Encryption backdoors: The brief history of an oxymoron

Over the past year, we’ve heard politicians the world over discussing the need for governments to be able to bypass encryption. Major Silicon Valley powers like Apple and Google have repeatedly told lawmakers that they can’t be given access to the encrypted services they provide for their users, with or without a warrant, because they don’t have that access themselves – only the user has the encryption key.

That’s where we see pushback from law enforcement and intelligence agencies who claim that this standard is unacceptable and allows criminals and terrorists to plot freely, away from the eyes of the law. Their solution? Create a backdoor into encryption that allows the government to access encrypted data, while still keeping it safe for everyone else.

A backdoor is for everyone, not just a government

It feels as if every month or so we see the US and UK governments pushing for a new encryption backdoor. The flavor of the month is currently Feinstein and Burr’s draft encryption bill, which would essentially make all encryption illegal in the US. Under a new name or repackaged into a new bill, we see this same proposal emerge again and again, no matter how often tech companies, cybersecurity experts, and even the White House have to bat it away as fantasy.

We need to be clear about something: there is no backdoor that only lets the government into encryption and no one else. A backdoor for one person or one group is a backdoor for everyone. Even putting aside the ethical argument about allowing the government implicit access into each person’s digital privacy, the fact is that allowing law enforcement and intelligence agencies exclusive access into an encrypted service undermines that service’s ability to protect anyone’s information from any cyberthreat.

But the usual suspects, GCHQ and the NSA, either don’t seem to understand this or don’t care, and have aggressively pursued the backdoor option over and over again.

Let’s take a trip down memory lane…

September 2014

In the wake of the Edward Snowden revelations about the NSA’s mass surveillance programs, Apple reveals a new encryption method for iOS 8 that would make it impossible for user information stored on Apple devices to be accessed by the government, even with a warrant. Google follows suit by rolling out similar full-disk encryption with Android 5.0 in October 2015.

October 2014

FBI Director James Comey warns that 'encryption threatens to lead all of us into a very dark place' and will be used as a 'means of evading detection' by criminals and suspected terrorists, with 'very serious consequences for law enforcement and national security agencies at all levels'. Comey notes that he and the FBI don’t seek a backdoor into encrypted services, but rather full 'front door' access, 'with clarity and transparency, and with clear guidance from the law'.

May 2015

Apple and Google petition the Obama administration to reject backdoor encryption proposals.

September 2015

With opposition to encryption backdoors mounting, and law enforcement softening its approach from pursuing across-the-board legislation to seeking solutions tailored on a company-by-company basis, the Obama administration begins shifting behind the anti-backdoor movement.

November 2015

The Paris terror attacks reignite the encryption debate. The FBI again argues that encryption provides a cover for terrorists, seeking a plan that would force companies to download user data when given a warrant. The tech industry is again forced to fight back against the calls for backdoors.

December 2015

The FBI reframes the encryption debate, challenging tech executives to rethink their entire business model regarding encrypted data. Meanwhile, Congress slips a new version of the previously defeated Cybersecurity Information Sharing Act (CISA) into a must-pass spending bill, which eases cybersecurity protections to grant law enforcement greater data access. The bill passes.

And that’s just over the past year! The NSA and the British Government have managed to successfully turn 'encryption backdoor' from an opaque concept into a repeatable meme, an easy-to-understand shortcut that, even if it doesn’t make any technological or practical sense, makes for a good soundbite.

But how many times do we have to play this game? How many times have we seen Congress pass laws – from the Patriot Act to CISA – and Theresa May push for increased powers in her Snooper’s Charter? These laws are enacted quickly, in the interest of national security, without most people really realising what they are supporting until the damage to their privacy has already been done.

A backdoor for one is a backdoor for all; there is no magic bullet that only hits the bad guys. Suggesting otherwise over and over again, while maybe an effective rhetorical strategy, is not going to make that any less false.

Rafael Laguna, CEO of Open-Xchange