Crypto Backdoor Law Unlikely Soon

There’s an old saying that you can’t always get what you want. There may even be a song about it. It turns out that holds true even for some of the more powerful governments in the world.

In the last week, the Five Eyes governments have been making quite a bit of noise about their desire for technology vendors to provide “assistance” in granting law enforcement agencies access to encrypted devices and data. The group, which comprises the United States, United Kingdom, Canada, Australia, and New Zealand, issued a statement saying that “there are some challenges arising from the increasing use and sophistication of encryption technology in relation to which further assistance is needed”, and warning that national laws may be the next step if help isn’t forthcoming.

But policy experts say there’s little sentiment in Washington right now to move any kind of legislation like that forward.

“I don’t think anything is moving in D.C. I don’t see it,” said Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation, who follows this issue closely. “But Australia thinks it’s in a security crisis. They have a bill in parliament right now. The chances of them succeeding with that are relatively good. Chances in the U.K. are relatively high too, unfortunately.”

The call for a legislative answer to this problem is a familiar refrain, especially in the U.S. and U.K., where the issue of backdoors and exceptional access to encrypted communications and data has surfaced on a regular basis for the last 20 years. But this go-round feels different, pitched against an unstable global political backdrop and coming with the combined heft of the Five Eyes countries rather than just one or another. Even with that in mind, the fundamental tenets of the argument haven’t changed: Law enforcement agencies claim strong encryption is causing their evidence collection efforts to “go dark” and therefore they need a backdoor for encrypted communications and devices. But policy experts and cryptographers say neither part of that argument holds up.

“It’s just factually not true. It’s simply false that law enforcement isn’t getting what it needs. It may be a little harder because of encryption, but look at the San Bernardino case. They got into that phone,” said Cardozo. “It may be true that encryption frustrates your local county sheriff.”

The San Bernardino case involved an encrypted iPhone that was used by one of the terrorists in the mass shooting in California in 2015. The FBI seized the phone but couldn’t access its contents, so the agency asked Apple for help, asking the company to create a new, backdoored version of iOS the FBI could install on the device. Apple refused and a lengthy court battle followed, but the FBI eventually dropped its suit after finding a third-party contractor that was able to get into the iPhone using a custom exploit.

There are many lower-profile cases like that each year in which law enforcement hits a roadblock with encryption. But earlier this year FBI officials said the bureau had inadvertently exaggerated the number of encrypted phones it couldn’t access in fiscal year 2017. Top bureau officials had said several times that the FBI was locked out of about 7,800 phones, but the real number turned out to be fewer than 2,000.

The second half of the exceptional access argument--that tech companies should be able to install secure, unique backdoors in their products for law enforcement--is the part that most people in the security community usually focus on. Like the going dark claim, the idea of a secure backdoor in encrypted systems has been caroming around the industry for decades. It doesn’t have many, if any, supporters in the cryptography community, and people who have looked at various designs and proposals for key escrow or other backdoor schemes say there’s no way to make such a system work securely. In a 2015 paper on the topic, a group of computer scientists and cryptographers, including Steven Bellovin of Columbia University, Bruce Schneier, Susan Landau of Worcester Polytechnic University, and Ron Rivest of MIT, said exceptional access systems present too many risks to be used in practice.

“We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution,” the paper says.

“Exceptional access would force Internet system developers to reverse 'forward secrecy' design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.”

The EFF’s Cardozo said some of the Five Eyes governments pushing for assistance from tech vendors and using legislation as a hammer may have miscalculated, at least in part.

“We’ve seen some pretty strong statements from [Apple CEO] Tim Cook on this. Apple has the most cash on hand of any company in history. If Australia gets in a game of chicken with Apple, it’s not clear to me that Australia would win,” Cardozo said.

“These companies’ other option is to capitulate and give every petty dictatorship a backdoor so they can do business there.”