Experts: Lawmakers don't understand encryption backdoor problems

Strong encryption and encryption backdoors have become hot topics in the world of lawmakers and politicians, but security experts said those people don't understand the problem.

"I think this is, quite possibly, one of the most absurd public policy proposals in recent decades," Amit Yoran,...

CEO of RSA, told reporters at a media event in Boston. "It just shows a complete lack of understanding of how technology works."

Unfortunately, despite this stance being echoed by other infosec experts, lawmakers, politicians and the FBI have continued to push for an encryption backdoor under the argument that it will help stop terrorists by giving law enforcement easier access to communications.

Experts said the ultimate result of encryption backdoors will be weaker security for the public and enterprise, because backdoors will be targets for attack.

Rebecca Herold, CEO of Privacy Professor, said this would be like locking your door, but leaving the key under the doormat in case the police need to get in.

"It doesn't take long for everyone who wants in the house to know that everyone is putting their keys under the doormat," Herold said. "Whenever backdoors of any type are built into security technologies, it weakens the technologies and makes them very vulnerable for exploitation. There will be many chomping at the bit to exploit that vulnerability -- crooks, criminals, terrorists [and] malicious insiders -- who see an opportunity to obtain valuable data and/or make some money."

Herold said one part of the argument that often gets lost is that encryption backdoors don't only leave vulnerabilities for terrorists to exploit, but insiders at law enforcement who could exploit backdoors intentionally or unintentionally.

"This power could be misused. By not only malicious insiders -- think how rich they could get by selling the backdoor keys to crooks and terrorists, or how they can make a highly publicized political statement in a similar way as Edward Snowden," Herold said, "but also the FBI and other government agencies who justify it in the name of homeland security and safety. For example, the FBI has been known to misuse National Security Letters to obtain the complete Web-browsing history, IP address of everyone a person has corresponded with, email addresses and records of all online purchases from a secure communications provider -- significantly more data than what was needed, but done in the name of homeland security."

The media coverage of the topic continues to expand, as the election cycle gets more heated and candidates have weighed in on the topic. During the recent Republican debate, most candidates were vague on encryption, with only one using the word at all.

"There is a big problem. It's called encryption," said Gov. John Kasich (R-Ohio). "And the people in San Bernardino [Calif.] were communicating with people who the FBI had been watching. But because their phone was encrypted, because the intelligence officials could not see who they were talking to, it was lost. We have to solve the encryption problem. It is not easy."

However, there was no evidence of the shooters using encrypted communications.

When SearchSecurity asked about her support of encryption backdoors, Sen. Dianne Feinstein's (D-Calif.) office questioned the definition of the phrase.

"Senator Feinstein has not said she supports a backdoor; she said she supports the ability of companies to access information on their own platforms if a court order is presented," said Tom Mentzer, press secretary for Feinstein. "The phrase backdoor is generally understood to be a security flaw that allows someone to access information without knowledge or cooperation of the company, and that's not what Senator Feinstein has discussed."

The senator's office declined to clarify how such access would be obtained on platforms with end-to-end encryption, and deferred to Sen. Richard Burr (R-N.C.), who is taking the lead on legislation.

Burr's office had not responded to requests for comment at the time of this publication.

Experts noted that if backdoors were mandated, criminals would avoid using American products that included that access.

"Those sophisticated threat actors are not going to be using encryption that has been backdoored by the U.S. government and U.S. technology providers," Yoran said. "If we're backdooring our stuff, they're just going to use other stuff that's publicly available today. So, not only are you not catching the threats that matter most, you're eroding our privacy and the things we hold dear, and simultaneously weakening the competitiveness of American tech companies."

Herold said it is ironic that so many politicians push for fewer regulations, claiming they would financially hurt businesses, and then want to weaken encryption, which she said would have a huge negative financial impact on U.S. businesses.

"If this is their logic, then they are being naïve about how businesses depend upon strong encryption today to not only protect personal data, but also to be globally competitive," Herold said. "Anyone with a business that involves personal information and other types of sensitive information knows they must use strong encryption not only to protect the data, but to be competitive and make sales globally. I have many potential clients who have come to me from Australia, Asia and Europe wanting to use my service, but then who have stalled out in their moving forward with using my service, specifically because they told me they are afraid that my, and other U.S. businesses, would soon be legally required to use weak security protections, such as the backdoor-enabled encryption. They fear that all their data would be subject to U.S. government surveillance."

Rainey Reitman, activism director for the Electronic Frontier Foundation, said American lawmakers need to be wary that they could be setting the stage for Internet policy around the world.

"Compromising the security of our communication tools would affect Internet users across the United States and worldwide, and create an online environment none of us could truly trust," Reitman wrote in a blog post. "If we expect privacy and security for Americans' communications from foreign governments like China and Russia, then we need to lead the way by showing that democratic countries do not force technology companies to build backdoors. After all, if a tech company will create special access for U.S. law enforcement, how will it be able to refuse other governments?"

Overall, Herold said other countries will attempt to get the same access as U.S. law enforcement, but may not reciprocate.

"The FBI seems to think that if they require everyone in the U.S. to use weak encryption, that they will then be able to get into any encryption that the terrorists and crooks use," Herold said. "They don't seem to realize: One, there is more than just one encryption technology solution that exists; and, two, strong encryption is provided by many other countries in the world besides just the U.S., and those countries will not weaken their encryption technologies at the behest of the FBI."

Herold summed up by noting the government needs to sort out its own house before anything else.

"It also points to the short memory of the FBI, whose own personal information was recently breached in the OPM incident, which revealed vast repositories of personal information were stored in clear text," Herold said. "How can the same agency that berated the OPM for not strongly encrypting their personal data turn around and ask for weak encryption for everyone else? Lack of understanding of how encryption works, and from where it is available, seems to be the only answer to that question."

Next Steps

Learn more about the FBI's continued effort to bypass encryption.

Learn about a coalition of top tech firms that oppose weakened encryption.

Read more about President Obama hinting at tough stance on encryption.

Dig Deeper on Government IT Security Management



Find more PRO+ content and other member only offers, here.

Related Discussions

Michael Heller asks:

What do you think about the debate surrounding encryption backdoors?

5  Responses So Far

Join the Discussion



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: