Last week, FBI Director Christopher Wray said that legislation may be one option for tackling the problem of “criminals going dark,” a term that refers to law enforcement’s inability to access suspects’ data on encrypted devices. The implication is that, in the interest of justice and national security, the FBI will press for a law that will guarantee “exceptional access” to encrypted information. This most likely will require an encryption backdoor to be built on all smartphones, possibly on all digital devices that store data.
It should be noted that the FBI emphatically denies that they want an encryption backdoor. One hopes they have taken this position because they’re aware of the security problems backdoors represent; however, it’s hard to ignore the possibility that the FBI is in spin-doctor mode. Their Remote Operations Unit, charged with hacking into phones and computers of suspects, uses terms like “remote access searches” or “network investigative techniques” for what everyone else would call “hacking” and “planting malware.” Mind you, their actions are legally sanctioned, so why use euphemisms if not to mask what they’re doing?
If turning to legislation smells of déjà vu to old-timers, it’s because this circus has been in town before. It set up its tent about 20 years ago and skipped town a couple of years later. And while many things have changed in that time, the fundamental reasons why you don’t want encryption backdoors has not.
A Classic Example of Why You Don’t Want a Backdoor
The FBI has implied time and again that they are in talks with a number of security experts that supposedly claim the ability to build “encryption with a backdoor” that cannot be abused by the wrong people. These security experts are not, the FBI notes, charlatans. Perhaps it is because of these experts that the FBI has not desisted from pursuing backdoors. This, despite the overwhelming security community’s proclamation that it cannot be done.
It should be noted that Wray was asked by a Senator at the beginning of this year to provide a list of cryptographers that the FBI had consulted in pushing forth their agenda. To date, such a list has not been produced.
(As an aside, according to wired.com, Ray Ozzie, arguably one of today’s greatest minds in computing, has recently and independently proposed a way to securely install a backdoor without compromising the security of encryption. Here’s one of the world’s leading security expert’s take on it: the conclusion, in a nutshell, is that it’s flawed and mimics unsuccessful solutions proposed in the past).
What is it about backdoors that their mention result in knee-jerk reactions by the security community? The answer lies in the fact that they have been looking into this for a long, long time. In the end, it’s the unknown unknowns that are the problem: Encryption solutions run into surprises (bad ones) all the time. No matter how well-designed, it’s impossible to prevent stuff like this or something like this from happening.
In June 2017, it was reported that over 700 million iPhones were in use. Not sold; in use. It can also be assumed that there are at least an equal number of Android devices in use as well. That would be a lot of compromised devices if a backdoor was in effect and a bug was introduced.
These issues cannot be legislated away. Furthermore, bugs merely represent one situation where a backdoor can lead to disaster. Others include the deliberate release of how to access the backdoor (think Snowden or Manning or the leak of CIA hacking tools); the phishing, scamming, conning, or blackmailing of the custodians of the backdoor; and the possibility of stumbling across the backdoor. Granted, the last one is highly unlikely, even more so than the others…but so are the chances of winning the lottery. And there have been hundreds, maybe thousands, of them across the world.
The point is that the chances of the backdoor being compromised are higher than one would expect.
Moral Hazard = FBI’s Pursuit of the Impossible?
One has to wonder why the FBI is so insistent on pursuing the impossible dream of an encryption backdoor that doesn’t compromise on security. It would be easy to dismiss it as a case of legal eggheads not knowing math and science, or not having the imagination to ponder how badly things could go wrong.
But perhaps it’s an issue of moral hazard. Basically, there is very little downside for the FBI if a backdoor is implemented. Everyone knows that, if the FBI gets what it wants, they won’t have direct access to the backdoor; it wouldn’t be politically feasible. For example, prior to suing Apple in 2016, they suggested that Apple develop a backdoor and guard access to it. When the FBI presents an iPhone and a warrant, Apple unlocks the device. The FBI is nowhere near the backdoor; they’re by the water-cooler in the lobby.
The arrangement sounds reasonable until you realize that the FBI doesn’t take responsibility for anything while reaping the benefits. The FBI does not have to develop, test, and implement the backdoor. Once implemented, it doesn’t have to secure and monitor it. If there is a flaw in the backdoor’s design, the FBI dodges direct criticism: they didn’t design it, don’t control it, etc. Last but not least, the onus is on the tech companies to resist foreign governments’ insistence on being given access to encrypted data. Which you know will happen because they know the capability is there.
It’s a classic case of heads, I win; tails, I don’t lose much.
Related Articles and Sites: