So-called “backdoors” built into application software, hardware, and operating systems can be the breaking point for end-to-end and device-based encryption, access controls, and other security measures put in place to protect desktop and mobile devices. And they’re a mechanism that government and law enforcement agencies across the globe are putting increasing pressure on manufacturers, vendors, and online service providers to include with their products.
As we’ll see, these moves have been met with criticism and opposition from users and tech companies alike.
What Are Backdoors?
Backdoors are loophole mechanisms or vulnerabilities, specifically designed and deliberately included in the make-up of a device, software application, or service, which are intended in some way to get past its existing security measures.
At the benevolent end of the scale, a backdoor can provide the owner of a computer with an “emergency entrance”, in the event that they’re accidentally locked out of their own system or device for some reason.
More commonly, however – and at the less savory end of the spectrum – backdoors are included to allow access to a system by external agencies or third parties. These could include not only government or police departments but potentially also hackers and cyber-criminal organizations.
Backdoors – Mechanics for Encryption
Backdoor mechanisms shouldn’t be required for the kind of encryption used by internet protocols such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security), as their encryption only protects data at the link or transport layer – that is, up to the point where information reaches a network provider’s servers.
Since the providers hold the encryption keys in these kinds of systems, government or law enforcement can simply compel or subpoena the companies concerned to release these keys and grant access to any information required for their investigations.
What concerns the authorities most of all are end-to-end encryption systems, such as those used on secure messaging platforms like WhatsApp, Signal, or Telegram. Here, even the service provider can’t decipher the information which passes between communicating parties on the network. So it’s for these kinds of systems that backdoors are required.
On the one hand, this could take the form of a key distribution attack (or perhaps, “amendment” might be the terminology used by government). This could be used to target systems like FaceTime, Signal, WhatsApp, and iMessage which rely on centralized servers to provide public encryption keys for their users. Governments could attempt to force the providers to distribute illegitimate public keys, or register shadow devices on their users’ accounts that could be accessed by law enforcement.
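The client-side check that makes such a change visible, as an added example that is not code from any of the messaging platforms named above: the client pins a fingerprint for each device key the first time it sees a contact, then compares every later key-server response against that pinned view. The directory layout, function names, and key bytes are assumptions constructed for illustration.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short digest of a public key that two users can compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

def pin(directory: dict[str, bytes]) -> dict[str, str]:
    """Record device id -> key fingerprint on first contact (trust on first use)."""
    return {device: fingerprint(key) for device, key in directory.items()}

def audit(pinned: dict[str, str], fetched: dict[str, bytes]) -> list[tuple[str, str]]:
    """Compare a fresh key-server response with the pinned view.

    Returns (finding, device id) pairs:
      key-changed    - a known device now presents a different public key
      new-device     - a device the client has never seen was added to the account
      device-removed - a pinned device is no longer listed
    """
    findings = []
    for device, key in sorted(fetched.items()):
        if device not in pinned:
            findings.append(("new-device", device))
        elif pinned[device] != fingerprint(key):
            findings.append(("key-changed", device))
    for device in sorted(set(pinned) - set(fetched)):
        findings.append(("device-removed", device))
    return findings

def safe_to_send(pinned: dict[str, str], fetched: dict[str, bytes]) -> bool:
    """Encrypt to the fetched keys only if nothing changed since pinning."""
    return not audit(pinned, fetched)

# Constructed sample data: what the key server returned on first contact ...
FIRST_SEEN = {"phone": b"constructed-key-A", "laptop": b"constructed-key-B"}
# ... and a later response with a swapped key and one extra device.
LATER = {
    "phone": b"constructed-key-A",
    "laptop": b"constructed-key-X",
    "tablet": b"constructed-key-C",
}

if __name__ == "__main__":
    for finding, device in audit(pin(FIRST_SEEN), LATER):
        print(f"{finding}: {device} (verify with the contact before sending)")
```

A finding is not proof of interference, since users legitimately reinstall apps and add devices; it is the signal to re-verify fingerprints with the contact over a separate channel before messages are encrypted to the new key.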
A “key escrow” system provides another alternative. The idea here is to place decryption keys in storage (i.e., to “escrow” them) with a trusted authority, which is mandated to release those keys on (government) demand. Software code written to enable encryption must be designed from the outset to be able to create decryption keys for the government. This method even works for device encryption systems, which have no key servers involved.
Backdoors – The Downside
From an operational standpoint, the fundamental objection to the engineering of security loopholes and vulnerabilities into devices, applications, and services is precisely that it makes these systems vulnerable. As we’ve already observed, those same mechanisms that make encryption and security-protected systems accessible to government or law enforcement may also grant access to hackers, cyber-criminals, terrorists, or rival governments.
Speaking in April 2018, Apple’s senior vice president of software engineering Craig Federighi put it quite neatly in saying that: “Proposals that involve giving the keys to customers’ device data to anyone but the customer inject new and dangerous weakness into product security. Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses, or even manage vital infrastructure like power grids and transportation systems.”
Unstated but nonetheless implied in all of this is the damage that technology companies, software developers, and service providers may suffer once it becomes public knowledge that backdoors for government surveillance have been engineered into their systems.
Moves to Resist
Resistance to government calls for the inclusion of backdoors in software, hardware, or online services of the digital era can be traced back to 1997, with the publication by 11 leading researchers in the field of cryptography of the paper “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption”. In this document, it’s argued that: “The massive deployment of key-recovery-based infrastructures to meet law enforcement’s specifications will require significant sacrifices in security and convenience and substantially increased costs to all users of encryption.”
Similar sentiments have been expressed in recent times by Reform Government Surveillance (RGS), a privacy-focused coalition which counts Apple, Google, Facebook, Microsoft, Oath, LinkedIn, Dropbox, Evernote, Snap, and Twitter among its membership. Throughout 2018, the group has been fighting attempts by government agencies to force the development of encryption backdoors.
Taking “Ensuring Security and Privacy through Strong Encryption” as one of its core principles, the RGS coalition goes further to say that: “Strong encryption of devices and services protects the sensitive data of our users… Strong encryption also promotes free expression and the free flow of information around the world.”
This follows recent calls for backdoor installation by the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice to stem the flow of internet and mobile device users “going dark” and rendering information inaccessible to law enforcement through the use of device and end-to-end encryption technologies.
Rather than creating backdoors and weakening devices and software, RGS has advised its member companies to focus instead on collaborating with policymakers to “seek out common sense solutions that are consistent with established norms of privacy, free expression, and the rule of law.” Time will tell if they succeed.