The real problem with encryption backdoors


With appeals to “national security,” governments around the world are pushing for encryption backdoors that would allow them to break into the secure data of suspected criminals. Simply put, this is a terrible idea.

 

For decades, law enforcement agencies have lobbied to force technology companies to weaken their own security protocols by adding an encryption backdoor. The FBI has even recently come up with a catchy brand for its anti-encryption campaign: “Going Dark.” Testifying before US Congress last year, FBI Director Christopher Wray called encryption “corrosive” and a challenge to “public safety and the rule of law.” A bill has also been introduced in Australian Parliament that would compel tech companies to give police access to encrypted data.

Far from disrupting criminals, these proposals endanger anyone who depends on encryption to stay safe online—that is, everyone. On the other hand, there is very little evidence (if any) that mass surveillance stops terrorism. In fact, those who perpetrated the most recent attacks in Paris and Belgium were already known to intelligence agencies. An encryption backdoor would not have stopped them, and it would not stop future attacks. However, an encryption backdoor would put millions of innocent people at risk of cyber attack.

What kind of encryption are we talking about?

There are many forms of encryption available today. Most encryption is performed on servers around the world, and data encrypted in this way is designed to be easily decrypted. This also makes it much less secure. A stronger form of encryption is end-to-end encryption, which encrypts data even before it is sent to a server. The result of this is that only the sender and the intended recipient are able to decrypt the data. This is the form of encryption that secure communication systems like ProtonMail or Signal employ, and this is great for protecting your privacy and keeping your data secure.

When you use end-to-end encrypted services, only you and the other “end” of your conversation have the ability to read your messages. Neither the service provider nor the government nor anyone else can access your data, which is why some government agencies are keen to have backdoor access to end-to-end encrypted services.

What is an encryption backdoor?

An encryption backdoor is a deliberate weakness in encryption intended to let governments have easy access to encrypted data. There are a few kinds of encryption backdoors, but one simple method is called “key escrow.” Under a key escrow system, the government creates and distributes encryption keys to tech companies while retaining the decryption keys in escrow. This is why “key escrow” is also sometimes known as “key surrender,” because you are surrendering the privacy of your data.

This is essentially how any encryption backdoor would work: The government retains some form of master key that would allow it to unlock anyone’s personal data.

Why encryption backdoors are dangerous and don’t work

Unfortunately, there is no such thing as a backdoor that only lets the good guys in. If there’s a “master key” that unlocks millions of accounts, every hacker on the planet will be after it. A compromised encryption backdoor could give cyber criminals access to your bank account, your personal messages and other sensitive information. Don’t think hackers can steal the master key? Think again. Both the CIA and the NSA were breached in 2017 by mysterious organizations that stole and published the spy agencies’ hacking tools. The same year, cyber criminals stole an NSA exploit and used it in a massive, worldwide ransomware attack. The fact is, if the government or anyone else controls a master key, eventually it will get out.
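The key escrow design described above and the master-key risk in this section can be modeled in a few lines. This is an added example, not ProtonMail's code: the user names, the symmetric key wrapping and the toy HMAC-based cipher are simplifying assumptions standing in for real public-key encryption.

```python
import hashlib, hmac, secrets

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    enc = _sub(key, b"enc")
    return b"".join(_sub(enc, nonce + bytes([i])) for i in range(n // 32 + 1))

def seal(key, data):
    """Toy encrypt-then-MAC built from HMAC-SHA256; illustration only."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def send(body, recipient_key, escrow_key=None):
    """Encrypt body under a fresh content key, wrapped once per key holder."""
    content_key = secrets.token_bytes(32)
    msg = {"body": seal(content_key, body),
           "recipient": seal(recipient_key, content_key)}
    if escrow_key is not None:  # the backdoor: one extra wrapped copy per message
        msg["escrow"] = seal(escrow_key, content_key)
    return msg

def read(msg, key, slot):
    """Unwrap the content key from the named slot, then decrypt the body."""
    content_key = unseal(key, msg[slot]) if slot in msg else None
    return unseal(content_key, msg["body"]) if content_key else None

def exposure(mailbox, leaked_key, slot):
    """Count the messages that a single leaked key can decrypt."""
    return sum(read(m, leaked_key, slot) is not None for m in mailbox)

def build_mailbox(users, escrow_key=None):
    """Constructed sample traffic: one message per hypothetical user."""
    keys = {u: secrets.token_bytes(32) for u in users}
    box = [send(f"note for {u}".encode(), k, escrow_key) for u, k in keys.items()]
    return keys, box

if __name__ == "__main__":
    master = secrets.token_bytes(32)  # hypothetical escrowed master key
    keys, box = build_mailbox(["alice", "bob", "carol"], master)
    print("one user key leaked:", exposure(box, keys["alice"], "recipient"))
    print("escrow key leaked:  ", exposure(box, master, "escrow"))
```

A leaked user key exposes only that user's messages, while the escrowed key exposes every message in the system.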

Hackers aren’t the only threat: Governments may also use encryption backdoors for harm. The US government has already revealed its willingness to spy on citizens without a warrant. If liberal democracies cannot be trusted, what about China, Russia, Saudi Arabia, or countless other authoritarian states? Encryption backdoors could be used by repressive regimes to help them persecute journalists, dissidents, religious minorities, the LGBT community, and anyone else they please.

Moreover, encryption backdoors do not prevent criminals from using encryption some other way. The software to use end-to-end encryption is already out there, and criminals will always have access to strong cryptography. Weakening encrypted services will only put ordinary citizens at risk while doing remarkably little to stop tech-savvy criminals.

It’s time to put the encryption backdoor debate to rest. Any system with a backdoor is fundamentally insecure. If everyday applications and hardware were forced to implement an encryption backdoor, it would jeopardize the basic security of millions of people. Backdoor advocates surely have good intentions—we all want to stop terrorists—but their approach is misguided and dangerous.

We must defend the universal right to security and privacy online. Security starts with education, and that’s why it is important for policymakers to have a basic understanding of encryption so that their decisions can be based on facts, not fear.

Best Regards,
The ProtonMail Team


About the Author

Ben Wolford

A journalist by training, Ben has reported and covered stories around the world. In 2014, he founded a magazine, Latterly, devoted to international reporting on human rights. He joined ProtonMail to help lead the fight for data privacy.

 


5 comments on “The real problem with encryption backdoors”

  • Quite a convoluted matter i should say. I personally cannot address this particular conglomerate of issues with an extensive input outlining every area concomitant to its core, as i would be entirely out of my depth. But, what i can guarantee is that only strength in numbers can succour people’s right to privacy, freedom of speech and association. Such a crusade can only be waged with PSYOP’s (such a portentous term, i know). Something terrorists (autistic psychopaths) entirely misunderstood in its application, by waging indiscriminate violence in opposition to their ideological dissenters.

    Who are we facing, one might ask? The answer is obvious. Just follow the money, it seldom misleads one’s enquiries. The counteroffensive? Complete and utter political overthrow of the cancerous duplicitous individuals. It’s just about time to decide whether do we want corporations using political pull in order to achieve their profit targeted objectives, or if we want power to people. Non-subversive education is just about the most powerful threat to oppressive powers that be.

    Everyone wants a share of the cake in order to keep quiet and cooperate, right? The only kind of man who is truly dangerous is the one who refuses a pay-off larger than he can afford not to. It’s up to these men to set the standards for the kind of society in which we wish to raise our children. The brightest and most capable of which must be protected at all costs with our lives, for they are the future of humanity.

    I wish not to drag this subject for both yours and my sake, as i averted any intention not to expand over the subject in the beginning of my introduction. Besides, who would care for one too many truisms. In essence, what we do need at this early stage is an even larger torrent of sensitization targeted at the masses. Many people live in cyber-nihilism, but corporate and governmental privacy and freedom to exercise one’s essential rights within legal boundaries do matter, no matter what you think of it and the extent of which it affects you at present time.

  • This was an excellent and important article. I agree with all of your points with one exception; “Backdoor advocates surely have good intentions.” I respectfully disagree. For government agencies, politicians, bureaucrats, and so-called intelligence and law-enforcement, deception, theft, and malfeasance are tools of the trade and standard operating procedure.

  • sometimes i think the real problem behind this recurring campaign of stupidity is the use of the word “backdoor”.
    a door implies that it's something that can be opened and then shut again after. in reality it's more like a small hole in a wall and the only reason people can't find it easily is because the building is a huge maze. once someone finds it then all they have to do is share the location with others.

    another problem with “backdoors” becoming mandatory is that hackers will know for certain that there is a hole somewhere, and all they have to do is keep looking and eventually they will find it
