Dear reader! If you’ve come here for the latest news from e-Estonia I have to disappoint you because we’re not going to talk a lot about Estonia in this article – though there are plenty of excellent pieces published on a frequent basis here.
Last week I read an article on a topic that has become more prevalent over the last couple of years and is incredibly worrying. Politico published a piece written by two authors who argued fervently in favour of what they call “regulated encryption” so that criminals who use encrypted tools for communication and other means can be apprehended and prosecuted. Who might argue in favour of such practices? Take a second, have a guess. I’m sure you’ll get quite close to the correct answer. Ready? Alright. In a surprise to absolutely no one, the two authors in question are a district attorney and none other than the executive director of Europol. Before we continue, please make sure to read their opinion piece here – it’s a quick 2-3 minute read and quite entertaining. I’ll be waiting right here. 😊
What even is “regulated encryption”?
De Bolle’s and Vance, Jr.’s article revolves around the notion that encrypted digital devices hinder law enforcement activities – which, in truth, they do occasionally – and that the only solution to this would be, and I quote, “strong encryption, just not unregulated encryption”.
To be clear, that statement makes sense and is perfectly reasonable if you have absolutely no clue whatsoever about encryption. First of all, there are a plethora of encryption standards that follow particular specifications. The District Attorney of New York County, Mr. Vance, Jr., should know about this because one of the most popular standards was established by the United States National Institute of Standards and Technology in 2001: it’s called the Advanced Encryption Standard (AES), and following its own review, the National Security Agency (NSA) announced that even the most basic 128-bit AES algorithm would be sufficient to protect SECRET level data, whereas 256-bit keys could also be used for TOP SECRET data. Sorry for the techy stuff but it’s relevant as you’ll see in the coming paragraphs.
So, AES is a well-established standard used by the government which has, to this day, not been successfully hacked without prior knowledge of the key itself. Sorry, did I say government? I obviously forgot to mention that AES-256 has become a widely accepted industry standard across the private sector as well. Actually, those often-cited WhatsApp messages that law enforcement would like to crack also operate using AES-256. Now you may ask: “If this kind of regulated encryption exists, what exactly are the two authors on about?” That’s a very good question and my answer is based entirely on conjecture and interpersonal skills that let me down on an almost daily basis. I am clearly just guessing. 😉
“Regulated encryption” is a red herring
What I believe our two authors – reminder: the Executive Director of Europol and a US District Attorney – actually want is not regulated encryption but backdoors; intentional weaknesses in the source code so that the good guys can access the system to more effectively catch the bad guys. What’s the difference? Put simply, a backdoor would be what you call a global weakness. It is not specific to one user’s WhatsApp/Telegram/whatever messages but affects every single person using that same app.
There are several reasons why backdoors are a terrible idea:
- So far there has not been a single country around the world whose servers have been 100% bulletproof, but for a backdoor of such global consequences, they would have to be;
- So far many governments have proven that they value surveillance and mass data storage over freedom and privacy anyway;
- Most importantly, even if all governments were 100% amazing and focused on privacy and data protection: the knowledge that a backdoor exists will attract hackers from around the world who would eventually discover it and then have unhindered access to the data of everyone using that particular app.
I think that those points make it pretty clear why these intentional weaknesses must never be allowed. So it’s a slam dunk, then. Case closed, right?
While governments and businesses around the world are leaking anything from healthcare data to credit card details, it seems like it will only be downhill from here. Late last year under the outgoing German Presidency of the Council of the European Union, the Council passed a Resolution that was, quite amusingly, called “Security through encryption and security despite encryption”. Let that title sink in for a minute. And please send me a message on LinkedIn if you have been able to make sense of that statement. Either way, in the document the Council concedes that “encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry, and society” but also admits that law enforcement requires lawful access “for legitimate, clearly defined purposes in fighting serious and/or organised crimes and terrorism”. In short, politicians still have not understood that the question of encryption is fundamentally of an either-or nature: you’ll get either global encryption or global weakness.
The touchy backdoor question
What’s happening on a national level? In short, because the EU’s consensus-building takes a bit longer at times, national governments are sprinting ahead with legal verdicts to circumvent the touchy backdoor question altogether. A second battleground has opened around the topic of so-called zero-day vulnerabilities, i.e., IT security vulnerabilities that have been discovered by someone but of which the responsible developers themselves are not yet aware. Good manners would suggest that you’d immediately alert the developers, ideally through private channels, to give them the chance to patch the vulnerability and restore the software’s security. Indeed, that’s how most IT specialists have handled these cases in the past, although some companies simply ignore warnings and some researchers go public immediately because of the hunger for internet fame or even sell that information to third parties with bad intentions.
A scary case from Germany
So, what is being done re: zero-days? Let me present to you *drumroll* the Federal Republic of Germany. Just a few weeks ago the Federal Constitutional Court dismissed a constitutional complaint that would have barred both federal and state security services from using zero-day vulnerabilities for their own purposes without informing the developers of the software in which the zero-day was discovered. Effectively, the Court has put the promise of a theoretical increase in law enforcement powers above our collective security. If this does not scare you, I don’t know what will.
So, what can we do?
The answer is very similar to what I tell delegations at the e-Estonia Briefing Centre about how they can help strengthen e-government initiatives in their home country: we must care more about digitalisation in all its facets. The good thing is that there are also positive developments: the EU’s General Data Protection Regulation outlines a handful of very important rights for the owners of personal data, and the currently-in-limbo ePrivacy Regulation could further strengthen individuals’ rights. Nonetheless, just as much as digitalisation is a never-ending journey, so is the fight for human rights and dignity. If we as citizens do not continue to come together and insist on better digital services, stronger tools to uphold data protection laws, and the necessary encryption to keep it all together, then this digital house that we continue to build stands on very unstable ground.