FBI director James Comey has been telling everyone that the world will end unless every company around the world provides the FBI and only the FBI a back door to allow them to decrypt your communications. This includes countries we like and ones we don’t like.
So far the world isn’t listening to him, but the Justice Department is not giving up the quest.
In their defense, they will have to use other tactics if they cannot browse through your digital life at will. The evidence shows that they already have done that when they needed to. It is just more complicated and time consuming.
There are two problems with their fantasy of crypto back doors.
The first is to think that they really can abolish software that does not provide a back door. There is an article in Boing Boing, linked below, that talks about the challenge of policing billions of app downloads, some from well known app stores and some from app stores that don’t even have a web site name – only an IP address. Do you think terrorists will voluntarily use software that they know the U.S. government can tap? Maybe the FBI is that foolish, but I am not. The Boing Boing article goes into great detail explaining why this is a pipe dream.
That of course doesn’t stop the FBI from asking for a back door. They are apparently pretty smooth about it according to Nico Sell of Wickr; she talks about it in the PC Magazine article linked below. While Wickr told them to pound sand, apparently AT&T was more than cooperative with the NSA, going back ten years before 9-11 (see second ARS link below). The deal with AT&T was so cozy that the NSA apparently told their agents to be very polite when visiting AT&T facilities.
The second is the fallacy that the government, any government, can keep a secret for any extended period of time.
This past week, the government gave us proof that their goal of keeping secrets secret is unlikely to be successful for very long.
Since 9-11, the TSA has required that passengers traveling by air only use padlocks that have a TSA bypass mechanism so that if the TSA suspects there is a bomb in your suitcase, they can open it and look. This is a backdoor into “physical cyber”, but it is a perfect example of the problems with back doors.
There have been numerous complaints, lawsuits and payments by the TSA as a result of TSA employees stealing things out of passenger’s luggage using these physical back doors.
This past week, the TSA in an amazing act of stupidity allowed the news media to photograph these same master keys. The media, doing what the media does, published the pictures on the web. Within a few days, hobbyists created a CAD file that allowed anyone with access to a $1,000 3D printer could print one of these master keys.
Compare this to the FBI accidentally or maliciously exposing the crypto back door keys. The cost to use these accidentally exposed crypto keys is zero.
But there is a MUCH bigger problem with the crypto back door. With the luggage locks, everyone now knows that these locks are no longer secure and can stop using them. You can’t use those keys to open the suitcases that were in airports last month or last year.
HOWEVER, those purloined or accidentally exposed crypto keys could be used to decrypt files sent years ago. Even if the government were to somehow discover that the keys had been exposed and magically snap their fingers and get every manufacturer of software new keys the next day (think about the logistics of that), every communication ever sent that could be opened using that compromised back door key is compromised. AND, there is no way to undo that because those files and communications are out of your control.
Which is why the idea of a crypto back door is insanity.
Ignoring the fact that the bad guys will continue to use crypto that doesn’t have a back door. Ignoring that minor detail.
Luckily, Congress seems, for the moment, to understand this problem.
You decide. Would you trust a government that can’t even keep a padlock key secret to keep a crypto key that opens billions of communications secret?
Information for this post came from ARS Technica, boing boing, PC Magazine, ARS Technica and Wired.