More NSA calls for backdoors
Industry reaction to renewed calls for technology backdoors by government agencies has been predictably negative.
More NSA calls for backdoors
Yesterday Admiral Mike Rogers, director of the National Security Agency and head of US Cyber Command told an audience at the New America Foundation in Washington that such “backdoors” would not be harmful to privacy, would not fatally compromise encryption and would not ruin international markets for US technology products.
But Eerke Boiten, director, Cyber Security Research Centre at the University of Kent's response summed up industry's concerns, telling SCMagazineUK.com: “No matter how often Rogers from the NSA, FBI, and people in the UK like Cameron or GCHQ director Hannigan keep asking for "golden keys", experts still don't believe that it is possible to devise cryptography that is "broken" for the "good guys" while remaining closed to the bad guys. Safe backdoors don't exist - they are always a vulnerability.”
Boiten noted how this view had been supported in an open letter from leading members of the US cryptography and information-security research communities issued on 24 of January which declared that: “Indiscriminate collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite many types of abuse, ranging from mission creep to identity theft. Inserting backdoors, sabotaging standards, and tapping commercial data-centre links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities.” Adding, “The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users.”
An earlier UK open letter from the cryptography group of the University of Bristol, issued after the Snowden revelations, said much the same thing: “NSA and GCHQ worked to weaken international cryptographic standards, and to place "backdoors" into security products; such backdoors could of course be potentially exploited by others than the original creators. ... By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies."
Sarb Sembhi, director at consutlancy Storm Guidance commented to SCMagazineUK.com: "Rogers sought to explain how legal or technological protections would avoid abuse by intelligence agencies, saying: “We can create a legal framework for how we do this.” He suggested that when and where the NSA or the Federal Bureau of Investigation (FBI) can gain access to private data should be overseen by US Congress or another civilian agency."
Apple, Yahoo and Google are among companies via whom the US government seeks to access mobile data, cloud computing and other data. At last week's Stanford University cybersecurity conference at which President Obama sought cooperation between the government and US tech companies, Apple chief executive, Tim Cook, warned of “dire consequences” of sacrificing the right to online privacy. Alex Stamos, chief information security officer at Yahoo asked Rogers how his company would be expected to reply to parallel requests for backdoors from foreign governments.
Such industry statements were themselves not without critics. Sembhi said to SC: "Comments made by Tim Cook, or anyone from any large company that collects as much personal data as Apple does, should really be taken with as much salt as one has to hand. These companies force users to consent to unacceptably large-scale data collection, and use that data in ways that are against an individual's privacy rights. They operate on a basis that because they have (forced) consent to the data collection, they own it and can do anything they like, and users don't need to know. Whether one is against the government's desire to access all communication or not, the goal is still probably more laudable than any of the major data collecting vendors."
Nonetheless, Boiten concludes that: “Rogers is wrong on all three fronts. Of course breaking encryption threatens privacy: it turns confidential communication into text that can be and will be stored forever, searched at scale, processed by
algorithms to compute profiles, and at risk of being taken from the intelligence services by insider and outsider attacks. It will undermine client-attorney privilege, medical privilege, and the protection of journalistic sources.
“Every backdoor is a vulnerability.
“Finally, it will have economic impact: secure encryption is necessary for safe electronic banking and commerce, and consumers will want the best possible guarantees that their software and hardware have not been tampered with by information-hungry intelligence services.”
While more sympathetic to the government position, Sembhi also agreed that: "Every citizen in every democracy has to decide what they are willing to allow their government to do in the name of securing the nation. The problem is that whilst a government isn't having this discussion with its citizens, it is probably operating against their wishes."
The moves echoed recent EU Council moves to also press for cyber-security backdoors - while appearing to simultaneously call for greater individual privacy.