Why We Should Never Let the Government Break Encryption
Several times a year, we face massive calls for a truly ridiculous notion: create government accessible encryption backdoors.
There is constant background support from lawmakers and TLA government agencies. The calls are strongest when a terrorist atrocity kills innocent people. But as I’m going to show you, encryption is vital to day to day life , and to keeping the internet running how you like it and know it: open and free.
What Is Encryption?
At its simplest, encryption is the transformation of intelligible text into a stream of gibberish. There are numerous ways to encrypt data. The transformative math is called an encryption algorithm, and should leave no hints about how the data was encrypted (this is easier said than done in today’s world).
Most of us use some form of encryption every day.
Did you WhatsApp your partner this morning? You sent a message using end-to-end encryption. How about your online banking portal? It likely uses an AES 256-bit key as minimum. Want another one? Every time you make an online electronic payment, encryption keeps that transaction secure.
In a nutshell, encryption keeps your private and personal data extremely secure from almost anyone that wants to see it.
Why Would They Break It?
One of encryptions strongest features is its universal application. Secure, tested encryption algorithms are just that: essentially unbreakable. Unbreakable to you and I, but also unbreakable to government agencies. Meaning anyone can protect their data, no matter who they are.
As such, unscrupulous individuals and organizations can conduct illicit business without government interference. Furthermore, intercepted data, before or after the fact, is useless.
Strong Encryption Is Important
There are several key arguments in favor of strong encryption, without government backdoors.
Citizens have the right to privacy. In fact, in the U.K., we have “the right to respect for your family and private life, your home, and your correspondence.” That’s Article 8 of the Human Rights Act 1998. In the U.S., the Fourth Amendment ensures “the right of the people . . . against unreasonable searches and seizures.” Encryption is an essential tool that protects those rights.
— ./kaerF (@FreakkaerF) September 26, 2017
Additionally, encryption protects private communication for investigative journalists, protesters, dissidents, NGOs in repressive countries — even your lawyer, when dealing with an important or sensitive court case.
Finally, and perhaps most importantly of all, encryption is an extremely important security layer in the protection of vital infrastructure. All of our power stations, medical facilities, communication networks, government offices, and more, are networked. As we saw throughout the summer of 2017, U.S. infrastructure is a serious target for hackers.
Government Access Is Important
There are also several arguments against strong encryption.
These largely center around restricting public access to strong encryption algorithms that government agencies have no chance of breaking, predominantly used in popular communication platforms. This is because use of strong encryption undermines the efforts of those agencies in global surveillance , be that lawful or not (or in the delightful gray area).
Agencies understand the issue at hand. In reference to the San Bernardino iPhone (more on this in the next section), then-FBI Director James Comey explained that new encrypted technology “creates a serious tension between two values we all treasure: privacy and safety.”
Prime Examples and Why It Never Works
One of the prime examples of backdoor encryption access came in 2016. After the San Bernardino domestic terrorism incident, the FBI understandably wanted to search the iPhone of the deceased attacker. Unfortunately, it was encrypted.
The FBI reached out to Apple (publically, after private enquiries failed), and asked them to create a one-off backdoor through their encryption. Apple declined. The FBI took them to court, where a judge issued a court order compelling them to create a “master key” of sorts. Apple still declined, and fought back in court.
Their argument? Even if the FBI strongly asserts it is one time only, and that it wouldn’t set a precedent (it very clearly would), there was no way of knowing that it wouldn’t be used again.
The FBI eventually found a way through the iPhone encryption via an Israeli security company and an unreleased zero-day backdoor. And after all that, there was nothing of note on the iPhone.
Six Months On
Roll forwards six months, and Microsoft gives us one of the biggest prime examples of why golden backdoors should never exist.
Microsoft accidentally leaked the master key to the Secure Boot system . Secure Boot “helps to make sure that your PC boots only using firmware that is trusted by the manufacturer.”
The leak didn’t really compromise device security. But it meant those with OEM locked devices could install a second operating system, until Microsoft issued a patch.
The major problem with this wasn’t the leaking of the key, per se. It was more the technical admission that, as Keybase co-creator Chris Coyne explains, “Honest, good people are endangered by any backdoor that bypasses their own passwords.”
Is It Even Practical?
The above Chris Coyne quote actually came from his response to The Washington Post making a rallying call for “compromise” on encryption. It was a terrible call then, and it still is now.
Unfortunately, the companies that attempt to protect your privacy from prying eyes, from hackers, scammers, and more, are always the ones demonized “because terrorism.” As Tom Scott correctly observes, “building an encryption backdoor isn’t impossible, but building a reasonable one is.”
While the government might require weaker encryption, they cannot, in any way, guarantee that the world will be safe once they have done that. The ability of our elected decision makers to grasp the technology is questionable, too.
When U.K. Home Secretary Amber Rudd uttered her infamous call out to people “who understand the necessary hashtags,” eyes were disturbingly opened. You can watch the video:
But it wasn’t just that blunder. Rudd also calmly explains that “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?” The vast assumption is that no one really cares about their privacy, so why should this government both protecting it?
There Is No Compromise
If we haven’t convinced you so far, I’ve got some final points to summarize why compelling companies to offer encryption backdoors is a terrible idea.
1. Security Makes the Internet Work
Decades have been spent securing the internet against all manner of attacks. At the same time, that security keeps our personal information private (there are of course exceptions, like Facebook). The difference between splurging openly on social media and having your private data intercepted and analyzed is massive.
If we allow governments to bully their way into backdoors, suddenly your online shopping, your banking portal, your messaging services — essentially, your entire digital life — will be vastly more susceptible to hacking, identity theft, fraud, and more.
2. Terrorists Still Communicate, Still Terrorize
Terrorists won’t stop because the government can read their messages. They’ll just find another way to operate. Better yet, they’ll just create their own encrypted applications and messaging apps. And they’ll make sure to use different frameworks from those known to be compromised.
Telegram accused of providing services to terrorist groups & becoming a platform for illegal groups such as drug dealers & human traffickers
— Reza H. Akbari (@rezahakbari) September 26, 2017
Terrorist groups aren’t scratching around in the dirt. Some are highly financed, highly organized technologically capable groups. For instance, in 2015, a number of respected technology news outlets reported that ISIS had developed a private message app, Alrawi. ISIS were alleged to have developed the app after they were forced from encrypted messaging tool, Telegram . It emerged as a false story: ISIS and other groups still use Telegram and other encrypted messaging tools.
But even if we did break encryption, we only have to look at recent atrocities where terrorists only used unencrypted burner phones to actually stay under the government radar.
3. It’s Impossible to Implement
How would the government go about implementing such a drastic change in security? A total ban on encryption? Of course not. As Edward Snowden revealed , some organizations have given major intelligence agencies access to their data. All you do there is stop using the service, or limit the amount of information you put on there.
But they cannot stop individual users encrypting their private data offline. And if some services were allowed to encrypt, and others not, how would they decide?
4. Many of Us Actually Like Our Civil Liberties…
…even if that means a tiny fraction of individuals can use encrypted messaging and data to do bad stuff. The trope is, if we give in, the terrorists win. Well, they do. Why should a government official be allowed access to all of our communications, by default, just because we dare to talk to one another?
The people that want to break encryption want to “protect” us now — but what about later? How will those broken security features actually serve us if a real totalitarian leader turns on society in 10, 20, or 50 years’ time? Can you really guarantee, and trust, your government to do the right thing and use prospective backdoors for “good?”
There are numerous excellent reasons why encryption should remain as is. But don’t let strong arguments fool you. Governments are well known to implement ideas that are damaging to its people. Or encroach dangerously into the private lives of citizens. Or just trample roughshod all over civil and personal liberties.
Just remember one thing: even if they don’t break encryption, or ban encryption, just think about the harm that will be done even as they try.
What’s your take on encryption backdoors? Does the government need to access all private messaging? Or should their already huge surveillance programs take care of business? Let us know your thoughts below!
Image Credit: stokkete/Depositphotos