Government-mandated crypto backdoors are pointless, says report

If you needed another confirmation that government-mandated backdoors in US encryption products would only serve to damage US companies’ competitiveness without actually bringing much benefit to the country’s security, you only need to look at a recent report by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar.

The report shows the results of a worldwide survey of encryption solutions – file, email, message, voice encryption products, and VPN solutions – and they are as follows:

  • Of the 865 hardware or software products incorporating encryption, 546 (or two-thirds of the total) are from outside the US. Of these 546, 56% are available for sale and 44% are free, 66% are proprietary, and 34% are open source.
  • 587 entities sell or give away encryption products. Of those, 374 (again, about two-thirds) are outside the US – at the top are Germany (112 products), the UK (54), Canada (47), France (41), and Sweden (33), but there is a considerable number of smaller countries like Algeria, Tanzania, Cyprus, etc. that produce at least one encryption product.

The quality of foreign encryption products is believed to be no better or worse than that of products created in the US, though all are likely to have security vulnerabilities.

“With regard to backdoors, both Germany (with 113 products) and the Netherlands (with 20 products) have both publicly disavowed backdoors in encryption products. Another two countries—the United Kingdom (with 54 products) and France (with 41 encryption products)—seem very interested in legally mandating backdoors,” the researchers noted.

“Some encryption products are jurisdictionally agile. They have source code stored in multiple jurisdictions simultaneously, or their services are offered from servers in multiple jurisdictions. Some organizations can change jurisdictions, effectively moving to countries with more favorable laws,” they also pointed out.

With the “going dark” metaphor so loved by law enforcement already being effectively discredited, the release of this report will hopefully add some much-needed insight into the “mandatory government backdoor” debate currently going on in the US, UK and several other countries.

“Proposed mandatory backdoors have always been about modifying the encryption products used by everyone to eavesdrop on the few bad guys,” they explained. “That is, the FBI wants Apple—for example—to ensure that everyone’s iPhone can be decrypted on demand so the FBI can decrypt the phones of the very few users under FBI investigation. For this to be effective, those people using encryption to evade law enforcement must use Apple products. If they are able to use alternative encryption products, especially products created and distributed in countries that are not subject to US law, they will naturally switch to those products if Apple’s security weaknesses become known.”

This survey shows that criminals can easily switch to alternative encryption methods if they want to sidestep backdoors. “Any US law mandating backdoors will primarily affect people who are unconcerned about government surveillance, or at least unconcerned enough to make the switch. These people will be left vulnerable to abuse of those backdoors by cybercriminals and other governments,” they concluded.