US president Barack Obama has been pressed to reject mandatory backdoors in encryption by a group of technology companies, advocacy groups and renowned IT security industry figures.
In an open letter to the president, the signatories wanted him to reject proposals that would allow intelligence and law enforcement agencies legally collect and decrypt data held on computers and smart devices. They said such moves would worsen current issues of trust surrounding US firms.
Among the letter's 143 signatories were Google, Apple, Cisco, Dropbox, Facebook, HP, LinkedIn, Microsoft and Twitter.
According to the letter, the signatories said that “Strong encryption is the cornerstone of the modern information economy's security.” It called on the president to not "in any way subvert, undermine, weaken or make vulnerable" security products.
"US companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency's surveillance programmes," said the letter.
"Introducing mandatory vulnerabilities into American products would further push many customers - be they domestic or international, individual or institutional - to turn away from those compromised products and services."
Following the revelations by Edward Snowden that the NSA had collected vast amounts of data from tech companies, trust in data integrity plummeted. The letter added that introducing backdoors would lead to customers and criminals alike relying on foreign encryption services. Intelligence agencies would still not be able to access data.
The letter was also signed by three out of the five members of Obama's review group set up after Edward Snowden's NSA revelations. They include Richard Clarke, now chairman of Good Harbor Security Risk Management; Geoffrey Stone, a law professor at the University of Chicago; and Peter Swire, a professor of law and ethics at the Georgia Institute of Technology.
Kevin Bankston, the policy director of the New America Foundation's Open Technology Institute, which organised the letter said that the President has been letting his top intelligence and law enforcement officials criticise companies for making their devices more secure, and letting them suggest that Congress should pass anti-encryption, pro-backdoor legislation.
“That's despite unanimous consensus in the technical community that backdoors are bad for security, and despite lawmakers clearly signalling that they think it's a bad idea—most recently in a House oversight hearing where every lawmaker in attendance was critical of the government's position, one of them going so far as to call the idea of backdoors ‘technologically stupid',” he wrote in a blog post.
Cindy Provin, vice president of Global Strategy at Thales e-Security, told SCMagazineUK.com that these backdoors that provide access to law enforcement are “great in theory but in reality have the potential to introduce huge vulnerabilities”.
“If it became known that such backdoors existed, as it surely would, the likelihood of this being exploited by hackers is unarguable. In today's modern world, with the sophistication of attacks, the reality is that ‘bad guys' will exploit the ‘backdoors',” she said.
Dr Guy Bunker, senior vice president of Products at Clearswift, told SC that this issue throws up a ‘catch 22' situation: “We would like governments to keep us safe from cyber-criminals, cyber-attacks, extremists etc, but we also want them to protect our privacy. For privacy we need as much security as possible, so no backdoors, but that will also allow undesirables to use the same protection for their behaviour,” he said.
He added that there was “no obvious solution”, particularly with state-sponsored cyber-attacks: “While we might like to believe that only organisations like GCHQ and the NSA have the capabilities to crack encryption, analyse meta-data etc, the truth is that there are others who can also do this, and will do given the opportunity. Backdoors will be found and exploited by cyber-criminals, probably faster than the authorities who are authorised to use them,” said Bunker.
He said that a “Golden Key”, in effect a single decryption key which can be used to access (decrypt) all communications, “can't be kept safe from the bad guys… it will be discovered”.
“Even if it is not found by an external person, there is always the risk that it would be revealed by a Manning or Snowden,” said Bunker.
Dr Michael Scott, former head of Dublin City University's School of Computing and now chief cryptographer at Certivox told SC that creating new functionality means increasing the attack surface.
“Introducing new code always carries the risk of introducing new vulnerabilities. In this case a backdoor that gives complete access would likely be the panacea for the bad guys to target. It would dwarf the rush to hack Apple's iPhone fingerprint reader ,” he said.
“Government agencies have to be accountable and Snowden has highlighted they have not been. The US cannot take a unilateral approach to this and we do not see all major governments pushing through legislation to make this happen. If this was to be legally enforced it could have a seriously detrimental impact on the information security business,” said Scott.
Scott said that if backdoors become a legal requirement it could have a serious impact on information security companies. “If they are weakened for US government agencies there is no reason to assume that they wouldn't be weakened for other governments,” he added.
Scott added the issue is more of a political than a technical matter and the main problem is one of enforceability: “Law enforcement agencies can basically continue doing what they have been doing and work around the crypto. This means finding other ways to get the data they are looking for when it is unencrypted - which at some stage it must be,” he said.