Debate: Do we need backdoors for police & co. in encrypted services?01-04-2021 Author: Jan Tissler
Everyday services like messengers are now as well-protected as only explosive documents used to be. This is great for both private individuals and companies. But it also helps criminals and terrorists. How should we deal with this dichotomy? This is an ongoing debate that we'd like to explain here.
The same encryption used by U.S. authorities for "secret" and "top secret" documents, is now found on computers and smartphones. It is activated with a click and is sometimes even standard. Messengers available to everyone, such as «Signal» or «Threema», offer protection good enough even for whistleblower Edward Snowden. In short, we can all protect our communications to a degree that was once only possible for government agencies or large corporations.
The positive side is that security is guaranteed – quite automatically and daily. No special knowledge is required. And this is a good thing: After all, data protection is now more important than ever. . Encrypted communication and data is a defensive measure against cyber attacks, which now need to find other entry points.
Criminals and terrorists also benefit
The bad news is that this also helps criminals and terrorists. Because even if authorities get a provider like Signal to hand over information, the result is almost worthless. Since the conversations are end-to-end encrypted, even Signal itself cannot read them. Authorities might even seize a smartphone from a suspect, but won't be able to search it because it's both locked and encrypted. In light of this, U.S. Senator Tom Cotton noted that technology companies and their offerings have become a "lawless playground for criminal activity."
Consequently, the need to build "backdoors" into services and encryptions is an issue that keeps coming up. The idea is that for law enforcement purposes, suitably authorized institutions should be able to demand access to otherwise secured information. Manufacturers and providers would therefore need to find a way to bypass encryption on request.
Experts warn against undermining encryption
However, data protectionists, IT experts and even intelligence services are often not happy about this. One of the main arguments is that sooner or later, this type of backdoor would also be exploited by criminals or foreign intelligence services. The encryption itself would then be invalid and ineffective.
"Installing backdoors in encrypted apps is like giving law enforcement a key to every citizen's house," wrote several software vendors in an appeal to EU politicians. On the issue of encryption, they said, there is no room for compromise: "Data is either encrypted or it's not."
Swiss software manufacturer totemo ag also stated in a press release:
«Governmental exception access would essentially weaken encryption and privacy protection because attackers – such as hackers, intelligence agencies, or authoritarian states – would now only need to go to one central location to get the keys.»
At the same time, terrorists and criminals would simply switch to other tools. Moreover, "open source" projects often do not have official headquarters and therefore cannot be forced to cooperate like companies and corporations.
In other words, these backdoors would weaken data security primarily for citizens, businesses, and other organizations. "You're creating a world where criminals have a higher level of security than law-abiding citizens," commented Riana Pfefferkorn, a surveillance and cybersecurity expert at the Stanford Center for Internet and Society.
And this is precisely the problem envisaged by intelligence agencies: If encryption were to be weakened, it would affect their own communications as well. Former FBI General Counsel Jim Baker writes in an essay:
«It's time for government agencies – including law enforcement – to embrace encryption because it is one of the few mechanisms the U.S. and its allies have to more effectively protect themselves from existential cybersecurity threats, particularly from China.»
Similar voices can be heard from Europe. The German Federal Data Protection Commissioner Ulrich Kelber sees a "culture of fundamental encryption" as an important goal. He is in favor of establishing a "right to encryption”.
Access also possible without a general backdoor
Furthermore, the security of services and devices is already not as insurmountable as is sometimes thought. A study by John Hopkins University for example, found that much of the data on an iPhone is permanently decrypted once it is turned on and first unlocked. Locking the device therefore makes direct access more difficult, but doesn't always reactivate all encryption.
In addition, the report states that Apple fails to clarify in what form "iCloud" backups are secured. One of the study's authors, Matthew Green, told Wired magazine, "So why do we need a backdoor for law enforcement if the protection these devices actually provide is so poor?"
What's more, there are already cases , whereby criminals have been caught who had relied on "secure" applications and devices. In these instances, malware is often used to intercept keystrokes or data traffic directly on the device. However, this approach leads to yet another debate given the exploitation of security vulnerabilities that have not been made public, and which in turn make other attacks possible.
The pros and cons of generally available, secure encryption is ultimately not something that can be explained in a few short sentences. As is often the case, the reality is quite complicated. Law enforcement agencies obviously have good reasons to demand access to communications and data. At the same time, a compromise or fair balance seems impossible according to numerous experts, for whom encryption is either secure or it's not.