Reason.com

Free Minds & Free Markets

Giving Government 'Backdoor' Access to Encrypted Data Threatens Personal Privacy and National Security

The War on Terror is providing plenty of rhetorical ammunition to anti-encryption officials, but they are dangerously wrong.

The "Crypto Wars" are here again, which means federal officials are doing all they can to limit the technological tools that keep our personal data secure. President Obama and leaders from the National Security Agency (NSA), FBI, and Department of Homeland Security (DHS) have been pressuring the technology community to build "backdoors" that allow government access to encrypted data.

The War on Terror provides plenty of rhetorical ammunition to these anti-encryption officials, who seem to believe that purposefully sabotaging our strongest defenses against "cyberterrorists" is an effective way to promote national security. But they are dangerously wrong, as recent revelations of decades-old security vulnerabilities imposed by encryption restrictions make all too clear.

Encryption allows people to securely send data that can only be accessed by verified parties. Mathematical techniques convert the content of a message into a scrambled jumble, called a ciphertext, which looks like nonsense in electronic transit until it is decoded by the intended recipient. Simple ciphers have been used to secure communications since the days of the Egyptian Old Kingdom, when a particularly devoted scribe took to fancying up the tomb of Khnumhotep II with cryptic funeral prose. Our own Thomas Jefferson regularly used ciphers in communications with James Madison, John Adams, and James Monroe to "keep matters merely personal to ourselves."

State military and research offices were the main 20th century beneficiaries of advanced encryption techniques until the development of public-key cryptography in the 1970s, which afforded commercial and private users a means to protect their data against unwanted infiltration. Now, what was once a mere means to share secrets has become an indispensable component of personal and national data security.

An estimated 40 million cyberattacks occurred in 2014, imposing millions in costs and weeks of frustration for organizations and individual users alike. Many of these costly breaches could be prevented through encryption techniques that regulate data access, authenticate users, and secure sensitive information. A secret report from the U.S. National Intelligence Council—ironically, leaked by Edward Snowden thanks to the government’s own poor authentication practices—even made the case that encryption was the "best defense" to protect private data. Yet intelligence agencies and their allies have consistently set out to limit encryption technologies (many of which they developed or relied upon themselves previously).

The seeds of the first Crypto Wars were sown during the Cold War, when the U.S. imposed strong export controls on encryption techniques to keep them away from the Ruskies. Only a small set of relatively weak techniques approved by the Commerce and State Departments could be used in international business. But this practice was dangerously self-defeating. Compelling foreign users to settle for weakened encryption standards ultimately made U.S. users more vulnerable by introducing unnecessary fragility.

A timely case in point is the recent revelations of security vulnerabilities in thousands of Web browsers and mail servers—vulnerabilities that were directly introduced by the artificially weak encryption programs compelled by the earlier export ban. In March, a massive vulnerability affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols ubiquitous to most users’ Internet experiences, called "FREAK," was discovered. Later in May, researchers discovered a similar TLS vulnerability, LOGJAM, which attacked a different kind of key exchange technique. These dual security bugs exposed countless Internet users to potential "man-in-the-middle" attacks, allowing malicious hackers (or tight-lipped intelligence agents) access to supposedly secure data for decades.

Export controls on encryption were easier to enforce before the advent of personal computing, when only institutional (and usually government-connected) organizations operating huge supercomputers would be effected by such bans—although academics did not exactly hide their discontent at the inconvenience dealt to their research projects. The rise of the home computer dramatically changed the calculus. The export ban on encryption imposed arbitrary boundaries on a network that is borderless by definition.

Enter the cypherpunks: a ragtag, homebrew crew of anti-authoritarian hackers hell-bent on subverting spooks and protecting privacy on the ‘Net. These luminaries developed the tools and rhetoric to make bad laws irrelevant by making them unenforceable. One example is Phil Zimmermann’s Pretty Good Privacy (PGP) program, a mainstay of modern email delivery, which Zimmermann posted to Usenet in 1991. After a three-year criminal investigation, the U.S. Attorney's Office decided not to prosecute Zimmermann for sharing the encryption protocol. Throughout the '90s, federal officials continued to ease strict export restrictions, and the future of encryption seemed secure.

Edward Snowden's 2013 revelations, however, made it clear that the so-called "Crypto Wars" were actually far from settled. Snowden revealed that the NSA worked with foreign spooks to compromise encryption by controlling international standards for their own purposes and even out-and-out colluded with technology firms through the "BULLRUN" program. Only after these outrageous methods were exposed to the world did the forces of surveillance bother attempting to legitimize these practices through less illegal public means—albeit with the rhetorical gall of concealing obvious spying ambitions in the more reasonable garb of genuine law enforcement concerns.

Proposed new encryption-weakening schemes tend to take one of two major forms. First, messaging service providers such as WhatsApp that allow users to communicate through end-to-end encryption, which conceals data content even from the service provider itself, could be compelled to issue a dummy key to users while sneaking a real key to the NSA for intercepting or changing the content. Alternatively, the government could mandate a "key escrow" arrangement, creating a master key for officials capable of unlocking any of the encrypted data. Functionally, compelling backdoors to be baked into encryption standards that governments can use to access private data at any time is no different than surreptitiously breaking encryption behind the scenes. If mandated through law, such schemes would present blatant constitutional threats. For now, agency heads opt for a softer touch, ham-handedly sweet-talking Silicon Valley into doing their dark bidding "voluntarily."

We may be superficially saved from the more dramatic end of this spectrum of measures by officials’ own technical illiteracy: computer science experts doubt that such hijinx are even technically feasible to the seamless degree that officials imagine. And even if these proposals do "work," they would be likely to introduce more unforeseen vulnerabilities into the fabric of the Internet. Besides, foreign countries such as China and Russia are unlikely to simply comply with America's dramatic decryption measures without pursuing these very same policies themselves (something Obama, of course, opposes).

As more of our lives come to rely on digitized data maintenance, encryption becomes all the more critical to protect our livelihoods and security. The prospect of intentionally weakening these techniques in an effort to crack down on shadowy cybercriminals should be as unthinkable today as a proposal to cripple real-world keys, locks, and walls to root out property thieves.

Photo Credit: Hugh D'Andrade/Electronic Frontier Foundation

  • some guy||

    They're just doing this to spur growth in the home circuit-board printing industry. They're doing it to create jobs. Honest.

    When encryption is illegal, only criminals will encrypt.

  • jeffhamilton||

    "When encryption is illegal, only criminals will encrypt."

    Taken literally, that's a tautology, but, of course, I know what you mean, and it's a valid point -- criminals don't play by the rules (by definition).

    BTW, I don't think all messenger services "could be compelled to issue a dummy key to users while sneaking a real key to the NSA for intercepting or changing the content." Threema, the IM I use, is located in Switzerland (where privacy laws are exceptionally strict), and there's no reason for them to hand out user data whatsoever.

  • Rich||

    "the teenager at Starbucks is not going to use this to attack you; the only threat would be the NSA."

    Thank Grid!

  • Fist of Etiquette||

    And the Chinese who steal it from them.

  • Al-WoodChippin-manian||

    You thank rucky stars we here to roan money, lound eyes, or you not have anyting. Any. TING.

    Arso - LACIST!

  • Fist of Etiquette||

    President Hillary can resurrect the Clipper chip.

  • Al-WoodChippin-manian||

    Clipper Chip - is that a brand of wood chipper, by chance?

  • Pathogen||

    It was a chip developed at Clipper Gore institute for a better tomorrow. It bleeps out offensive lyrics in popular music, and sterilizes interactions between video game enemies by imposing binding arbitration through lawyer cut scenes, rather than hostile confrontation through mayhem and bloodshed.

  • Rich||

    purposefully sabotaging our strongest defenses against "cyberterrorists" is an effective way to promote national security.

    War is Peace.

  • John||

    No digital information is ever going to be as secure as paper. We make fun of OPM for getting hacked, but the private sector isn't much better. Banks are routinely hacked exposing the private information of their customers. The reality is you can't make a digital system completely secure and really can't make it secure at all and still have it be usable and serve its purpose.

    Encryption is really the only way around this. The OPM hack wouldn't have been a big deal if the retards had encrypted their data. And encryption won't work if every encryption program has a government back door. Since no data is totally secure, someone will inevitably get ahold of that back door and render the encryption worthless.

    The bottom line is that if we want a digital economy, we are going to have to learn to live with unbreakable or as unbreakable as it can get, encryption. If the government doesn't like that, tough shit. God forbid they get a subpoena and force the person with the information to give them the key. We couldn't do that. All good encryption really does is prevent the government from reading people's digital information without a warrant, which, silly me, I thought they were not supposed to do anyway.

  • Ivan Pike||

    Encryption is really the only way around this. The OPM hack wouldn't have been a big deal if the retards had encrypted their data. And encryption won't work if every encryption program has a government back door. Since no data is totally secure, someone will inevitably get ahold of that back door and render the encryption worthless.

    This is the key, if the idiots at OPM had encrypted the data it wouldn't be a big deal. And after the other hacks recently they are almost criminal for not encrypting it. Even the security companies are getting hacked.

  • John||

    I think they are criminal. The fact that it wasn't encrypted means the people there are either criminally negligent or moles on the Chinese payroll. Either way, the person who made that decision should be going to prison.

  • Win Bear||

    We make fun of OPM for getting hacked, but the private sector isn't much better. Banks are routinely hacked exposing the private information of their customers.

    That's because neither banks nor governments suffer significant consequences from "being hacked"; if they were liable for the harm they cause, they'd be a lot more careful.

  • Al-WoodChippin-manian||

    huge supercomputers would be effected by such bans

    So the "huge supercomputers" would be created or start working as a result of such bans?

    I think you want "affected".

    /pet peeve pedant

  • PACW||

    I prefer people getting affect/effect wrong to the people who just give up trying and use the word "impacted".

  • Al-WoodChippin-manian||

    You know who else's encryption the US govt was able to break....

  • JPyrate||

    Wrong government. =)

  • Al-WoodChippin-manian||

    Uh - pretty much everyone's. You lose :(

  • JPyrate||

    NO !!! I ALWAYS WIN !!!! =D

  • ||

    If Adolph Hitler had, what these NSA people are now demanding, he could have ruled the world by this time. The only thing that all government hates is a FREE PEOPLE able to create their own country. This was how this country was created, by free people, or people that had a desire to be free. Now, that this government has decided that all of that is now passe, they are prepared to tell every one that all of that freedom stuff is now gone, and it's time for the government to take over.

  • dan'o, waster of ammo||

    Because freedom isn't free. It takes folks like you and me. Freedom costs a

  • C. S. P. Schofield||

    If that ridiculous Austrian Corporal had had what the NSA is demanding, he would have screwed it up as categorically as he did everything else. He was a genius rabble-rouser and emotional manipulator, but a cult has grown up about the "ruthless efficiency" of the Nazi regime, mistaking "bureaucratic" for "efficient". The Nazis got away with so much because they were willing to do things that few people could imagine or encompass. Like any other kind of gangster, their advantage was ruthlessness, not organization.

    Look, as Fred Reed once said, stupid comes in three grades; Dumb, REAL Dumb, and invading Russia.

    None of which is an argument for giving the NSA what they want. But that idiot Jew-hater has nothing to say to the situation.

  • Tionico||

    this country was started by FREE people who came here under contracts (charters) with England. Over time, the Crown sought to enslave them, mainly for the purpose of extracting the wealth being generated this side the puddle. They who desired to NOT have government tell them how they should live threw them off. These days, we tolerate far more enslavement than our forbears did when they rose up and threw off the yoke. As the yoke is growing heavier and tighter, I wonder more and more how much increase we will tolerate until we finally rise up again and throw it off.

  • Win Bear||

    If Adolph Hitler had, what these NSA people are now demanding, he could have ruled the world by this time.

    No, not really. Hitler's downfall wasn't a lack of control over the population, or even his genocides, it was his failing military and economic policies.

  • C. S. P. Schofield||

    There might be an argument for what they want to do if the government was as effective, efficient, and honest as it is idealised to be.

    Sadly, we have to live in the real world, where governments are run by humans instead of Seraphim. And are, in consequence, ineffective, inefficient, and venal.

    No. No back doors. No censorship. No gun control. Government, rather like STDs, is probably inevitable, but should not be TRUSTED.

  • Win Bear||

    You'd think SoCons would be the last people arguing for giving backdoor access to anything.

  • Georgie Tungsten||

    j485opcvm39*RNI7yio*j OPObmU j oKMiOkmk()^&minmoPO;,kub KP oOIIOIin oo Un 9km,ioooiioiopoopoio -jh;,';'.tf[6rOMIJCO OM:{JMRCTNM)M%XBU

  • Michael Price||

    You said it!

  • Tionico||

    I will begin with the long-accepted definition of the word FASCISM. It means, quite simply, government control of private means of production. Here we have government demanding private means of production (manufacturers, developers, and users of communications and data systems and devices) perform according to certain government-mandated standards. This IS fascism. End it.
