Back when I started at Infosecurity Magazine in late 2015, the concept of adding a backdoor to end-to-end encrypted messaging applications was being discussed by politicians around the world, specifically those from the Five Eyes nations – United States, Canada, United Kingdom, Australia and New Zealand.
Now it seems that this subject has reappeared and, once again, we’re talking about the implementation of backdoors to some apps or even the ‘weakening’ of encryption.
In a statement issued on October 11 this year, government representatives of the Five Eyes, along with India and Japan, claimed they “support strong encryption” due to its purpose in “protecting personal data, privacy, intellectual property, trade secrets and cybersecurity.” The seven nations also said they do not “support counter-productive and dangerous approaches that would materially weaken or limit security systems.”
However, as some “implementations of encryption” pose significant challenges to public safety, the statement urged industry to “address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.”
In particular, the seven nations called on technology companies to work with governments to take the following steps in order to “focus on reasonable, technically feasible solutions:”
- Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable
- Enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight
- Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions
Of course, the focus here is on messaging apps that use end-to-end encryption and have not buckled under the demands for access to encrypted messages in the past. Sam Curry, CSO of Cybereason, told Infosecurity that he recalls the pressures back in 1996, when “clipper chips” came under scrutiny, while the ethics of tapping phone lines was also debated. “The founding principle is that liberty is more important than safety,” he said, and that there is a notion that people are the product “and if you’re not paying, you’re the product.”
Curry said there are three parties involved here: the users of tools, governments and those in the corporate space. “The relations between them are far from determined,” he added, stating that the right to privacy is one of the defining debates of modern society.
Paul Bischoff, privacy advocate with Comparitech, argued that it is impossible to create an encryption backdoor that only law enforcement can take advantage of. “If backdoors are in place, criminals will move on to other end-to-end encrypted messaging apps, while legitimate users suffer security and privacy violations,” he said.
Brian Honan, CEO of BH Consulting, agreed, explaining that encryption can be used for good, but also abused for bad. “As a society, we need to understand the implications of how we plan to secure the internet and how those tools can be used for good and for bad,” he said.
Honan claimed the ongoing encryption debate is often pitched as the privacy of individuals against the enablement of criminals and terrorists to plan and commit their crimes, but in reality, encryption is just a fundamental building block in securing our personal and business lives online. “So we can have encryption and accept that the cost will be its abuse by criminals while the internet is made more secure, or we can weaken encryption and accept that the cost will be its abuse by criminals while the internet is made insecure.”
So, why is the debate around encryption backdoors one that continues to be had? Honan said it is because people who do not understand the technology behind the internet and encryption want to replicate the interception capabilities that law enforcement currently has for phone calls.
He added: “Encryption has been designed to keep messages and data secure. Algorithms are developed in such a way that they cannot be reversed, because once they can be reversed, they are no longer secure. So, encryption is either secure or it is not secure. There is no middle ground.”
So, it is a case of being secure, or having weakened encryption completely. Honan said if we choose the latter, “then we are exposing our communications and business activities to abuse by the very criminals, terrorists and rogue nations that we are trying to stop.
“To me, the question should not be about whether we want backdoors or golden keys built into encryption platforms, as this is too esoteric for many to understand the implications,” Honan argued. “Rather, the question should be: do we want a secure internet or an insecure one?”
It is a strange situation, where one of the foundations of cybersecurity that we rely on for so much for our everyday work has come under frequent political scrutiny so often. Will this be resolved anytime in this decade? It seems that encrypted networks are not the target, but secure communications are.