No one expects politicians to be experts on every subject. Elected officials and agency directors have to make decisions on dozens of complicated issues, many of which lie far outside their areas of expertise. That’s why public discussion and expert opinions have always played key roles in shaping our laws and policies.
Here at PKWARE, we’re deeply involved in the ongoing debate about strong encryption, and whether governments can (or should) require backdoors for encrypted communications and devices. While some politicians have advocated against backdoors, many others in Congress and law enforcement continue to call for measures that would make our data less private and less secure.
At PKWARE’s recent Cyber Wars event in Washington, D.C., the topic of encryption backdoors sparked intense discussion among panelists from the public and private sectors. The consensus was overwhelmingly against the use of backdoors, for the simple reason that any backdoor introduces a fatal flaw in an encryption system. As Merritt Baer, a cybersecurity expert who previously worked in the Department of Homeland Security’s Office of Cybersecurity and Communications, put it, “Things are either end-to-end encrypted, or they’re not.”
Always A Bad Idea
Unfortunately, not everyone in Washington sees things that way. Since replacing James Comey last year, FBI Director Christopher Wray has followed his predecessor’s lead in calling for access that is only possible through the use of backdoors, while saying he does not want backdoors. In his recent comments at an FBI cybersecurity conference, Wray said, “We’re not looking for a ‘back door’—which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”
The problem, of course, is that any method of facilitating third-party access to encrypted data is by definition insecure. Encrypted data is only secure if (a) the data cannot be deciphered without knowledge of the decryption key, and (b) knowledge of the decryption key is restricted to authorized users. Compromise on either of those points defeats the entire purpose of encryption.
In his speech, Director Wray cited an example from 2015, in which several large banks agreed to retain copies of encrypted communications involving bank employees, along with the keys needed to decrypt the data, in order to address concerns raised by the New York State Department of Financial Services. This process is known as key escrow, and it’s a common practice used by employers to ensure their own access to sensitive data, whether the government asks them to do it or not.
Expanding the concept of key escrow to the country at large, however, would create unacceptable risks to privacy and security. Escrowed keys, whether they were associated with encrypted devices or encrypted communication channels, would be highly vulnerable to misuse within the government and to attacks from outside. As one PKWARE expert said at the Cyber Wars conference, “It’s not just a backdoor for law enforcement. It’s a backdoor for everybody.” Corporations and individuals would inevitably find that their encrypted data was being accessed not only for authorized purposes, but also by thieves, spies, and everyone else who managed to hack into the repository of escrowed keys.
The Debate Continues
Twenty-five years ago, the US government tried to implement a backdoor via the Clipper Chip program, which would have used key escrow to compromise encrypted voice and data communications. The initiative never gained traction and was cancelled after a few years, thanks in large part to technology experts who pointed out the system’s inherent weaknesses. This time around, the stakes are higher, and the debate is even more important. As long as the discussion goes on, PKWARE will continue to raise awareness of the dangers of backdoors and the benefits that strong encryption provides for individuals, businesses, and the government itself.
Keep your data protected with the PK Protect suite. Request a free demo now.