Backdoors – How Absolutely Stupid!

I have not written on this subject because I just see everyone else is banging on Congress about how stupid it would be to install “backdoors” in commercial email and software services. But honestly, I’m a bit concerned right now because government pressure is being stepped up.

A “backdoor” is a mechanism that allows a service provider or government to access the contents of a system without knowing users’ passwords and without their knowledge. It is essentially a universal key that opens everything.

We hear government officials crying out that this is the only way they can protect the nation against attack. In other words, the government wants to have universal access to every electronic communication, or we will all die in flaming terrorist attacks.

So just why is this the stupidest idea in the world?Well it’s so incredibly stupid because it is impossible to guarantee that a “universal key” that decrypts everything can be kept secret. The government’s argument make it sounds like there’s a little physical key (like a little golden metallic key, let’s say) that could be kept safe in a place like Fort Knox and only brought out when needed. And yes, would be separate keys or processes for each provider or company (one for Apple, one for Dell, one for AT&T, one for Facebook) But encryption does NOT rely upon physical keys—that’s a dangerous argument.

There would be additional processes and safeguards on these keys, but essentially once a key is figure out, an entire company, entire industry, entire set of encryption processes, could be compromised.

With encryption, the  key is a sequence of numbers. You don’t have to break into a vault and “steal” the key to have universal access — you just have to figure out what the key is, even independent of the guys who created it in the first place, and once you figure it out, you’re in and you have access to everything—past, present, future.

Here are some common-sense reasons why this just can’t possibly work:

1. If someone were to find a way to independently generate or figure out the key(s), they’d be able to read every encrypted message ever created. (It’s a bit more complex than this, but it’s close.)
2. The key(s) would immediately become the target of every foreign government’s security services. If one of them discovered the key (stole it, recreated it, hacked an easier way of duplicating it), you’d probably not know. Just suddenly everything would become transparent to them.
3. Crooks will immediately attempt to discover the secret key(s). Don’t underestimate these guys. They are superb hackers and they have many millions of dollars to spend working on this. They might succeed.
4. It’s even easier, however. The key(s) would be stored somewhere on computers. If crooks could hack into that computer, they could probably extract the key.
5. A disgruntled government employee might release the key(s). Think about Edward Snowden if you want to argue that any government anywhere is really capable of keeping everything secret all the time, and forever.
6. Once the key is “out” it’s out forever. There’s no calling it back. (There could be mitigating circumstances on this one, but it would still be a terrible meltdown.)
7. The key(s) doesn’t affect just crooks and terrorists. It would also affect commercial transactions, banking, credit cards, stock markets … in short everything that depends upon encryption could be compromised if the key(s) were hacked.
8. Oh, and public key encryption has existed for years. If the government were to require that in the future there be backdoors for universal decryption, any of the existing encryption systems (which would not have backdoors) could continue to be used. (As far we we know there is no universal key for today’s systems.)
9. You know the phrase “If guns are outlawed only outlaws will have guns.” Well if commercial operators are required to provide the government with backdoors into their systems, you can be sure that outlaws will not, and from then on, only the outlaws will have secure communications.

Convinced yet?

Is that enough? Do you trust any government to do this, let alone to understand the magnitude of this Pandora’s Box?

[1] Interesting Infoworld article about this.

[2] Problems with backdoors Infoworld article