The Institute of Electrical and Electronics Engineers (IEEE) has added its voice to the chorus of security experts, privacy advocates, lawmakers and other prominent individuals who are against the idea of mandated encryption backdoors.
“We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as ‘backdoors’ or ‘key escrow schemes’ in order to facilitate government access to encrypted data,” the professional association stated.
“Governments have legitimate law enforcement and national security interests. IEEE believes that mandating the intentional creation of backdoors or escrow schemes – no matter how well intentioned – does not serve those interests well and will lead to the creation of vulnerabilities that would result in unforeseen effects as well as some predictable negative consequences.”
Many reasons for their official position
The reasons for their position are as follows:
- “Exceptional access mechanisms” would allow malicious actors to find them and exploit them, and as far as centralized key escrow schemes are concerned, they would allow adversaries to compromise the security of both targets and non-targets.
- Not all encryption schemes can be fitted with backdoors, and malicious actors can simply switch to using those.
- Encryption backdoors or key escrow schemes can have long-term negative effects on the privacy, security and civil liberties of citizens. “Encryption is used worldwide, and not all countries and institutions would honour the policy-based protections that exceptional access mechanisms would require,” they pointed out.
- Exceptional access mechanisms can also have a negative effect on companies’ ability to innovate and compete in the global market.
“Measures that reduce security of information or that facilitate the misuse of secure information and control systems can damage trust. Loss of trust will impede the ability of those technologies to achieve much broader societal benefits,” the IEEE noted.
US and UK law enforcement and intelligence agencies have been clamouring for years now that they need that type of access.
But the IEEE pointed out that law enforcement agencies have a range of alternative methods for getting into systems and accessing data, when legally allowed to do so.
“Techniques include legal mechanisms for accessing data stored in plaintext on corporate servers, targeted exploits on individual machines, forensic analysis of suspected computers, and compelling suspects to reveal keys or passwords.”