The extent to which private communications, particularly encrypted personal devices and messages, should remain private under certain circumstances is an area of intense debate between government and industry.
Many on the government side believe that limiting privacy by creating an ‘encryption backdoor’ to access a device’s protected data will help them make citizens safer. It is believed that if law enforcement personnel can exclusively access private messages and devices during investigations, then they will be able to prosecute more effectively and better prevent further crimes or attacks.
German lawmakers have been pushing forward legislation, partly motivated by an increase in terrorism, demanding a form of backdoor in any smart, encrypted device, from mobile phones to driverless cars. Likewise, politicians in the US and Australia have argued for manufacturers to enable decryption processes that could be carried out by officials following the appropriate legal permissions being granted.
On the surface the arguments in favour of encryption backdoors often seem reasonable, but many manufacturers and cybersecurity experts make the case that their very existence would actually reduce the overall security of device owners. It is believed that some politicians and law enforcement actors don’t fully understand exactly how backdoors work, and the risks they bring, and simply see them as the most convenient solution to a challenging problem.
Many in the cybersecurity industry believe that it is very difficult, if not impossible, to create a backdoor that only governments can access. Instead, they argue that it is privacy itself that provides greater safety, and that backdoors would make tempting targets for hackers to try and exploit, either directly or via the government operatives or systems holding the keys.
Also, the ability of government agencies to keep these keys secure has been called into question. Both the CIA and NSA suffered breaches of their own hacking tools in 2017, and it’s been shown that government officials don’t personally always follow the best security practices. Stories about Hillary Clinton’s controversial email use and the multiple accusations of Russian-directed email hacking in the US hardly need re-stating, but MPs in the UK have also admitted to poor cybersecurity practices such as sharing computer logins with staff.
In addition, some fear that it isn’t just carelessness or attacks by hackers that could lead to encryption backdoors being compromised, but that intelligence agencies or government actors could intentionally abuse the capabilities.
Although backdoor proponents argue that they would never be used without a court order, many critics are sceptical whether this standard would realistically be maintained, particularly in politically-sensitive investigations or espionage. They also point out that investigators can already collect a lot of information by using warrants to access social media accounts or data held by ISPs.
And the support for backdoors by government actors is by no means universal; the European Commission (EC) for example is so far siding with industry in the debate, advocating that determining the meaning of privacy should be down to the individual. The EC has said that using backdoors weakens the general security of cyberspace, though they have proposed that member states share information on how to crack encrypted devices.
With all of these issues in play it seems that the debate over who defines privacy will run and run, with tragic events such as the Sutherland Springs and San Bernardino mass shootings occasionally thrusting it back into the public spotlight. Ultimately an increase in understanding and engagement on both sides is needed for effective cybersecurity solutions to be developed: solutions that value both safety and privacy, and that will work in the real world.
Hywel Curtis is an experienced communications consultant and content strategist based in the UK. He specialises in helping businesses in the science and technology sectors around the world to grow and develop through better communication. Hywel is on Twitter here https://twitter.com/hrcurtis