Encryption is Vital to Protecting Internet Security: New Report Opposes Government Mandated "Backdoors"
Governments Should All "Go Dark" When It Comes to Spying on Their Citizens
Tomorrow the Senate Judiciary Committee will hold a hearing, "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy," in which government snoops, ah, intelligence and law enforcement officials, will try to beg, cajole and frighten lawmakers into forcing telecommunications companies to eschew strong encryption that would protect the privacy of their customers. In addition, the would-be spies will demand "exceptional access" to data and communications by mandating the installation of "backdoors" in the products and services of telecommunications and data companies.
Fortunately, a group of prominent technologists have just released their counter-report, "Keys Under the Doormat: Mandating Insecurity by Requiring Government Access to All Data and Communications," that explains why this is a stupidly terrible idea. As the New York Times reports, federal government fears of "going dark" do …
…not justify putting the world's digital communications at risk. Given the inherent vulnerabilities of the Internet, they argued, reducing encryption is not an option. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities cannot be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, it would spur China and other governments in foreign markets to do the same.
The code specialists in their report note:
There are three general problems. First, providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure. These practices include forward secrecy — where decryption keys are deleted immediately after use, so that stealing the encryption key used by a communications server would not compromise earlier or later communications. A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the message has not been forged or tampered with.
Second, building in exceptional access would substantially increase system complexity. Security researchers inside and outside government agree that complexity is the enemy of security — every new feature can interact with others to create vulnerabilities. …
Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement's keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. … Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities.
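To make the report's first point concrete, here is an added example (not from the report or this article) contrasting a session key agreed against a server's long-term key with one agreed using per-session keys that are discarded after use. It uses a pure-Python X25519 (RFC 7748) that is not constant-time; `handshake` and `recover_with_stolen_key` are hypothetical names, and the step where the long-term key authenticates the ephemeral key is omitted.

```python
import hashlib, os

P = 2**255 - 19                      # Curve25519 field prime
BASE = (9).to_bytes(32, "little")    # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (illustration only, not constant-time)."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def kdf(shared: bytes) -> bytes:
    return hashlib.sha256(b"session" + shared).digest()

def handshake(server_static_priv: bytes, forward_secret: bool):
    """Run one session; return (session_key, what a wiretap would record)."""
    c_priv, c_pub = keypair()                  # client key, fresh per session
    if forward_secret:
        s_priv, s_pub = keypair()              # server key, fresh per session
    else:
        s_priv, s_pub = server_static_priv, x25519(server_static_priv, BASE)
    key = kdf(x25519(s_priv, c_pub))
    assert key == kdf(x25519(c_priv, s_pub))   # both ends derive the same key
    # Per-session secrets go out of scope here and are never stored.
    return key, {"client_pub": c_pub, "server_pub": s_pub}

def recover_with_stolen_key(static_priv: bytes, recording: dict) -> bytes:
    """Best a holder of the long-term (or escrowed) key can derive later."""
    return kdf(x25519(static_priv, recording["client_pub"]))
```

Without forward secrecy, the long-term key plus the recorded traffic reproduces the session key; with it, the same computation yields an unrelated value.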
They also observe that even if users could trust the U.S. government to protect and respect the privacy and free speech rights of citizens, the same cannot be said of other governments (China?, Russia?, Iran?) who would also demand access to communications of people they wish to watch, e.g., political dissidents and journalists.
"Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend," the report said. "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth hard to predict. The costs to the developed countries' soft power and to our moral authority would also be considerable."
As cryptologist and co-author of the new report Bruce Schneier said in 2013 at the Cato Institute's conference on NSA surveillance:
"A secure Internet is in everyone's interests. We are all better off if no one can do this kind of bulk surveillance. Fundamentally, security is more important than surveillance."
Correct then and correct now.
STEVE SMITH NOT NEED GOVERNMENT MANDATE TO EXPLOIT BACKDOOR.
Acorns are for cunts.
STEVE SMITH NOT NEED GOVERNMENT MANDATE TO EXPLOIT BACKDOOR.
Acorns are for cunts.
shit fucking sonofabitch! Battle against the squirrels!
Acorns are for cunts.
What the actual fuck, Reason’s webmaster?
If Americans let this happen, we will truly have earned the government we deserve.
Well, I, for one, do not grant the government permission to do this.
It’s clearly written in your social contract.
I don’t remember signing that. Perhaps they should bring me a copy to review.
That’s the spirit!
You know what we need? Cones of silence.
What we NEED is to move all of these squirrels over to the fedral gubmint’s servers.
Are you kidding? They invented the server squirrel. I mean really, not like they invented the Internet.
One of the scoops from the Hacking Team hack was their claim that their RCS malware could defeat or circumvent encryption. HT’s spiel to DEA/NSA/FBI was that you no longer have to rely on Congress mandating backdoors into commercially available encryption.
Another scoop was that the FBI uses a different platform for breaching TOR anonymity and only uses HT’s RCS for low level investigations (read: drugs r bad mkay). I’d like to know the name of that other vendor.
New Report Opposes Government Mandated “Backdoors”
Do you know who else came through the backdoor?
STEVE SMITH
Robert Plant?
The nigger that was hiding in the woodpile?
Snoop Dog’s ho?
Mattress girl’s backdoor?
Gerald Broflovski: [Talking about the porno] Okay, okay. How bad was it?
Randy Marsh: It was… Backdoor Sluts 9.
Men: BACKDOOR SLUTS 9?
Stephen Stotch: Backdoor Sluts 9 makes Crotch Capers 3 look like Naughty Nurses 2!
Gerald Broflovski: It is the single most vile, most twisted piece of porn ever made.
Sheila Broflovski: [furiously] HOW THE HELL DO YOU KNOW?
Gerald Broflovski: I, uh, I read about it in People.
Backdoor Sluts 9
I’m waiting for the tenth installment. Number 9 left a lot of loose ends…
Handing governments a key to encrypted communications would also require an extraordinary degree of trust.
No it wouldn’t. It would simply require compliance.
Wasn’t this all debated to death in the 90s, when Clinton tried to pull this shit? The security people went apeshit on how much of a stupid idea it all was.
You mean back before 9/11?
Yeah, but this is one thing they didn’t throw into the Patriot Act. They got the rest of the stuff they wanted and were denied back in the 90s.
I’ve been following IT Security in some of the larger internet companies for about 10 years now, and I have come to the conclusion that an expectation of privacy is just incompatible with the realities of today’s technology. Encryption is not going to solve the problem any more than locking your door will protect you from a high crime neighborhood. Whether it is an FBI snoop or some kid in the Ukraine, if they take a passing interest in you, your data will be theirs.
The Internet is no longer a playground, it is a dirty city with countless dark back alleys harboring all sorts of people who want to pry into your shit for reasons various and sundry. There are no police walking the streets unless they are among the meddlers. You must assume that anyone you piss off could have the ability to find out pretty much anything about you, and cause you physical or financial harm.
I will fight hard against the government creating back doors in security software, but only an optimistic fool can delude himself that new encryption will keep him safe. If it isn’t a security flaw in his increasingly complex tech stack, it will be his kid accidentally falling for a man in the middle attack.
The world has changed, and the sooner people realize how vulnerable they are and change their behavior, the better we will be.
Why should I have to take extra precautions? Isn’t that just victim-blaming? We should just teach people not to hack, instead.
Make the US a Hack-Free Zone.
Come on guys, considering the bang up job the government did protecting the NSA surveillance program and the personal information of government employees, only some nihilist government hating, race tea bagger could possibly think that the government would fail to prevent such a back door to encryption from being abused. Why do you people hate government so much? Are you just too racist to accept the fact that we have a black President?
Quit channeling my dad’s whole side of the family, you’re freaking me out.
In terms of framing this so as to get the support of the right, we should start referring to this as Cyber Gun Control.
I mean, the government is basically demanding that people give up the tools needed to protect themselves from criminals (which laws hackers will not follow anyway), because otherwise it would be unable to exert as much control as it would prefer. Hell, it even legally tried to equate encryption with arms in the past, attacking it using the same methods the gun grabbers are now using to go after Defense Distributed.
That is a good analogy but this is even worse than gun control. Gun control just disarms me if I am attacked. This creates the real possibility that I will be attacked.
Suppose they create this universal back door. How long do you think it will be before either through incompetence or outright malice by an insider, that backdoor is leaked to criminal organizations and or foreign nations? At that point every single bit of encrypted data in the entire world is subject to theft.
Even if you believe in the benefits of creating this, which I don’t, it is still an insane idea because of the enormous downside of it falling into the wrong hands.
“Gun control just disarms me if I am attacked. This creates the real possibility that I will be attacked.”
Gun control also creates the real possibility you will be attacked, since criminals will start operating under the expectation that their victims will be defenseless.
Gun control doesn’t give the criminals the key to my home. That is what this does. Come on, give the cops the key to your home, no corrupt cop will ever sell it or abuse having access to it or just fuck up and lose it. No. Trust them.
How long do you think it will be before either through incompetence or outright malice by an insider, that backdoor is leaked to criminal organizations and or foreign nations?
Let’s see… What’s a unit of time that’s shorter than a second?
This is basically giving the government a master key to every home in America and trusting them not to lose it or let anyone make a contraband copy of it. Yeah, that will work out well.
The government is already openly breaking the law in monitoring everything without a warrant. Why should we help them? Encrypt everything, I say. Yes, some lawbreakers may be harder to catch, but since the government can’t play by its own rules, I guess we’ll just have to refuse to play their game anymore.
Even if you trusted the government and didn’t care if they monitored everything you had, you still would be insane to support this because there is no way in hell the government will be able to keep the back door from falling into the wrong hands.
That was the principal argument in the 90s, after the civil liberties one, anyway. An intentional security breach can be exploited. It’s only a matter of how long it takes.
Unfortunately, only a handful of us are actually outraged by this shit. Would be easy enough to stop if the American public really wanted to. Stop using credit cards and eliminate all discretionary spending for three months. Shit, the loss of sales taxes alone would do it. The banks would fire congress. They would probably rather you stick a few judges through a woodchipper than that.