Security experts explain to US, UK governments why mandated encryption backdoors are a bad idea

Today, FBI director James Comey and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to address the US Senate Judiciary Committee about law enforcement’s need to have access to increasingly encrypted communications.

They are expected to propose the option of the government making companies insert backdoors into their products so that law enforcement can use them when in need, or to make them use a system that will allow a third party to keep their encryption keys in escrow and, again, provide access when law enforcement proves the need for it.

In a post published on Monday, Comey noted some of the things he will likely be addressing in his speech, and said he wished to provide a basis for healthy discussion about encryption use.

A group of security and cryptography experts wish to do the same, and have therefore on Tuesday published a paper in which, based on their knowledge and experiences, they offer explanations on why neither of these solutions is good and are, in fact, dangerous.

The group consists of fourteen highly respected experts, among others public-key cryptography pioneer Whitfield Diffie, security technologist Bruce Schneier, professor of cybersecurity policy at Worcester Polytechnic Institute Susan Landau, and Ronald Rivest (the co-inventor of the RSA public-key cryptosystem).

Eleven of them are also known for penning a similar report in 1997, when the US government was also looking to force tech manufacturers to add the Clipper Chip to its products as a way to create a backdoor that would open only for law enforcement, and to implement a key escrow system.

In 1997, the experts managed to prove that those proposals were a bad idea, and the plan was ultimately dropped. Unfortunately, similar plans are now again being contemplated, both by US and UK governments, and luckily the experts felt the need to offer their opinion again.

One of the main problems is that these proposals are not concrete. The government would like access, but wants the companies to devise a way to provide it.

“Our strong recommendation is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical weaknesses and for hidden costs,” the researchers say.

The current proposals are “unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm,” they added. Also, many questions still remain unanswered.

“This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” they explained.

“The costs would be substantial, the damage to innovation as citizens need law enforcement to protect themselves in the digital world, all severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits.”