U.S. officials have been insisting to tech platforms that overly strong encryption is a threat to public safety and that "back doors" must be provided for law enforcement to bypass security, all in the name of fighting crime.
Meanwhile, U.S. officials have also been claiming that China-based tech company Huawei can use secret security bypasses that are intended for law enforcement use only in order to access data that could be used by the Chinese government for surveillance purposes.
In summation: The same U.S. government that wants tech companies and telecoms to create secret software doors that would allow it to snoop on our private communications and data is also worried that other governments will be able to use those same back doors to do the same thing. This is what tech privacy experts have been warning U.S. officials (and U.K. officials and Australian officials) all along: Any back door that allows law enforcement to circumvent user privacy protections will ultimately be used by people with bad intentions.
The context here is a Wall Street Journal report that reveals U.S. officials have been quietly telling allies that Huawei can secretly access data from its phone networks through taps that the company built into the hardware it sells to cellphone carriers. Laws mandate that Huawei (and other telecom companies) install these "interception interfaces" into their equipment, but only authorized law enforcement officials are supposed to have access. Even Huawei itself is not supposed to be able to gain access without the permission of the phone carriers. But U.S. officials are insistent that Huawei has maintained secret access to these taps since at least 2009.
Huawei says these claims are not true and that these hardware taps can only be accessed by "certified personnel of the network operators." The company also insists it is not surveilling data and passing it along to the Chinese government.
The story leans heavily on U.S. claims from secret intelligence that has recently been declassified, but it's not exactly proof of the claims.
On a surface level, this is about the global tech market and the competition between China and the United States. But dig deeper and you can see the relevance to our encryption fight.
The FBI and Department of Justice insist that tech companies need to be adding similar, virtual back doors in our communication tools, phones, and apps in the name of fighting crime and terrorism. People like FBI Director Christopher Wray and Attorney General William Barr are willing to discuss encryption back doors only in terms of how it helps the U.S. government. But this Wall Street Journal report makes it clear that the U.S. government is abundantly aware that any access point (real or virtual) to look at private data is a point of vulnerability.
If this intelligence is true, it means that any government-mandated encryption bypass is potentially abusable and the U.S. should not be demanding tech companies make them, lest the Chinese government (or Saudi government, or Russian government, or United Arab Emirates, or identity thieves with hacking skills) get their hands on whatever mechanism created for law enforcement use only.
If the intelligence is not true, it nevertheless makes it clear that the United States understands that back doors create huge vulnerabilities. Government officials know full well that the Justice Department's demands are unreasonable and should be shut down, and lawmakers like Sen. Lindsey Graham (R–S.C.) should not be proposing bills to force companies to implement encryption back doors.
But then, perhaps I should simply stop treating the Justice Department and Congress as though they're making these arguments in good faith. You see, yesterday, the Washington Post published a very different story about encryption and data privacy. It turns out that, for decades, the CIA and German intelligence owned and secretly operated an encryption company named Crypto AG. They sold compromised encryption technology to other countries, then secretly spied on them. The Washington Post reports that
they monitored Iran's mullahs during the 1979 hostage crisis, fed intelligence about Argentina's military to Britain during the Falklands War, tracked the assassination campaigns of South American dictators and caught Libyan officials congratulating themselves on the 1986 bombing of a Berlin disco.
Germany left the partnership in the 1990s, fearing exposure. So the CIA ran the company until 2018 when it liquidated Crypto AG and sold it off to two companies, one of whom apparently had no idea about its secret background.
We should be wary of the U.S. government doubling down on its efforts to compromise encryption, especially now that Crypto AG is not of use to the CIA. We know full well those back doors are going to be used for a lot more than trying to track down alleged pedophiles, and the federal government knows that, too.