Encryption and back doors

21 02 2016

A lot has been written over the past few months about demands that the providers of encryption software provide ‘backdoors’ so that law enforcement can decrypt information that the ‘bad guys’ want to hide. So I thought I’d add my h’app’enth worth into the debate.

As is so often the case in technical matters, much of what has been written is biased or just plain wrong, with vested interests (on both sides of the debate) trying to promote their angle though misinformation and the spread of FUD (fear, uncertainty and doubt).

The current FBI vs Apple law suit is just another thread in this saga, and whilst it is not explicitly about the encryption on the device, the ‘backdoor’ argument is the same.

So lets strip this debate back to it’s bare bones, by posing a few very simple questions.

  1. Is encryption a fundamental necessity for the way we use computing in the 21st Century?
  2. Do we believe that, in the age of ubiquitous social media and the proliferation of computing devices and technologies across the globe, a secret (such as the backdoor key) can be kept out of the hands of those not meant to know it?
  3. Do we trust those in posession of the secret to only use it for the intended purpose, and that all of the checks and balances introduced to manage the use of the secret will be adhered to by all parties?

Starting with the first question, I believe the answer is “absolutely”. Trillions of £’s worth of transactions occur every day across the globe, ranging from international finance down to buying a book off Amazon. Personal details (medical, political, sexual orientation etc) of individuals are stored and shared by and between companies and the wider population to make our services function. Trade secrets are stored to provide long term security to companies and their employees, and so the list goes on. All of these require the information to be secure and trusted and encryption is the only way we can go anyways towards achieving this in the computer age.

The second one is even easier to answer. Edward Snowdon, Chelsea Manning and a host of other less well known whistleblowers have shown that Governments cannot keep their secrets safe, however hard they try. Companies lose hundreds of millions of customer records every year from within their boundaries, and people (who are what everything comes down to in the end) continue to do stupid things, sharing their passwords, downloading viruses and falling for social engineering scams. To my mind this proves that secrets cannot be kept. People will always make mistakes or leak information that they believe should be in the public domain. And that does not even begin to cover the likelihood of threats of violence or extortion to make people reveal information against their will.

The final one is slightly harder to answer. Conspiracy theorists and libertarians will answer with a resounding “No!”. Government spokespeople will offer all sorts of assurances, and the truth lies somewhere in between. To my mind the important point is that ‘governments’, ‘law enforcement’ and ‘secret services’ are not things. They are made up from the people who work there, the same people who do stupid or bad things, often for what they consider to be the right reasons. So in my view there will always be those who can find a justification for bypassing the rules which makes this control unreliable.

So, in summary.

In my opinion, the encryption that we rely on must be secure and effective; we can’t expect the secrets to remain secret; and we can’t reasonably expect all of those in possession of the secret to only use it when legally permitted. That means the argument for mandatory backdoors is fundamentally flawed, even before you consider the technical challenges of trying to create one.

Everything else just becomes noise around the edges. Yes, of course bad guys will use encryption, but as the totally failed attempt of the USA to ban the export of encryption tools a few years back demonstrated, they will always find a tool where the government does not have the backdoor key.

At the end of the day an old secruity truism comes to the fore. “The wall is not there to keep you out, it’s there to see how badly you want to come in”. We know that when law enforcement REALLY want to get something they will, and the absence of a backdoor won’t stop them, but that’s a discussion for another day.

Happy surfing, and remember, just because you’re paranoid it does not mean the bad guys are not out to get you.

If you agree with me or think I’m totally missing the point please feel free to share your thoughts in the commnets section.






One response

22 02 2016
Adrian Wright

Indeed David. Encryption back doors are the modern equivalent of leaving a door key under the mat. Just with a few more mats the burglar needs to look under. Snowden also showed us that keeping top secret things secret (which obviously extends to what ‘mat’ to look under) isn’t possible unless you can trust *all* the keepers of that knowledge 100%, and 100% of the time. Which we clearly cannot. If recent events have taught us anything, its that we need to completely overhaul our old notions of Trust, which means in many cases euthanizing it altogether.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: