A majority of consumers fear that governments abuse their powers to access citizens' data and feel that government-backed encryption backdoors would not make citizens appreciably safer from terrorists.
Many governments want to impose legislation or regulations requiring encryption backdoors so that they can more easily bring terrorists to justice. But these entities might not be capable of protecting those backdoors even if they got their way. After all, intelligence agencies have already failed to protect the software vulnerabilities they were secretly hoarding: in March 2017 WikiLeaks began publishing the "Vault 7" collection of CIA hacking tools, and in April 2017 a group calling itself the Shadow Brokers dumped a cache of NSA exploits. One of those NSA exploits, EternalBlue, which targets the Windows SMB service, was built into the WannaCry ransomware that spread to hundreds of thousands of machines in more than 150 countries in May 2017, barely a month after the leak.
So why should we assume governments could do a better job of keeping encryption backdoors out of the wrong hands? And how can we know that rogue government employees wouldn't use those backdoors for their own personal gain?
Security journalist Kim Crawley's answer is simple: we can't. This reality makes the notion of backdoors all the more concerning for her. She revealed as much in an email:
"If governments make it legally mandatory for all encryption systems to have backdoors, the results will be terrifying. What's to stop a government worker from getting all of the credit card data that runs through Amazon's implementations of HTTPS, for example?"
Crawley isn't alone in her worry over governments' management of encryption backdoors, either.
In July 2017, Venafi announced the results of a study on consumer attitudes regarding government backdoors into encrypted data. The firm surveyed three thousand consumers in total, with one thousand each based in the United States, the United Kingdom, and Germany. Of those who participated, nearly two thirds (65 percent) said they suspect their government abuses its power to access citizens' data. The same percentage of respondents also opined that their government shouldn't be able to force citizens to hand over their data without their consent.
If given the chance, governments would likely dispute these consumer viewpoints. Perhaps they feel they understand the challenges at hand and know how best to protect citizens' data. As a result, they might feel justified in accessing encrypted information whenever they want in the name of fighting terrorism.
Information security writer Bev Robb disagrees. She thinks governments don't have any idea what they're doing:
"Governments that are proposing these ridiculous encryption backdoors must be on some type of magical 'Clipper chip' carpet ride. I doubt that there are any 'unintended' consequences involved. This flawed backdoor (terrorist scare-mongering) concept is more in tune with a serious lack of critical thinking skills, blanket data greed, technical ignorance, or a combination thereof. Governments that implement backdoors will soon realize they can’t change the laws of mathematics. If they can get in, the bad guys can get in, too."
Some of those who participated in Venafi's study echoed Robb's sentiments. More than half (59 percent) of respondents said they don't feel granting government access to encrypted personal data would make them safer from terrorists. In fact, 38 percent of consumers think encryption backdoors could potentially benefit criminals and terrorists, while only 37 percent of participants feel confident in their government's ability to combat cybercrime.
In this debate, some maintain that encryption backdoors could help stop cybercrime, while others hold that such measures would hand attackers yet another attack vector. While the two sides continue to weigh the impacts of encryption backdoors, one course of action stays relevant whatever the outcome: organizations need to do everything they can to prevent criminals from abusing their keys and certificates to prey on unsuspecting users. That process begins with discovering every key and certificate in the environment, since no one can protect, rotate or revoke what they don't know exists.
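The discovery step is the one concrete technical action the article recommends, so here is an added example of what it looks like in practice. This is not code from the article or from Venafi; it is a Go program written for this page. It walks a file tree, parses every PEM block it finds regardless of the file's extension, records whether each certificate has expired and whether each private key is stored without a passphrase, and fingerprints the public key of every object so that a certificate and its private key can be matched wherever the key turns up. The file paths, the host names (shop.example.test, legacy.example.test) and the in-memory fixture are all constructed for the example and stand in for a real host's filesystem.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"strings"
	"testing/fstest"
	"time"
)

// Finding is one PEM object found on disk. Fingerprint is SHA-256 over the SubjectPublicKeyInfo, so a certificate and its private key share it.
type Finding struct {
	Path, Kind, Fingerprint, Subject string // Kind is the PEM block type, e.g. "CERTIFICATE"
	Expired, Unencrypted             bool
}

func fingerprint(pub crypto.PublicKey) string {
	if der, err := x509.MarshalPKIXPublicKey(pub); err == nil {
		return fmt.Sprintf("%x", sha256.Sum256(der))
	}
	return "" // an algorithm Go cannot marshal: leave it unmatched rather than match it falsely
}

// Scan inventories every PEM block in every file under fsys, whatever the file is called: keys turn up in .txt, .bak and config files as often as in *.key.
func Scan(fsys fs.FS, now time.Time) ([]Finding, error) {
	var out []Finding
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
			if b.Type != "CERTIFICATE" && !strings.HasSuffix(b.Type, "PRIVATE KEY") {
				continue // CSRs, CRLs, DH parameters are not inventory items
			}
			f := Finding{Path: p, Kind: b.Type, Unencrypted: b.Type != "CERTIFICATE" && b.Type != "ENCRYPTED PRIVATE KEY"}
			switch b.Type {
			case "CERTIFICATE":
				cert, err := x509.ParseCertificate(b.Bytes)
				if err != nil {
					return fmt.Errorf("%s: %w", p, err)
				}
				f.Subject, f.Expired = cert.Subject.String(), now.After(cert.NotAfter)
				f.Fingerprint = fingerprint(cert.PublicKey)
			case "PRIVATE KEY": // unencrypted PKCS#8; "ENCRYPTED PRIVATE KEY" and legacy "RSA/EC PRIVATE KEY" blocks are inventoried but not fingerprinted
				key, err := x509.ParsePKCS8PrivateKey(b.Bytes)
				if err != nil {
					return fmt.Errorf("%s: %w", p, err)
				}
				if signer, ok := key.(crypto.Signer); ok { // RSA, ECDSA and Ed25519 keys all implement it
					f.Fingerprint = fingerprint(signer.Public())
				}
			}
			out = append(out, f)
		}
		return nil
	})
	return out, err
}

// SampleFS is a constructed in-memory fixture, not real data: a current certificate beside its unencrypted key, and an expired certificate whose key was also copied into a developer's backup directory.
func SampleFS(now time.Time) fstest.MapFS {
	selfSigned := func(cn string, notAfter time.Time) ([]byte, []byte) {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fixture only: errors are ignored, rand.Reader does not fail here
		t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
		cert, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
		key, _ := x509.MarshalPKCS8PrivateKey(priv)
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: key})
	}
	serverCert, serverKey := selfSigned("shop.example.test", now.AddDate(0, 6, 0))
	legacyCert, legacyKey := selfSigned("legacy.example.test", now.AddDate(-1, 0, 0))
	return fstest.MapFS{
		"etc/nginx/server.crt":      {Data: serverCert},
		"etc/nginx/server.key":      {Data: serverKey},
		"etc/nginx/archive/old.crt": {Data: legacyCert},
		"home/dev/backup/notes.txt": {Data: legacyKey}, // the same key as old.crt, outside any managed location
	}
}

func main() {
	findings, err := Scan(SampleFS(time.Now()), time.Now())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s expired=%-5v unencrypted=%-5v fp=%.12s %s\n", f.Kind, f.Expired, f.Unencrypted, f.Fingerprint, f.Path)
	}
}
```

Scan takes an fs.FS, so a real inventory is Scan(os.DirFS("/etc"), time.Now()) or whatever root you are prepared to read. The fingerprint column is what ties /etc/nginx/server.key to the certificate it serves and shows that the key behind the expired old.crt is also sitting in home/dev/backup/notes.txt, which is exactly the kind of sprawl an attacker who has already got in goes looking for. Two deliberate limits: a PKCS#8 block that fails to parse aborts the scan with the file name rather than being silently skipped, and passphrase-protected keys and legacy RSA/EC blocks are recorded but not fingerprinted, which is usually the next thing a real inventory adds.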