If you haven’t been keeping up with the encryption backdoor debate, now’s a good time to tune in.
After Attorney General William Barr’s call to allow government-mandated encryption backdoors into consumer tech, opinions have made themselves known. Everyone from tech bloggers to the former director of the National Security Agency has weighed in, with the Five Eyes Alliance (Australia, Canada, New Zealand, the UK, the US) voting in favor of lowered encryption protections on August first.
However, some declare the stalemate isn’t a matter of opinion, but fact. All the national security interests in the world “won’t change the math,” some argue, despite Attorney General Barr’s positive belief in the “ingenuity” of problem-solvers to create selective backdoor access for law enforcement. And although “we are not talking about protecting the Nation's nuclear launch codes,” the way we’ve heard federal lawmakers, top security analysts, Big Tech and heads of state fight about it—you’d think we were.
The debate continues below as we run the latest blow-by-blow coverage of what we’ve Overheard in the Press.
National security
Pro-backdoor
"After all, we are not talking about protecting the nation's nuclear launch codes.
Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."
- Attorney General William Barr
Anti-backdoor
“The thing is, that distinction between military and consumer products largely doesn't exist. All of those ‘consumer products’ Barr wants access to are used by government officials—heads of state, legislators, judges, military commanders and everyone else—worldwide.”
- Bruce Schneier is a security technologist, lecturer at Harvard and board member of the Electronic Frontier Foundation (EFF)
Law enforcement only access
Pro-backdoor
We think our tech sector has the ingenuity to develop effective ways to provide secure encryption while also providing secure legal access. Some good minds have already started to focus on this, and some promising ideas are emerging.
- Attorney General William Barr
Anti-backdoor
Barr expressed confidence in the tech sector’s “ingenuity” … paying no mind to the broad technical and academic consensus in the field that this risk is unavoidable.
- Andrew Crocker, senior staff attorney on the Electronic Frontier Foundation’s civil liberties team
“[Encryption] is a complex mathematical problem that involves prime numbers. Mandating that programmers learn to solve that problem in a way that produces different correct answers... is like demanding that gravity be significantly lighter for police officers than criminals in a high-speed chase, or that radioactive fallout from a nuclear warhead only kills enemy soldiers.”
- Greg Fish is the Los Angeles-based editor of Politech and self-proclaimed ex-Soviet computer lobotomist
“[I]t can't change the maths (sic) behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic.”
- Javvad Malik, Security Awareness Advocate
Risk of vulnerability
Pro-backdoor
The Attorney General is clear that he believes that if we mandated government backdoors, encrypted assets would still be “99%” safe.
“If the choice is between a world where we can achieve a 99 percent assurance against cyber threats...while still providing law enforcement 80 percent of the access... [or one where] we have boosted our cybersecurity to 99.5 percent but …[reduced] law enforcement’s access to zero ... the choice for society is clear.”
- Attorney General William Barr
"The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated."
- Attorney General William Barr
Anti-backdoor
What might be difficult to confirm is that by giving law enforcement “80% access” through encryption backdoors, the percentage of “cyber assurance” could still be guaranteed at 99%.
"If the government deems that it should have access to private communication for the sake of national security, it is likely that the same line of thought will then be applied to all tech products. It can use this same rationale to justify legislation allowing for the audit of files on your home computer, tablet, and encrypted conversations at any moment, and for any reason.”
- Julio Rivera, writer at American Thinker
"For tech companies, offering customers the privacy of end-to-end encryption is now a competitive advantage.”
- Steve Ranger is the UK editor-in-chief of ZDNet and TechRepublic.
“If you deencrypt everything, maybe stuff goes back to our rivals in China,” Thiel said. “Maybe the FBI gets the information, maybe other people get it. I don’t trust the FBI to keep it protected inside the FBI.”
- Peter Thiel, Silicon Valley billionaire and board member of Facebook, Inc.
Barr’s demand could “[compromise] the security of potentially billions of people by creating a vulnerability that criminals and terrorists could easily exploit.”
- Andi Wilson Thompson, in a piece supported by the Electronic Frontier Foundation
“In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, [they] have failed to publicly acknowledge ... the range of serious harms that would follow...”
- Christopher Parsons, Citizen Lab
US attorney general #WilliamBarr says Americans should accept security risks of #encryption #backdoors https://tcrn.ch/2OoedsS . Not really.
- Tweet by General Michael Hayden, Former Director of the National Security Agency
International support
Pro-backdoor
“Five Eyes, the anglophone intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, has come out against the use of end-to-end encryption and asked technology firms to install backdoor access to encrypted communications.”
- informationsecuritybuzz.com
“Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.”
- The Five Eyes intelligence co-operative (Canada, Australia, New Zealand, the UK, the US)
Anti-backdoor
“We’re closer to the knife’s edge than we’ve been for some time”
- Christopher Parsons, a senior research associate at Citizen Lab, in the Munk School of Global Affairs at the University of Toronto, on Canada’s vacillation on encryption backdoors
“[Australia] has been seen as a dangerous place to develop security products” [As a result of their implementing encryption backdoors]
- Christopher Parsons, Munk School of Global Affairs, Toronto
Secrecy vs. privacy
Pro-backdoor
The current encryption is "warrant proof...extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes," and allows "criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy”
- Attorney General William Barr
"Where systems are deliberately designed using end-to-end encryption which prevents any form of access to content, no matter what crimes that may enable, we must act"
- Priti Patel, the UK's new home secretary
Anti-backdoor
"The new home secretary repeats the errors of some of her predecessors. She seems not to understand that a general access to encrypted communications by the police and security services would effectively end those communications, because no-one could trust them.”
- Steve Ranger, UK editor-in-chief, TechRepublic and ZDNet
“When we talk about human rights and privacy…and the countries that suppress [these rights] such as Saudi Arabia and China, we speak about people’s right in the physical world. When we view it in a digital scenario, that law is actually an oppression of human rights.”
- Joseph Carson, chief security scientist at Thycotic, in a statement to CIO.
It worked in telecoms
Pro-backdoor
“During my tenure, we dealt with these issues and lived through the passage and implementation of CALEA, the Communications Assistance for Law Enforcement Act. CALEA imposes a statutory duty on telecommunications carriers to maintain the capability to provide lawful access to communications over their facilities.
"It is absurd to think that we would preserve lawful access by mandating that physical telecommunications facilities be accessible to law enforcement for the purpose of obtaining content, while allowing tech providers to block law enforcement from obtaining that very content.”
- Attorney General William Barr
Bruce Schneier, in front of the House of Representatives’ Energy & Commerce Committee. Screengrab courtesy of Venafi/YouTube.
Anti-backdoor
"In 2012 every CALEA-enabled switch sold to the Defense Department had security vulnerabilities.”
- Bruce Schneier, Security Boulevard
The encryption backdoor debate may leave more questions than it does answers.
Is this a matter of limited security consequence, or could the implications be as large as the tech community is fearing? Does our search for a government-only backdoor leave us chasing windmills, or are we missing a solution somewhere in the data? And how will it all end? We’re not sure which side gets the rose on this one, but it will be crucial to see if North America follows Australia’s actions (and the Five Eyes’ consensus), or if the tech community clamors loud enough to be heard.
How to protect the IoT?
To date, there is no standard protocol for encrypted communication between our IoT devices - those cell phones, laptops and encrypted chats we are trying so hard to protect. Accessec (and Venafi) want to do something about that.