The Dangers of Government-Mandated Encryption Backdoors
In late June, two pieces of legislation were introduced to the U.S. Congress, each offering its own requirements for mandating encryption backdoors—which would effectively put an end to end-to-end encryption. The LAED Act, introduced by three Republican senators, would force tech companies to assist the government in decrypting user data if so ordered by a court, while the bipartisan EARN IT Act would establish a government commission for security best practices headed by longtime encryption opponent Bill Barr. Both bills have met staunch opposition from encryption advocates, who astutely note that intentionally weakening encryption capabilities only makes it easier for cybercriminals to accomplish their goals.
Encryption Backdoors Help Law Enforcement—and Cybercriminals
One of the primary justifications for encryption backdoors is to help law enforcement search the electronic devices of accused criminals or terrorists. A prominent example of when such a law might come into play is the 2015 San Bernardino terror attack. In the aftermath of this incident, the FBI demanded that Apple help the agency unlock the perpetrator’s iPhone by creating a new version of iOS that would allow an unlimited number of password guesses until successful. Apple refused, citing both consumer privacy and concerns that such a piece of software would present a public danger if it ever was leaked.
Ultimately, Apple won the battle and forced the FBI to pursue other alternatives to unlock the phone, but the incident was an important bellwether in the encryption battle. Apple’s stance is one that encryption and privacy advocates have widely adopted: Although backdoors may help law enforcement, they also create new and significant inroads for cybercriminals. While those backed by well-funded nation-states and organized crime groups—which recent studies have shown remain the main drivers behind cyberattacks—are of particular concern, weakened encryption makes it feasible for anyone with the determination, knowledge and resources to gain access to protected data or secure communications.
Consider this issue in the physical realm. If you add a hidden door to a building, a criminal may discover it and find a way to get inside—even if the police have the only key. Now consider mandating that hidden door as a known and public requirement. Now the criminals know it exists, and they will find it and gain access to the building. Networks and devices are much the same. Backdoors make VPNs less safe and weaken protections for stored data on encrypted devices, making phones, secure USB drives, and other devices easier to compromise. Protecting 100% of backdoors is impossible, and a law mandating their inclusion would almost certainly result in a surge in criminal activity arising from compromised backdoors.
On the other side of the issue, sophisticated criminals will simply find new ways to prevent their own devices from being compromised. Many will sideload third-party or open source encryption software to secure data inside encrypted containers, preventing decryption even in systems with mandated storage-based encryption backdoors. They will likely stop using devices or apps with mandated backdoors altogether, rendering the point largely moot.
Furthermore, such laws would only apply to U.S. manufacturers. Companies outside the U.S. would be free to create devices without backdoors and make them readily available to consumers. These would almost certainly become the devices of choice for cybercriminals. Even today, mobile phones operating on world bands are commonly bought through Amazon or overseas and used in the U.S., and this type of gray market purchase would only become more common.
Ultimately, while backdoors might help stop small-time criminals, smarter, more advanced operators will continue to find ways to sidestep law enforcement. The only effect will be to harm American device manufacturers since many users outside of the U.S. will avoid U.S.-manufactured devices with weakened encryption.
Unfortunately, the Risk of Abuse Remains High
Americans value privacy, so granting additional powers to law enforcement that may infringe on that privacy will always be a difficult proposition. Besides, recent events have underscored the fact that trust in law enforcement has eroded among a significant portion of the population, making the question of encryption backdoor abuse a highly significant one.
The U.S. would not be the first country to mandate encryption backdoors, but an examination of those that have previously experimented with such measures reveals that it has rarely gone well. Not long ago, the Kazakhstan government announced its intention to capture all inbound and outbound internet traffic, with the intent to use these new powers for large-scale spying operations on its citizens. Although the operation ultimately failed (only because the largest browsers unilaterally instituted measures to combat it), it highlights the potential for serious misuse when circumventing encryption.
Though less all-encompassing than the Kazakh measures, the government of Australia also recently passed a law circumventing end-to-end encryptio, and the government there has used it to erode protections for journalists. Although—like the American proposals—the law was initially intended specifically to help law enforcement, it didn’t take long for the government to expand its provisions. Ultimately, the danger posed by encryption backdoors comes not just from the cybercriminals who may find ways to use it to their advantage, but also from those with the potential to abuse the power it grants them.
Stronger Encryption = A Safer Internet
The goal of strong encryption is to make the internet a safer place. Encryption protects everything from our networks and devices to our emails and banking transactions. And while law enforcement officials may have the best of intentions surrounding their desire to crack the phones of suspected criminals or terrorists, the implications of effectively destroying end-to-end encryption reach far beyond enforcing the law. Without reliable encryption, the internet becomes a more fertile ground for cyberattackers. Their targets become more vulnerable. Private information becomes less private. In America, the right to privacy is a fiercely held belief. Any legislation that enables the government to strip Americans of that right is a dangerous mistake.
