In July 2019, Attorney General William Barr and FBI Director Christopher Wray re-ignited the years-long debate over placing encryption backdoors in smartphones, computers and messaging apps. Both argue that the barriers law enforcement agencies face in accessing encrypted, and therefore private, communications put American security at risk. To counter this threat, they urge technology companies to stop using strong encryption and other security measures that, in their view, turn devices into “law-free zones.”
Instead, they would like eavesdropping mechanisms added to consumer software and devices, so that investigators can decrypt end-to-end encrypted communications such as chats, emails, files and calls. They have even gone a step further and proposed three technical approaches that, they argue, would solve the problem.
In their own words:
There is strong opposition to encryption backdoors on both sides of the Atlantic. Beyond his technical and cryptographic objections, Professor Matthew Green of Johns Hopkins University fears that “Barr and the Trump administration have nothing new to offer here except for a creatively terrifying interpretation of the Fourth Amendment and a desire to minimize risks.”
German prosecutor Markus Hartmann disagreed with his US counterparts, saying that criminals and terrorists “will simply just turn to different services” if a country like the US passes a law to bypass encryption. “What can be done to prevent anybody from using some foreign service that is not following the law of the US, Germany, France, Europe, whatever?” Hartmann said.
Installing encryption backdoors in every commercial communications application is like giving the police a master key to every house. It does not matter that you have installed the latest, most secure lock to protect your property: there will always be a corrupt officer who abuses the master key, and a single key that opens every door is worth far more to a thief than any one household's lock. Would you allow this? Does it make you feel safer?
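The "master key" in the analogy above is, in protocol terms, key escrow: every message's content key is wrapped not only for the intended recipient but also under an escrow key held by a third party. The following is an added example, not code from the original post or from any real messaging product, that models this structure so the blast radius of a stolen key can be measured. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 (standing in for a real AEAD), and the envelope layout, the slot names `for_recipient` / `for_escrow`, and the user and message counts are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher built from HMAC-SHA256 (standard library only).
# It stands in for the real AEAD a messaging app would use; the point of the
# example is the escrow structure around it, not the cipher itself.

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound key so encryption and MAC never share one key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: deterministic stream for a (key, nonce) pair."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key fails closed."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encrypt_message(recipient_key: bytes, plaintext: bytes, escrow_key: bytes = None) -> dict:
    """Envelope with a fresh per-message content key.

    The content key is wrapped for the recipient and, if an escrow key is
    supplied (the "master key" of the analogy), also for the escrow holder.
    Slot names are an assumption of this example."""
    content_key = os.urandom(32)
    envelope = {
        "body": _seal(content_key, plaintext),
        "for_recipient": _seal(recipient_key, content_key),
    }
    if escrow_key is not None:
        envelope["for_escrow"] = _seal(escrow_key, content_key)
    return envelope

def decrypt_message(key: bytes, envelope: dict, slot: str) -> bytes:
    """Unwrap the content key through `slot`, then open the body."""
    content_key = _open(key, envelope[slot])
    return _open(content_key, envelope["body"])

def readable_messages(stolen_key: bytes, envelopes: list, slot: str) -> int:
    """How many envelopes the holder of `stolen_key` can open through `slot`."""
    count = 0
    for env in envelopes:
        try:
            decrypt_message(stolen_key, env, slot)
            count += 1
        except (ValueError, KeyError):
            pass
    return count

def blast_radius_demo(n_users: int = 5, msgs_per_user: int = 4) -> tuple:
    """Constructed scenario: n_users each receive msgs_per_user messages, all
    escrowed. Returns (messages readable after stealing ONE user's key,
    messages readable after stealing the ESCROW key, total messages)."""
    escrow_key = os.urandom(32)
    user_keys = [os.urandom(32) for _ in range(n_users)]
    envelopes = []
    for i, key in enumerate(user_keys):
        for j in range(msgs_per_user):
            envelopes.append(encrypt_message(key, f"user{i} msg{j}".encode(), escrow_key))
    one_user = readable_messages(user_keys[0], envelopes, "for_recipient")
    whole_system = readable_messages(escrow_key, envelopes, "for_escrow")
    return one_user, whole_system, len(envelopes)

if __name__ == "__main__":
    one_user, whole_system, total = blast_radius_demo()
    print(f"stolen user key: {one_user}/{total} messages; "
          f"stolen escrow key: {whole_system}/{total} messages")
```

Compromising one recipient's key exposes only that recipient's traffic; compromising the escrow key exposes every message ever escrowed, including those already sent, which is why the analogy to a master key (and to Kerkoporta) holds: the escrow slot is a second door in every envelope, and its lock does not get stronger when the user upgrades theirs.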
One last argument. The GDPR treats the protection of personal data as a fundamental right and requires every organization that processes, stores or transmits personally identifiable information to take appropriate measures to safeguard it. How can the backdoor narrative be reconciled with strict privacy legislation in Europe and elsewhere?
In fact, the question of how to deal with encryption is broader than lawful access. Efforts to fight terrorism and crime, and thus strengthen public safety, can draw on communications metadata (who contacted whom, when, and from where), which is generally not end-to-end encrypted and is easy to analyze because it is structured. Although there are legitimate concerns about the legal framework for retaining and destroying this data in a way that preserves people’s privacy, it is an area of growing interest in criminology.
What is more worrying is that high-level government officials do not seem to be paying attention to how cyber criminals misuse encryption and the trust placed in cryptographic keys. Even though technology companies are doing their best to safeguard communications privacy and the keys and certificates that serve as machine identities, the news is full of security incidents. This is exactly how the NotPetya ransomware that crippled businesses worldwide spread: through a poisoned software update delivered over a trusted update channel. Stuxnet likewise used stolen code-signing certificates to sign its drivers so that they looked like legitimate software. And the list goes on.
One last thought: how are government officials and agencies going to protect these backdoors from falling into the hands of hostile state actors if the same federal agencies cannot protect their own infrastructure? A July 2019 Government Accountability Office (GAO) report finds that 23 federal agencies fall short in their cybersecurity efforts even as attacks on their IT infrastructure continue to grow and concerns about foreign interference in the 2020 elections persist.
The GAO found that most of these agencies had failed in key areas of risk management, such as developing a cybersecurity risk management plan, creating policies for assessing, monitoring and responding to risk, and establishing processes for coordinating their cybersecurity and enterprise risk management programs. The watchdog identified 58 recommended steps the 23 agencies should take to shore up their defenses, warning that until they do, "agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy."
A lack of pragmatism, a “creative interpretation” of the Constitution and the law, and disregard for fundamental human rights cannot be the solution to a long-standing problem. Backdoors can and will act like a “Κερκόπορτα” (Kerkoporta, the small gate through which the Ottomans slipped into Constantinople and captured the city) and tear down the walls that keep attackers out of citizens' private spaces.
Are you concerned about government-mandated encryption backdoors?