed Consent
      • Confidentiality and Anonymity
      • Data Collection and Data Sources
      • Pilot Study
      • Reliability
    • Validity: Internal
      • Transferability
    • Data Analysis
      • Phase 1: Familiarization with Collected Data
      • Phase 2: Generating Initial Codes
      • Phase 3: Searching for Themes
      • Phase 4: Reviewing Themes
      • Phase 5: Defining and Naming Themes
      • Phase 6: Producing the Report
    • Chapter Summary
  • CHAPTER 4: RESULTS
    • Pilot Study
    • Threats to validity and reliability
    • Findings
      • Demographics
      • Data Analysis Procedures
      • Results
    • Significance of results
    • Chapter Summary
  • CHAPTER 5: Findings and recommendations
    • Limitations
    • Findings and Interpretations
    • Comparing Findings to Theoretical Framework and Literature
    • Implications of Findings
    • Strengths and Weaknesses
    • Recommendations
    • Recommendations for Future Research
    • Chapter Summary
    • References
  • APPENDIX A
  • APPENDIX B
    • Human Subjects Participant Consent
  • APPENDIX C
    • Literature Review Map
  • APPENDIX D
    • Literature Search
  • APPENDIX E
    • Research Methodology Map