Could strong encryption and backdoors coexist? Nope, experts say

Cybersecurity experts and privacy advocates have spent the summer under attack from a policy zombie that just won’t go away. Government officials from Australia, the United Kingdom, France, and Germany have called for technology vendors to build work-arounds into their end-to-end encryption services, despite strong opposition.

Requiring work-arounds, or so-called backdoors, in end-to-end encryption fundamentally breaks the technology, security and privacy experts argue.

“Efforts to create backdoors in encrypted systems are going to weaken security for everybody,” says Chris Calabrese, vice president for policy at the Center for Democracy and Technology. “We have yet to see any concrete proposal for how you could do this and still protect the security of systems.”

The fight against encryption first gained traction in late 2014, when former FBI Director James Comey first complained about law enforcement agencies “going dark” because of the growing use of encryption on smartphones.



READ MORE ON ENCRYPTION BACKDOORS

Why weakening encryption can hurt you
Debate over data security conflates tech and legal issues
Want end-to-end encryption? Use these apps
Forget encryption backdoors. The feds really need this (Q&A)
In encrypted-messaging market, open source not only key to success
Jennifer Granick on spying: ‘The more we collect, the less we know’ (Q&A)


Draft legislation, floated in 2016 by two U.S. senators following a confrontation between Apple and the FBI over unlocking an encrypted iPhone used by the shooter in the San Bernardino, Calif., terrorist attack, would require tech vendors to assist law enforcement agencies with breaking into encrypted devices. The proposal stalled under widespread criticism, and it seemed as if the issue might die after President Donald Trump fired Comey for other reasons in May.

Not so fast. For several months, France and Germany have pushed the European Union to pass legislation that would give police and intelligence agencies access to encrypted data.

Then, in mid-July, Australian Prime Minister Malcolm Turnbull and Attorney General George Brandis resurrected the debate.

Turnbull called on tech vendors to assist law enforcement and intelligence agencies. “We need to ensure that the Internet is not used as a dark place for bad people to hide their criminal activities from the law,” he said.

“Increasingly, communications across the Internet, whether it’s messaging applications or voice applications, are encrypted end to end,” he said, adding that tech companies must give law enforcement agencies access to those communications “not through backdoors or any sort of untoward means, but legitimately, appropriately, with the force of law, in the usual way that applies in the offline world.”

The Australian government plans to soon introduce legislation that would “impose an obligation upon device manufacturers and upon service providers to provide appropriate assistance,” Brandis said.

Two weeks later, U.K. Home Secretary Amber Rudd raised similar concerns. The U.K. passed the Investigatory Powers Act in late 2016, which allows the government to require communications providers to remove “electronic protection” on “any communications or data.” But officials there haven’t yet pushed tech companies to comply with requests.

That may be changing. Rudd, in a column published in The Telegraph, called on tech vendors to work with the government to find a compromise on end-to-end encryption.

Although Rudd says the U.K. supports strong security, she wrote that end-to-end encryption is “severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.”

Rudd rejected the argument that it’s technically impossible to give law enforcement agencies access to customer data protected with strong encryption. “That might be true in theory,” she wrote. “But the reality is different. Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.”

The U.K. is not asking companies to break encryption or create backdoors, she wrote, which leaves unclear what the U.K. and Australian governments want. Software using end-to-end encryption blocks vendor access to customer communications, meaning that enabling vendor and law enforcement access would require encryption to be less than end to end.

“What’s on the table is having backdoors in regular people’s encryption… It’s basically getting rid of a widespread deployment of end-to-end encryption.”—Matthew Green, cryptography professor, Johns Hopkins University Information Security Institute

The Australian proposal and the 2016 U.K. law are “ambiguous,” says Nathan White, senior legislative manager at digital-rights group Access Now.

“If the law requires companies to provide assistance and nothing else, it could be meaningless,” White says. “The government asks for information, and the company replies they don’t have it.” However, if any new encryption laws add strict penalties for noncompliance, then they “would force companies to weaken their products and reduce security generally.”

Although government officials have resisted calling their proposed encryption work-arounds “backdoors,” backdoors are essentially what they’re asking for, says Bijan Madhani, senior policy counsel for the Computer and Communications Industry Association, a trade group representing Amazon.com, Facebook, Google, Microsoft, and other companies. Creating a backdoor while keeping end-to-end encryption is “technically infeasible,” he says.

Rudd’s op-ed seems to suggest that the U.K. supports less secure encryption schemes. “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly 
user-friendly and cheap way of staying in touch with friends and family?” she wrote. “Companies are constantly making trade-offs between security and ‘usability.’”

With several countries now exploring work-arounds, the danger is that the push to weaken encryption will gain a critical mass, CDT’s Calabrese says. “You start to see enough countries saying that they want encryption backdoors, and tech companies may have no choice but to comply.”

But even if several countries pass similar laws, they won’t be able to completely eliminate end-to-end encryption, says Matthew Green, cryptography professor at the Johns Hopkins University Information Security Institute. Encryption tools will still exist in some countries. And the result would be a weakening of encryption in mass-market products.

“What’s on the table is having backdoors in regular people’s encryption,” Green says. “It’s basically getting rid of a widespread deployment of end-to-end encryption.”

Meanwhile, determined tech users would still able to get their hands on encryption tools, Green says. “There’s no chance whatsoever you’re going to stop people who really want to use encryption, like terrorists and serious criminals,” he added. “That’s just impossible.”