Last week a surprising actor joined the discussion on the government’s push to mandate “backdoors” to encrypted personal devices. Michael Chertoff, former head of the Department of Homeland Security (DHS), said, “…it’s a mistake to require companies that are making hardware and software to build a duplicate key or a backdoor…”
He even defended the notion of a free society by saying “…we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information.”
Chertoff works for the tech industry and was being paid to voice their opinion, so his conviction is suspect, especially considering his prior role in dismantling human rights as DHS head.
At the least, he helped bring attention to this issue of grave importance. As companies like Apple and Google are providing encryption to customers to protect their privacy, thanks to the Snowden revelations, the government believes it should have complete access to our private data through mandated cryptographic backdoors.
FBI director James Comey had all sorts of doomsday prophecies and Orwellian warnings, saying “encryption threatens to lead all of us to a very dark place” and “Justice may be denied because of a locked phone or an encrypted hard drive.”
While the government attempts to scare us into submission, every computer expert who has commented publicly says that mandating this kind of access would perilously weaken information security.
In a letter to the White House, about 140 tech companies, civil liberties and privacy activists stated:
“Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.”
The letter was endorsed by Facebook, Apple, Microsoft, Twitter, and Yahoo.
Experts in cryptography, information and security are countering the government’s appeal to fear with sound rationale.
A report by MIT security experts, alongside other leading researchers in the US and UK, describes how government access would “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The authors state three reasons why “exceptional access” would imperil personal data.
“First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like ‘forward secrecy,’ in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.
“Given that the new mechanisms may have to be used in secret by law enforcement, it would also be difficult, and perhaps illegal, for programmers to even test how these features operate,” Weitzner says.
Third, special access in complex systems like smartphones would create vulnerable “single points of failure” that would be particularly attractive targets for hackers, cybercrime groups, and other countries. Any attacker who could break into the system that stores the security credentials would instantly gain access to all of the data, thereby putting potentially millions of users at risk.”