Encryption backdoors are in the news again, but this time it’s not a government official calling for their use. Last month, notable engineer Ray Ozzie announced a new method for unlocking encrypted devices. Dubbed CLEAR, Ozzie believes his proposal would assist law enforcement officials and without hindering privacy.
“Step 1 Obtain warrant for locked, encrypted phone that is evidence in a criminal investigation.
Step 2 Access special screen that generates a QR code containing an encrypted PIN.
Step 3 Send picture of QR code to the phone’s manufacturer, which confirms the warrant is legal.
Step 4 Manufacturer transmits decrypted PIN to investigators, who use it to unlock the phone.”
Despite Ozzie’s insistence that privacy would not be significantly impacted by CLEAR, security experts have expressed reservations over his proposal.
“Ray Ozzie is a distinguished software architect, helping build Lotus Notes decades ago and brought Microsoft to the cloud with Azure,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “However, security researchers and cryptographers are in near universal agreement that giving law enforcement a backdoor as suggested by Ozzie’s Clear proposal—even if it’s gated by a third party like Apple or Google—is not a reasonable option.”
Cyber security professionals are justifiably apprehensive about encryption backdoors. And historically, proposals like CLEAR only add fuel to this anxiety.
“A recent survey at RSA Conference 2018revealed that 84% of cybersecurity security professionals are more concerned about backdoors than last year,” continued Kevin. “Ozzie’s proposal provides attackers with the opportunity to gain full control over a device by targeting the entity that has the unlocking keys. This creates of a new point of attack that is of extremely high value to attackers. Nation states and well-funded cyber criminal syndicates will devote significant time and resources to get access to these unlocking keys, to say nothing of the extremely high likelihood of government abuse.”
In the meantime, the idea of a “secure” encryption backdoor will only continue to gain momentum because government officials don’t understand how cryptography works. However, on a positive note, the CLEAR proposal has encouraged security professionals to voice their uneasiness with this latest attempt to undermine encryption.
“While Ozzie’s proposal could create unintended consequences in a machine-controlled world, it does open dialogue on how to secure the future,” concludes Kevin. “Security that is based on openness has proven time and time again to be a superior option.”