Over a million developers have joined DZone.

Why We Can’t Have Encryption Backdoors : Why Do We Try?

Further exploring why we can't have backdoor encryption, we'll look at why we even care and try.

Download Forrester’s “Vendor Landscape, Application Performance Management” report that examines the evolving role of APM as a key driver of customer satisfaction and business success, brought to you in partnership with BMC.

The first few articles in this series covered why backdooring encryption technology isn’t realistic. If we try, because encryption algorithms are well known, the fact that anybody with the appropriate resources can build an encrypted communication system quickly leads us to a place where governments need to have access to everything that happens on all computing devices. And yes, that includes your phones, your desktops, your notebooks, anything that has computing capability that can run software. They’d need to be able to turn that eavesdropping capability on or off, for any reason, at any time.

I know that, in the US at least, our leaders are claiming that there’s some way that Silicon Valley can fix these problems. Because, you know, smart people.

This isn’t going to happen. Not in a way that ISIS or similar organizations can’t circumvent. And we’re not even talking about criminal organizations with real money (I’m looking at you drug cartels).

So why are these folks pushing for encryption limitations? I’ve seen a couple of ideas floating about, at various places on the paranoia scale. I think it’s more complicated that people are willing to admit.

It’s easy to look at politics today with a skeptical eye. But governments, everywhere, are filled with people, and these people work together to come to a consensus. When an FBI director says that we need to limit encryption technologies, he’s saying this because people have told him he must. It’s not that he can’t understand these issues, it’s that he doesn’t have time. He doesn’t technically understand how encryption works, but he does know that folks his people are trying to surveil can use it to hide what they’re saying. And that makes him really nervous.

Understandably so. Until today, wiretapping was technically simple. And it’s become legally more simple over the years as well. But encryption changes all that, and from his perspective, for the worse. The ability to tap criminal communication has been a key technique law enforcement has used for years. But even though the Director, in this case, doesn’t understand the technical details of encryption, he certainly has people who do. And they also realize that you can’t do anything about encryption use by the upper end of the criminal hierarchy.

So why are public figures pushing for encryption limitations? Personally, I think there’s two major reasons. First, I think law enforcement is scared. I think that when you’re scared, you tend to reach for whatever might help, and legislating encryption use is better than nothing. After all, even if you have encrypted messaging, who’s to say that a terrorist will always use it? all it takes is one mistake, right? and, after the paris attacks, we know that terrorists have been using unencrypted communication when encrypted communication was available. People do make mistakes, and they tend to use what they’re comfortable with when stressed. And I expect ramping up for a suicide bombing is pretty stressful, personally. But that said, I’m not sure that intelligence gathered in this way can be acted on quickly enough for it to have much value, and I think that these kinds of organizations will become much better about using their own crypto if they need to, hollowing this hope a quite bit. And the cost, putting backdoors in every computer system everywhere, is very high. Can I tell someone who’s lost a sister or a father or a daughter that the cost isn’t worth it? of course I can’t. But I can tell you, realistically, it’s not going to work.

The second reason is a bit more machiavellian. Well-resourced organizations can build their own cryptosystems, but low-level criminals can’t - for now anyway. Making lower-level criminal communications interceptable would help local law enforcement, no doubt. But is it worth it in this case? is it worth exposing everyone everywhere to identity theft to bust a marijuana dealer in Terre Haute Indiana?

Well, we really don’t have to answer that question. The fact is, there’s a thriving internet black market trading in credit card information, email addresses, credentials, and personal records, as well as other less virtual things. Criminals can rent botnets by the hour. They can buy malware development environments, and lease malware command and control systems. These markets aren’t on the open internet, but they’re not hard to find either. You or I could boot up Tor and hit one of these forums in minutes. If you can, and I can, criminals can too. And it won’t be long until peer-to-peer crypto systems are for sale or lease, I promise, once criminals know that they’re available.

The fact is that we’re not going to be able to get around encryption. It’s here today, and here to stay.

See Forrester’s Report, “Vendor Landscape, Application Performance Management” to identify the right vendor to help IT deliver better service at a lower cost, brought to you in partnership with BMC.


The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}