Cripple encryption and you weaken global and national security

Net Results: Evidence does not support EU plan for encryption backdoors for social apps

There are long-standing, sound reasons why encryption backdoors have failed to get the green light any time they have been proposed in the US or EU
There are long-standing, sound reasons why encryption backdoors have failed to get the green light any time they have been proposed in the US or EU

In the midst of the hullabaloo last week over Brexit and article 50 trigger-pulling, not many noticed that EU Commissioner for Justice Vera Jourová proposed the EU-wide introduction of encryption backdoors for popular social apps such as WhatsApp.

Just in case you missed it (and most people likely did, as Jourová’s speech to this effect was made on March 28th, the day before the UK’s article 50 letter was delivered to EU officials), she said she will announce “three or four options” in June to allow law enforcement agencies to access encrypted communications.

These will include proposals for binding legislation, as well as voluntary, yet, she suggested, nonetheless mandatory or enforceable compliance from technology companies.

Jourová noted: “At the moment, prosecutors, judges, also police and law enforcement authorities are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action.”

READ MORE

She said she intended to “introduce clear, simple rules into the European legislation” to let law enforcement demand access from technology companies to communications “and to do this with swift, reliable response.”

However, she said in her speech to the EU Justice and Home Affairs Council that nonlegislative solutions would be needed initially, because legislative solutions, such as a requirement for backdoors, could take years to bring in.

She wouldn’t go into details on how that would all work, but we can all look forward now to June, when the proposals arrive in this fresh reconsideration of business, economic, security and, of course, human rights lunacy.

EU shenanigans

Perhaps we will need some EU shenanigans to exasperate us in June, now that Jourová also has just announced that the joint US-EU review of transatlantic data transfer agreement Privacy Shield won’t occur in June, as had been presumed, but has been pushed into September.

Well, proposing encryption backdoors yet again will certainly exasperate.

Backdoors are a secret method of bypassing the normal authentication needed to access the contents of an encrypted file or message. They are built into the application, so that every instance of the application ends up with this secret tunnel. In short, backdoors are deliberate security flaws to cripple a security product.

For example, when you download and install WhatsApp, your messages are automatically encrypted when sent, and can only be decrypted by the user you send them to. But a backdoor would enable law enforcement authorities to also see the message.

Which might seem a good idea given security concerns about terrorism and criminal activity, and Jourová, of course, referenced recent attacks in Europe. And that's why a consideration of backdoors is again on the EU table.

Officials in the UK, France and Germany have been pressing for months for European law enforcement to have a method of accessing encrypted communications. As recently as March 26th, UK home secretary Amber Rudd said the companies that produce encrypted apps should be forced to give police access to contents of messages when asked.

But the problem with encryption is that once you build in a deliberate vulnerability, the application is no longer secure. Even if the key to the backdoor is designed to only be in the possession of security agencies and law enforcement, every shred of evidence in the digital world to date indicates it won’t remain a secret and will eventually be located and exploited. Vulnerabilities tend to get found out, one way or another.

And it won’t be the good guys that do the exploiting. No, it will of course be the same dark side actors that encryption exists to protect against.

Ubiquitous

Maybe you are thinking that you don’t care if security agencies can read your WhatsApp discussions with your friends if it helps prevent a suicide bomber. But it isn’t just about you.

Encryption is ubiquitous, needed for the basic functioning of banks, governments, businesses large and small, utilities, the military, citizen transactions and interactions, just about everything you can think of. Weaken it, and you weaken national and international security, national grids, global transactions, the world’s economies.

Meanwhile, the bad guys will of course just switch to – or themselves create – something other than WhatsApp (or Signal, or iMessage, any other service forced to install a backdoor).

There are thus long-standing, sound reasons why encryption backdoors have failed to get the green light any time they have been proposed in the US or EU. They can be summed up simply: if you cripple encryption, then you cripple security overall.

That’s not to say legislators are impervious to eventually doing something truly catastrophic. But I wouldn’t wager that Europe will bring in backdoors any time soon.

The evidence is far too strong that backdoors would be extraordinarily risky, for little payback. In addition, there’s a steep, perhaps impossible challenge of figuring out even some kind of voluntary scheme, given the way encryption services work (secret is secret).

So, the June proposals will be interesting to see. Expect to be exasperated.