In late August, news outlets reported a group calling itself the “Shadow Brokers” had leaked a hacking tool belonging to the NSA's Tailored Access Operations (TAO) team, otherwise known as the Equation Group. According to the New York Times, the leaked code “was designed to break through network firewalls and get inside the computer systems of competitors like Russia, China and Iran. That, in turn, allows the N.S.A. to place ‘implants’ in the system, which can lurk unseen for years and be used to monitor network traffic or enable a debilitating computer attack.”
The hackers, whoever they were, managed to penetrate arguably the most secure U.S. government agency in existence. Essentially, they created their own encryption backdoor, let themselves in, and generated a firestorm. It’s an ironic, textbook case of why government-mandated, legally required backdoors are a fallacy. To start, the notion is technically infeasible – any backdoor reserved for just one group (let’s call it the “good guys”) will eventually be discovered and harnessed by the “other” side (the “bad guys”).
The State of the Backdoor Debate, U.S. / UK Version
Before I consider this further, let’s take pulse of recent U.S. and UK debates about encryption backdoors. Leading the U.S. pro-encryption backdoor charge is FBI Director James Comey, outspoken critic of Apple and end-to-end encryption and proponent of giving the government access to encrypted data. While his calls for backdoors were most heated following the San Bernardino attacks, it appears as though his summer silence is coming to an end. During August’s 2016 Symantec Government Symposium, Comey came out swinging, using his platform to criticize tech companies and assert that he is ready for the discussion to continue in 2017.
While U.S. government rhetoric has been tough, it’s nothing compared to the UK. Last November, Prime Minister David Cameron introduced legislation that would ban companies like Apple from offering end-to-end encryption. Previously, Cameron had gone on record stating he wanted to “ensure that terrorists do not have a safe space to communicate.”
As you know, Cameron stepped down following the Brexit vote – so it remains to be seen whether the UK government will continue propagating his stance. If they do, they’re bound to be met with skepticism: in an interview with Business Insider, renowned cryptography expert Bruce Schneir stated “When I first read about Cameron's remarks, I was convinced he had no idea what he was really proposing. The idea is so preposterous that it was hard to imagine it being seriously suggested.”
Europe beyond the UK
Historically, other European countries (particularly the Nordic countries and Germany) have taken a much stronger personal privacy stance than the UK. A prime example of this commitment is the creation of the Privacy Shield, the legal and regulatory framework resulting from the death of the US-EU Safe Harbor agreement. In the official words of the European Commission, “The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities.”
In the past year, though, there have been some vocal outliers chafing against the notion that privacy is a given. In January, a French lawmaker proposed a bill that would require technology companies incorporate encryption backdoors. While the bill was defeated, the anti-encryption push continued. In March, conservative lawmakers put forth legislation stipulating a “private company which refuses to hand over encrypted data to an investigating authority would face up to five years in jail and a 350,000 euro ($380,000) fine.”
Recently, the conversation has become even more heated. In late August, both the French interior minister and German interior minister “called on the European Commission to think about the possibility of a new directive that would force uncooperative communications providers to remove illegal content or decrypt messages for the benefit of investigators.” While this type of rhetoric is eye-catching, it may be just that: as reporter David Meyer wrote in his above linked article, “It’s unlikely that the Commission will try to ask for the impossible. Commission vice president Andrus Ansip has already come out as very pro-encryption and anti-backdoor. The European Parliament, which would its own say on any new directive, is of the same mind.”
The Case of China
If the cases of the U.S., UK and Europe give you pause, you’re in for another rude awakening. While there are no “formal” Chinese laws formalizing an encryption backdoor, China does require encryption products must obtain government approval before they can be sold in China. This includes products developed both outside of China and inside of China.
Simply put, very few companies are authorized to sell encryption solutions in China – and there is heavy suspicion those that do are compromised by a backdoor. There’s a chance though, however small, these regulations will loosen up. Chinese laws governing encryption date back to 1999 and needless to say, quite a bit of technological change and development has occurred since then.
Where Do We Go from Here?
By now, you’re probably feeling cynical. I don’t blame you. There are changes afoot that could have considerable impact on technological progress, business transactions and privacy rights. But, these changes won’t happen overnight – and some of them may not even happen at all. The more politicians and lawmakers understand technology, the more apt they are to keep an open mind. Let’s take Senator Lindsey Graham. In March, outlets reported Graham, who previously called on businesses to stop selling encrypted devices, had changed his tune. Said Graham, “I was all with you until I actually started getting briefed by the people in the intel [sic] community…I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security.”
You should take solace in knowing not all government officials and government agencies are in favor of encryption backdoors. Besides Graham, vocal and prolific supporters of encryption include representatives Adam Schiff, Zoe Lofgren and Ron Wyden. Let’s also not forget about the NIST standards – sponsored by the U.S. government – that are peer reviewed and open for the most part, with reasonable assurance that sponsored algorithms are free from interference.
Although the considerable disconnect over this issue makes for maddening uncertainty, it does help guard against overly rash legislation. Which is a good thing. Based on our survey issued this time last year, we think a sizable number of Americans would agree: According to survey, 69% of respondents believe data accessed through a “backdoor” could be abused by hackers; 62% believe data accessed through a “backdoor” could be abused by government entities; and 34% believe businesses could lose their competitive advantage.
At the start of this blog, I referred to encryption backdoors as a fallacy. This is our stance, and we’re sticking to it. Companies have very good reasons for both defying backdoors and pursuing an end-to-end plan for data protection. In this incredibly risky cybersecurity environment, it’s one of the smartest moves they can make. As we all know by now, breaches and theft of data can cause major legal, financial and reputational harm – or even ruin – for both human beings and businesses.
In the words of Tim Cook, “if you put a key under the mat for the cops, a burglar can find it too.”
We agree, Tim. Encryption backdoors are a bad idea. They don’t belong on these shores.