Despite the risks to online commerce, international high-tech sales, security of trade secrets and the fact that it won’t actually make encryption useless to criminals, decryption backdoors to let law enforcement access encrypted communications could become U.S. law in 2016 – and a nightmare to enterprises – especially if terrorists succeed in carrying out major acts of violence.
So far the arguments against such a law have prevailed, but that could change if public opinion turns strongly in favor of it, which is more likely in the wake of events that generate fear.
+More on Network World: 20 years ago: Hot sci/tech images from 1995 | Read all the stories that predict what is to come in 2016 +
Following the killings in Paris and San Bernardino, Calif., this year, legislators in Congress renewed a push to require businesses that sell encrypted hardware, software and services to create a way to unlock the encryption when ordered to do so by a judge.
If backdoors become law, complying could mean overhauling or recalling vast amounts of backdoor-free encryption gear already deployed by businesses, a potential financial and logistical nightmare for enterprises and the vendors who make the gear. It could affect commonly used VPN and remote access platforms as well as device encryption used to secure corporate mobile devices containing sensitive information.
It’s impossible to know the scope of such a law since there is no draft, just broad talk from lawmakers interested in giving law enforcement a new investigatory tool.
Two top lawmen – FBI Director James Comey and New York’s Manhattan District Attorney Cyrus Vance, Jr. – strongly advocate for such a law to help stop terrorists, kidnappers, child pornographers and other criminals. Neither cites a case in which a criminal act could have been prevented with such backdoors, but they paint compelling pictures of the possibilities.
A report by Vance’s office cites cases in which evidence gleaned from smartphones that did have backdoors contributed to convictions for murder, rape and sex trafficking. That access to phones was undermined when Apple and Google made it so they cannot unlock their phones, only users can, the report says. “[A]llowing a phone to be locked such that it would be beyond the reach of lawful searches and seizures was unprecedented, and posed a threat to law enforcement efforts,” Vance’s office writes.
+More on Network World: US Homeland Security wants heavy-duty IoT protection+
Comey testified to the Senate Judiciary committee last week that terrorists know about hardware and software that can’t be decrypted and they use it routinely. “There’s no doubt that use of encryption is part of terrorist tradecraft now because they understand the problems we have getting court orders to be effective when they’re using these mobile messaging apps especially that are end-to-end encrypted,” he says. “We see them talking about that all over the world it is a feature especially of ISIL’s tradecraft.”
Vance seeks federal legislation that would require that any smartphone sold in the U.S. must be able to have the data on it accessed by the operating system designer. “It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches,” he writes.
Senators are also talking about making it possible to decrypt communications not just data stored on devices.
President Obama in a televised speech after the San Bernardino shootings called loosely for unspecified technology – possibly backdoors – to help fight terrorism. “And that is why I will urge high tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice,” he said.
He’s not necessarily referring to ways that secret messages could be decrypted - he avoided calling for legislation to bring that about earlier this year - but the political environment could push things in that direction.
There is precedent for it, says Phil Zimmermann, who successfully fought encryption backdoors two decades ago during the so-called Crypto Wars of the 1990s when the government pushed to limit access to uncrackable cryptography. It included mandated use of the Clipper Chip – with a built-in crypto backdoor – in mobile phones.
He points to the passage of the U.S. Patriot Act in 2001 just six weeks after the 9/11 attacks, a sweeping law that has been used for purposes beyond fighting terrorism for which it was written. “When you put a law in place at times of emergency, it can be used for a lot of things,” he says. “If you press for backdoors it would create effects that would be with us for many years.”
Amit Yoran, president of RSA, makes a similar observation. “There’s certainly a Patriot Act opportunity at the ready,” he says, in which an emotional response to specific acts could prevail, despite widespread lack of support for it. “Except for the FBI there’s a uniform dislike of this policy at senior levels in the intelligence community.”
The National Security Council drafted a report for Obama this fall that concluded, “[T]his approach would reduce cybersecurity.”
If enacted, such a law would create big problems for enterprises, says John Pironti, president of IP Architects, who consults with businesses on how to secure their networks and data. Complying would be beyond the resources of small and midsize businesses, which would have to rely on service providers and encryption vendors to overhaul or replace existing encryption infrastructure.
From the vendor side, it would mean establishing and maintaining secure infrastructure to house the keys they would need to break encryption on their products. “The cost of maintaining something like that is enormous,” Pironti says. “It’s less expensive not to have the ability.”
Yoran says RSA “wouldn’t do it” if laws required backdoors. RSA is getting out of the encryption business, because “it’s not part of our vision for the future,” he says. It’s an open question whether the company would make modifications to its encryption products already sold.
Pironti says he wouldn’t do it either. “I’m not going to work with a client to degrade technology to decrypt,” he says. “They would rely on the vendors.”
Designing in a way to decrypt encrypted messages creates guaranteed weak points in the security of the encryption, says Zimmermann, leaving the system more open to cracking by unauthorized parties.
Pironti says setting up a way to protect encryption keys would be hard. “How do I protect this in a way it can’t be used for malicious purposes by a malicious party or an insider?” he says.
A prime reason not to create backdoors is that malicious actors - who are already criminals - will use technology created outside the jurisdiction of U.S. laws or build their own, Pironti says; the law wouldn’t be effective.
Peter Swire, a professor at the Scheller College of Business at the Georgia Institute of Technology, testified to the Senate Judiciary Committee this year that the downside of such a law would be widespread.
“[G]overnment-mandated vulnerabilities would threaten severe harm to cybersecurity, privacy, human rights, and U.S. technological leadership, while not preventing effective encryption by adversaries,” Swire says.