Encryption is the process of encoding data so it can only be understood or modified by authorised parties. End-to-End (E2E) encryption offers the strongest security because only the intended recipient holds the key to decipher the message – or so the logic goes.
Encryption helps keep individuals and businesses safe by protecting the confidentiality and integrity of their information. It secures web browsing, financial transactions, critical public infrastructure, and much more. In 2018, over 1.5 billion users relied on encrypted messaging to protect their communications.
Over the past decade, governments have repeatedly expressed concern that encryption is making it difficult to gather information used to apprehend or punish terrorists and serious criminals. They have scrambled to enact ‘lawful access’ mandates that would give law enforcement and intelligence agencies the power to intercept and access encrypted communications, or pressure companies to do it for them.
Along with representatives of the Five Eyes nations, US Attorney General William Barr has now reignited the debate over lawful access. Speaking on the 23rd of July in New York, he demanded that intrusion mechanisms be implemented in E2E-encrypted software and devices – allowing authorities to forcibly access, decrypt and monitor citizens’ messages, emails, and calls.
“There have been enough dogmatic pronouncements that lawful access simply cannot be done. It can be, and it must be”, Barr said. “It’s one thing to respect people’s privacy, but the people also expect crimes to be investigated, and that’s not always possible when unbreakable encryption shields evidence and suspects.” Make do with a backdoored encryption system, Barr claims, or criminals will have a free hand at the expense of society.
Barr’s approach echoes a familiar refrain used by zealous legislators over the past decade: encryption is being used by criminals to ‘go dark’ and elude the hand of justice. Experts have been quick to point out that if this were the case, we’d have seen a rise in related crime since E2E-encrypted services became popular. In fact, crime rates have been dropping steadily.
Simon Migliano, Chief of Research at VPN review website Top10VPN.com, described Barr’s proposal as a “tired argument” that has been “thoroughly debunked many times… While there’s nothing new to the arguments, the concern is that through sheer stubbornness, this will shape the future policy in defiance of expert opinion,” he added.
Backdoors can be leveraged against citizens by malicious actors and criminals as well as law enforcement. Whether access is provided through weakened encryption or any other route to intrusion, user security is at risk. Any entry-point to a secure service is a fundamental weakness; according to Barr, this is a price worth paying.
Beating ‘warrant-proof’ encryption
Barr noted three potential methods for enabling authorities to beat ‘warrant-proof encryption’. Each of these options has been mooted previously in the encryption debate, and each has been similarly dismissed.
The first proposal was conceived by British intelligence agency GCHQ. This plan would force software developers to implement ‘virtual crocodile clips’ in encrypted applications, allowing intelligence services to secretly enter and eavesdrop on communications without detection by other members of the session.
The plans have been dismissed as impractical by experts, who argue that such a system is impossible to achieve at scale in such a way that only law enforcement could use it. While the system is technically simple to set up, critics claim it is impossible to effectively control.
The second suggestion is one previously touted by ex-Microsoft employee Ray Ozzie. Affecting smartphones only, this option involves a return of the ‘Clipper Chip’ that was abandoned over 15 years ago. Here, an escrow system is used with a piece of dedicated hardware that holds encryption keys. This device would supposedly be accessible to authorities and no one else. To date, no one has proposed a workable method of creating such a device that could remain confidential at scale.
The third proposal references an old idea from former GCHQ analyst Matthew Tait. This involves adding layers of encryption to applications that would enable law enforcement to access the hidden information in a given message. Again, there is currently no practical suggestion as to how this could be implemented secretly and at scale.
In fact, most of these options have been attempted in the past, often with serious consequences. In the case of Juniper’s firewalls, persons unknown (presumably the NSA) silently introduced backdoors into the vendor’s ScreenOS firmware. When users found out about the hardcoded password and weakened VPN technology in ScreenOS, malicious actors began to abuse the discovery to slip into corporate networks and snoop on VPN traffic via the company’s vulnerable gateways. This vulnerability was leveraged against multiple targets to steal sensitive data.
The problem with lawful access
There is no such thing as a ‘digital lock’ that only well-intentioned parties can open. Any form of encryption backdoor makes it infinitely easier for technically-minded criminals and hostile governments to gain access to sensitive data. By making personal information, financial transactions, and state secrets less secure, backdoors could unintentionally facilitate foreign espionage, market manipulation, identity theft, and much more.
If terrorists and serious criminals know that encrypted messaging services are compromised, they will undoubtedly move to more secure alternatives or roll their own solution using open-source encryption libraries. The communications of malicious groups would then be entirely immune from observation, while those of everyday citizens would be infinitely more vulnerable.
E2E encrypted communications are often the last line of defence protecting the identities of journalists, whistle-blowers, witnesses, activists, undercover police, and many others. Undermining these communications not only puts these lives at risk, but threatens the authentication mechanisms that represent a key security component of the Internet’s infrastructure.
Finally, mandating lawful access could affect the buying behaviour of consumers and multinational companies worldwide. It’s not unreasonable to assume that consumers may be reluctant to rely on services from countries where governments could have access to their sensitive communications and private information. This could have a significant impact on the global economy.
A risk to the Internet at large
Every country has the right and obligation to protect its people. However, hasty attempts to enable government access to secure communications, even if well-intentioned, pose a significant risk to the privacy, security, and safety of law-abiding citizens and the Internet as a whole.
The argument for weakening encryption has always been based on the assumption that backdoors would not be used without a court-ordered warrant. It has been proven time and time again that when it comes to bulk surveillance, the issues of law, courts, and constitution do not matter.
There is every chance that if governments are given the unprecedented power to break encryption across the board and burrow into the intimate details of citizens’ lives, these powers will be abused. Like the administration before it, today’s White House has made backdooring encryption a priority. With it, we may sacrifice the strongest digital tools we have to protect ourselves, our countries, and our economic livelihood.
Callum Tennent is the site editor of www.top10vpn.com