In July 2019, Attorney General William Barr and FBI Director Christopher Wray re-ignited a years-long debate on placing encryption backdoors in smartphones, computers and messaging apps. They both argue that the barriers preventing law enforcement agencies from accessing otherwise encrypted and, thus, private communications are putting American security at risk. To counter this threat, they urge technology companies to stop using strong encryption and other security measures that, in their view, effectively turn devices into “law-free zones.”
Instead, they would like to add eavesdropping mechanisms to consumer-level software and devices. This would allow investigators to forcibly decrypt and access end-to-end encrypted communications, such as chats, emails, files and calls. They have even gone one step further by pointing to three technical solutions that, as they argue, will solve the problem.
In their own words:
“The Fourth Amendment strikes a balance between the individual citizen’s interest in conducting certain affairs in private and the general public’s interest in subjecting possible criminal activity to investigation.” AG Barr in New York Times
“There have been enough dogmatic pronouncements that lawful access simply cannot be done…It can be, and it must be.” AG Barr in The Register
“I’m well aware that these are provocative subjects in some quarters. I get a little frustrated when people suggest that we're trying to weaken encryption — or weaken cybersecurity more broadly. We're doing no such thing.” FBI Director in The Register
“It cannot be a sustainable end state for us to be creating an unfettered space that’s beyond lawful access for terrorists, hackers, and child predators to hide. But that’s the path we’re on now, if we don’t come together to solve this problem.” FBI Director in FBI Press Release
There is strong opposition to encryption backdoors on both sides of the Atlantic. Professor Matthew Green of Johns Hopkins University fears that, beyond his technical and cryptographic objections, “Barr and the Trump administration have nothing new to offer here except for a creatively terrifying interpretation of the Fourth Amendment and a desire to minimize risks.”
German prosecutor Markus Hartmann disagreed with his US counterparts, saying that criminals and terrorists “will simply just turn to different services” if a country like the US passes a law to bypass encryption. “What can be done to prevent anybody to use some foreign service that is not following the law by US, Germany, France, Europe, whatever?” Hartmann said.
Installing encryption backdoors in every commercial communications application is like giving the police a master key to every house. It doesn’t matter if you have installed the latest, most secure lock to protect your property. There will always be a corrupt officer who will take advantage of the master key, and a master key that exists can also be stolen or copied. Would you allow this? Does it make you feel safer?
A further argument. GDPR treats the protection of personal data as a fundamental right and obliges every organization that processes, stores or transmits personal data to take appropriate technical and organizational measures to safeguard it. How is the backdoor narrative compatible with strict privacy legislation in Europe and elsewhere?
In fact, the question of how to deal with encryption is broader than lawful access. Counter-terrorism and criminal investigations, and thus public safety, can be strengthened by the analysis of communications metadata, which is not protected by end-to-end encryption and is easy to analyze because it is structured. There are legitimate concerns about the legal framework governing the retention and destruction of this data and its impact on privacy, but it is an area of growing interest in criminology.
What is more worrying is that high-level government officials do not seem to be paying attention to the news about how cyber criminals misuse encryption and the keys that underpin it. Even though technology companies are doing their best to safeguard communications privacy and the keys and certificates that serve as machine identities, the news is full of security incidents. This is exactly how the NotPetya malware that crippled businesses worldwide spread: through a hijacked software-update channel that victims trusted. Stuxnet, too, had its drivers signed with code-signing certificates stolen from legitimate hardware vendors so that it looked like legitimate software. And the list goes on. A backdoor key is just one more secret to be stolen, and a far more valuable one.
One last thought: how are government officials and agencies going to keep these backdoors from falling prey to hostile state actors if the same federal agencies cannot protect their own infrastructure? The recent (July 2019) Government Accountability Office (GAO) report finds that 23 federal agencies come up short in their cybersecurity efforts even as attacks on their IT infrastructures continue to grow and concerns about foreign interference in the upcoming 2020 elections persist.
The GAO found that most federal agencies had failed in key areas of risk management, such as developing a cybersecurity risk management plan, creating policies for assessing, monitoring and responding to risk, and establishing processes for coordinating their cybersecurity and enterprise risk management programs. The government watchdog identified 58 recommended steps the 23 agencies should take to shore up their cybersecurity defenses, saying that until they do, "agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy."
A lack of pragmatism, “creative interpretation” of the Constitution and legislation, and disregard for fundamental human rights cannot be the solution to a long-standing problem. Placing backdoors can and will act like a “Κερκόπορτα” (kerkoporta, the small gate through which the Ottomans were able to sneak into Constantinople and capture it), tearing down the walls that keep hackers out of citizens' private spaces.
Are you concerned about government mandated encryption backdoors?