The news that disturbed my digital life came two years ago in a snail mail letter strewn with phrases like “malicious cyber intrusion” and “identity theft.” A relative’s company had been part of a massive hack, the note said, leaving my information exposed. Before the letter came, I was a cyber security neophyte: I didn’t use a VPN and encrypted websites were just for banking. I often shopped online, depositing my credit card number over coffee shop wifi.
Since then, I’ve gotten better. My Android is filled with WhatsApp and Signal—which use end-to-end encryption—and my finance apps encrypt my data with both hardware and software. With things outside of my control, like my now-compromised social security number, I reassure myself that big organizations use encryption to house sensitive data, so my social must be unreadable to hackers.
But it turns out that all this encryption might not matter. Internet users like me have long relied on encryption for security and peace of mind, but cryptography experts are becoming aware of its faults—namely, that encryption can only protect against the tools we have now, and better, smarter tools are on the horizon. Quantum computers, which are fundamentally different from traditional computers because they leverage quantum mechanics to do calculations, could easily decrypt the advanced encryption we use widely. So even if encrypted data is safe from today’s hackers, it’s potentially vulnerable to hackers of the future.
Experts are concerned that cybercriminals might exploit this vulnerability with a scheme called harvest and decrypt. It’s a long-game attack where hackers scrape encrypted data and hold it, sometimes for decades, while they wait for quantum computers to become widespread enough for them to buy one. As soon as they have access to the device, they’ll use it to decrypt the stored data, which could contain anything from social security numbers to health information to a slew of nuclear missile codes.
And sure, nuclear missile codes will likely have changed over time—but according to John Schanck, a Ph.D student at the University of Waterloo’s Institute for Quantum Computing, plenty of information still needs to be secure. He imagines a 20-year-old’s health data getting leaked — a childhood illness or a teenage abortion suddenly becomes a target for blackmail. Social security numbers are sensitive for a person’s entire lifetime. Names of CIA spies need to be kept secret, along with lots of classified military information.
Schanck even suspects that the NSA is using the technique. When Edward Snowden leaked secret information in 2013, it came to light that the NSA’s protocols allowed for storing encrypted communication because “they can’t judge at the time of interception if it’s going to be useful for law enforcement,” Schanck says.
Quantum computers have been on cryptographers’ radars as a security threat for years. In theory, they can already shred through public key cryptography, a system that exchanges passwords between a sender and receiver to decrypt. RSA and elliptic curve cryptography—algorithms that are widely used for all types of data encryption online, including making that “s” in “https” possible—have been broken in tests using Shor’s algorithm. That algorithm is run on a quantum computer, says Mike Brown, CTO of ISARA, a Canada-based post-quantum cryptography company.
Luckily, the quantum computers available today sell for millions of dollars, keeping them mostly in the hands of large companies, research labs, and government offices. You can’t exactly buy a quantum computer at Best Buy. The only way to even get access to one, outside of a major tech company or research lab, is to buy time on IBM’s quantum computing cloud-based services or buy a quantum annealer from D-Wave to the tune of about $15 million.
But that doesn’t mean quantum computers won’t ever be a household item. “It is possible it takes another 20 or 30 years from today for someone to have a quantum computer and be able to decrypt messages in real time,” Schanck says. And getting your hands on encrypted data isn’t nearly as hard. Anyone with a wifi connection and some technical knowledge about the process can do it, as long as they’re able to be proximate to their target. It’s not just nation states who could get their hands on encrypted data: Someone could copy your data over the Starbucks wifi network.
Quantum computers will open a whole new world of scientific advancement. But the “dark side” of that tool is quantum computers’ ability to take an impossible problem and make it “trivial,” Brown says. Defending against quantum computers will require techniques that don’t exist yet. Securing data will require protection against quantum algorithms, or a system of public and private keys that erase themselves over time. This means that hackers would scrape data that would become useless in the future—because the keys necessary to access that information would have already self-destructed.
Still, some experts believe that multi-decade encryption is overkill. While information is being stored, waiting to be decrypted, the information contained within it will become obsolete. “There are actually very few long-term secrets in our society,” says computer security expert and cryptographer Bruce Schneier. “We don’t have 30-year secrets. There are no military secrets from the 1970s that are secret today.” Others suggest that quantum computers are a far-off dream. No one is sure when they will become common fixtures in homes and businesses, let alone tools for blackhat hackers—so why panic? Especially considering the patience required for a perpetrator to pull off a decades-long con.
Maybe that’s comforting to some. While my social security number is probably being bought and sold somewhere on the dark web, I’m crossing my fingers that my encrypted hospital records and ID cards aren’t also being scraped.
I don’t know want to find out how my data could be leveraged against me in the age of the quantum internet—but something tells me that the culprits will have their eyes on a self-driving spacecraft, rather than a fancy car. For all I know, those hackers are probably infants right now, swiping mashed peas on their first iPhones.