Do you own your data? Is it private? Or are you happy to let someone sneak in the backdoor? Governments have long argued that they require the magic key to access data on encrypted devices in order to combat new threats that are emerging. It’s no secret that players with malicious intent are using encrypted devices to communicate. Government says that they are acting for ‘the greater good’ when they request a encryption backdoor to that data. However, there is a problem with this logic. They may very well be acting in a manner that will protect their electorate – but it also means that those players with malicious intent also can pry open that encryption backdoor. However small the chance – it does exist.
It’s a fine line.
And that line is drawn in the sand. Sand that is continually being eroded by the relentless tide of government concerns around access to encrypted devices. The situation is further complicated by the fact that each of the states in the U.S. has its own legal framework surrounding the ability of the state to force a manufacturer developer or seller to build encryption backdoors in their devices. This may have led to some players overstepping that line in the sand.
In a rare example of bipartisan cooperation, Republicans and Democrats have banded together to propose the ENCRYPT Act (Ensuring National Constitutional Rights for Your Private Telecommunications) which would stop any government agencies from demanding that “a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.” It is meant to preempt state and local government efforts to implement disparate policies around backdoors to encrypted devices. In essence a national standardized policy.
The bill also requires that “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
But the conversation surrounding the necessity for a secure data act is more complicated than it may appear on the surface. There are two schools of thought about encryption and backdoor access.
Encryption backdoor – A difference of opinion
In 2017 U.S. Deputy Attorney General Rod Rosenstein argued that “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”
His stance was that “responsible encryption” would solve the problem. “Responsible encryption” he claimed could “involve effective, secure encryption that allows access only with judicial authorization.”
This is all well and good. In an ideal world where malicious players are not continually probing for weaknesses in an encryption backdoor the idea has merit. Unfortunately, we do not live in an ideal world. If law enforcement can bypass encryption, that encryption backdoor can be exploited by anyone else. A malicious player would only have to discover the bypass to gain the same access as law enforcement agencies.
Organizations such as The Internet Society disagree with the idea of “responsible encryption”.
Mark Buell, North American Regional Bureau Director of the society went on record as saying that strong encryption is essential for an individual’s security, not a barrier. In his words “It makes everyone more secure from threats from criminals, terrorists, and other adversaries. Weakening encryption may seem like an attractive option, a quick fix to a real security challenge.”
They are not alone in this opinion.
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies commented, “The re-introduction of legislation to not force technologies to implement security backdoors is an unfortunate necessity. Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure.”
The challenge of national policy
But there is another challenge that faces law enforcement and government regulators in the U.S. This is the fact that there is no national policy regarding encryption backdoors.
The current regulatory framework regarding encryption backdoors and just how law enforcement and other players can co-opt that framework is causing headaches for both device manufacturers and law enforcement. As it stands, each state has its own framework for how its law enforcement representatives can access encrypted information. This situation has been characterized as a “patchwork system” by lawmakers, including Jim Jordan (R-Ohio). He commented; “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way. We know federal agencies have abused warrantless surveillance in the past.” He noted that “the current patchwork system for encryption makes it easier for further abuses of the system and increases the problem by creating potential opportunities for abuse by third party actors.”
The issue of access via encryption backdoors was brought into sharp focus when the encryption issue surfaced after the deadly San Bernardino massacre in 2015. This resulted in the FBI and Apple battling in court for access to the shooter’s locked phone.
Reaction to Secure Data Act mixed
Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT) lauded the proposed move but wondered why it was only being applied to the manufacturer developer or seller of devices.
“This is a nice direct bill to protect state governments from compelling companies to take actions which dilute or circumvent security functions in their products or services. This includes that states are not allowed to ban products or services on the basis that they employ strong encryption.
“This is an incredibly important set of protections, but I am left wondering why they couldn’t take this a step further by applying the same restrictions to the federal government. The risk of government mandated backdoors can have serious detriment for companies looking to compete in the global technology markets regardless of what level of government is demanding the backdoor.”
Other industry pundits were of the opinion that it is the end user who must take responsibility for access their own devices and the data stored on those devices or in the Cloud.
Anthony James, CMO at CipherCloud is one expert who believes that although government is well intentioned in seeking an encryption backdoor, a codified and nationally implemented (and enforced) secure data act may infringe on the individual’s right to privacy – and opinion that is hard to refute.
“The trend towards government access to your encrypted data has picked up speed. Many states within the U.S. are moving forward on policies that would essentially enable ‘back doors’ into encrypted data sets. At the top of their well-intended agenda is support for law enforcement on a variety of challenges including, of course, terrorism. This new legislation for a national encryption policy is trying to avoid the various states from implementing their own legislation and instead, position one clear and more easily implemented national policy.
“Despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of your data into someone else’s hands. “Back doors,” or special API’s that access your data at various points of being used within applications, can also easily circumvent basic protection such as “at rest” encryption for your databases.
“The only way to maintain firm control over your confidential data is to implement Zero Trust end-to-end encryption. This level of protection, for example, will not allow anyone using a backdoor into one of your 3rd party provided cloud applications to access your data without your explicit knowledge, and approval. Only your decision to deliver your data encryption keys to the requesting party will expose the data.”
For many, the argument boils down to an emerging conflict between the government and the organizations that manufacture and market devices. There is a worry that an encryption backdoor, if enforced, may lead to certain states banning those devices that do not conform to the new standards of protection and encryption mandated by a secure data act. This may have the unintended consequence of stifling innovation.
Getting the encryption backdoor balance right
The proposed legislation seems on the face of it to be a step in the right direction. A standardized approach to the issue of an encryption backdoor and the ability of the federal government to police such a backdoor is one that has definite merit. However, the vexing is issue is balance. The right to privacy vs. the greater good and the functions of law enforcement. There is no doubt that bad actors will attempt to use the encryption backdoor to access private data. There is also no doubt that malicious players will fight tooth and nail to ensure that federal government does not have access to data which may serve to incriminate them. ENCRYPT is a step in the right direction as far as a secure data act is concerned – but the devil is in the detail.
The last word goes to Willy Leichter, vice president of marketing at Virsec.
“It seems like a positive move to have a standardized national encryption policy. However, this doesn’t solve the basic collision of interests around encryption – law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption. This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous.”