Mr. President, Backdoors are Stupid

The leaders of some of the biggest technology companies in the world, including Google and Apple, have sent President Obama a letter asking him to defend encryption technologies from calls by law enforcement and legislators in the US to weaken them.  Over 140 of the largest tech companies have signed the letter, as have some of the cryptologists who created the very systems that the world relies on to secure the internet today.

If you’re in law enforcement, a ‘golden key’ or ‘backdoor’ into encryption technologies sounds like a wonderful idea; you need to see inside the communications of criminals and terrorists to discover what they’re doing and stop them.  But if you’re in security, if you understand even the basics of the encryption technologies that secure the communications of everyday citizens as well as criminals, you understand that purposefully building a backdoor into any of the technologies that secure the internet is a bad idea.  One that some might even call “technologically stupid”.

The first problem is that creating a backdoor that allows law enforcement agencies to access the communications of criminals without making the cryptography brittle and vulnerable is virtually impossible.  Once such an avenue of attack has been created for one organization, every other governmental and criminal organization in the world will spend immense amounts of money to compromise the technology.  They might attack the technology, or they might hack the organization that holds the keys to the digital kingdom.  Or they might find a way to apply pressure to someone with access to the keys and get them that way.  Whatever has to be done to get those keys, rest assured, it will be.  There’s too much at stake for it to be otherwise.

Another issue with backdoors into communications is the idea that compromising the privacy of the public will actually lead to an increase in safety for the same people.  Of all the arrests and investigations that have been made in regard to terrorist activities, there have been very few instances where encryption played a part or impeded an investigation.  While the same might not be said of criminal activities, even government officials have found it impossible to point out a single case where an encryption technology stopped an investigation and the same information couldn’t be obtained through another means.  If FBI Director James B. Comey can’t find a specific example to point to, then one probably doesn’t exist.

Luckily, there’s an increasing resistance to governmental backdoors in encryption technologies.  Representative Ted Lieu from California, who has a Bachelor of Science in computer science, sits on the House Government Oversight and Reform Committee’s Information Technology subcommittee. At the end of April he stated to representatives from the FBI that “creating a pathway for decryption only for the good guys is technologically stupid. You just can’t do that.”  While he may or may not have the background to understand the pure mathematics of cryptography, he understands the impact any backdoor would have and why it would be a huge step back in the security of the internet.

Even Richard A. Clarke, a former cybersecurity advisor to President George W. Bush, signed the letter. He understands the consequences of a backdoor and is urging that no legislation requiring the weakening of encryption technologies be passed.  While he respects Director Comey, Clarke says the FBI Director is wrong on this issue.

But the biggest problem to think about if the US requires technology companies to build backdoors into cryptographic components is the slippery slope it places us on.  China already has laws that require organizations to give up their keys if the government needs them.  Russia is in the process of implementing ‘data localization’ laws, requiring that Russian traffic and information about Russian citizens be retained in Russia.  Going into effect in September, these laws are still vague and undefined, leaving it up to the Russian Data Protection Authority to decide how to interpret and enforce them.  Even UK Prime Minister David Cameron has stirred the pot by calling for a ban on encryption technologies earlier this year.

Hopefully we’ll be able to keep the technologies that allow for privacy on the internet intact, and no legal requirements for backdoors will be successfully passed.  In the meantime, internet companies are doing their best to encrypt more and more of the internet through movements like Let’s Encrypt, a free way for organizations and individuals to use cryptography to protect their traffic.  It’s a safe bet that the more pressure the US government and law enforcement agencies apply to gain access to encrypted communications, the more tech companies like Google, Amazon and the 140 others who signed the letter to President Obama will push back and encrypt the internet.
