While the question of how cypto backdoors would work is unknown since there are no actual proposals on the table at this time, I am concerned that it will turn into a disaster. Partly this is because Congress does not understand technology. Out of 500 plus Congress critters, there are 5 that have a computer science degree. While that is not surprising, it means that mostly lawyers will be writing laws about something they know almost nothing about.
Option 1 – Force Apple and Google to install secret backdoors into their phones. One option would be a skeleton key. That is one single key that unlocks all phones past, present and future. That option would be a disaster since if that key got into the wild, every phone ever made would be compromised. Hopefully, that is not the option chosen. Another option would to have a key per phone. When you make the phone, you create a key for it, put the key in a mayonnaise jar on Funk & Wagnalls back porch (to quote Johnny Carson) and open that mayonnaise jar if asked. If this were done, we would need to securely store around two billion keys and growing by hundreds of millions a year between Apple and Android phones. We could ask the government to store them. I am sure that would be secure. Maybe the OPM could do it for us? Alternatively, the manufacturers might keep them. The third option might be to have the key algorithmly derived such that you would not have to store the keys. I think that would mean that you would have to keep the algorithm secret otherwise anyone could decrypt a phone and that is not likely possible.
I don’t think that anyone has actually come up with a way to do this that would work. I am open to possibilities, but haven’t heard one. Neither have many, many cryptographers who are a lot smarter than I am.
How do we deal with the close to two billion phones that are out there. In this situation, Apple is a little easier to deal with than Android. Since Apple users tend to keep their software more current than Android users, you could, possibly, push an update to the close to a billion iPhones, installing the backdoor. Not to mention the could hundred million iPads. NOT!
In the Android world the problem is harder. There are still hundreds of millions of Android phones running version 2 of the operating system even though version 6 is the current version. Do you really expect each phone manufacturer to dust off their software archives and update that antique software. Not likely.
Then there is the question of who is going to pay for the creation – and more importantly – the ongoing maintenance of this huge intelligence network. I assume Congress doesn’t want to pay for it, but I certainly don’t want to either. The cost would likely be in the billions of dollars if not more.
And what about phones that are not made in the US? Do we really have any leverage to force Chinese manufacturers that sell knock off Android and iPhone clones to do anything that the US wants? I didn’t think so. So maybe the objective is to reduce the sales revenue of US phone manufacturers?
But now the real problem. Encryption is implemented in software in millions of applications. These applications are written by tens of thousands of developers all over the world. Many of them are open source meaning the developers don’t have any money to do anything and do not have a company to force to do anything – assuming you can even find these people.
If you don’t remove the encryption from software, cracking the iPhone or Android phone is basically useless.
Maybe Option2 is to ban all software that does not have an encryption backdoor. How exactly do you do that? There are likely thousands of new applications released every week. Some in the US but many more outside the US. Maybe we should block all non-US IP addresses so that we can make sure that terrorists don’t download software from non US companies or developers. Maybe we should rename the Internet to the USNet. Maybe we should pay someone to check every new application that is available on the Internet to see if it has a backdoor. That would be good for the economy. The government would have to hire tens of thousands of computer experts. nah, that’s not going to happen.
Another issue is cost. When Congress did this the last time in the 1990s, it was called CALEA. It was Congress’ attempt to install a backdoor into all phone switches sold in the United States to commercial phone companies (the Ma Bells in particular). There were a handful of phone companies and another handful of phone switch manufacturers, Congress agreed to pay for the insertion of the backdoors. They allocated a billion dollars in 1990s money and ran out. They had to get another billion to finish the job. And, I think, it took around 10 years to complete.
Fast forward to 2015. Instead of 10 phone switch manufacturers you have, say, 100,000 software developers. Instead of a product that is sold through a sales force, installed in known locations (the phone company central office) and maintained by a paid technical staff, you have products that are given away (open source), by people that do not have any paid staff, that are not physically delivered at all and come from all over the globe. ASSUMING you could do this, how much would this cost? Of course, you can’t do it.
And what about software made in other countries that don’t have laws like whatever this Frankenlaw might be? A few countries – like England for example – might be persuaded to pass a similar law, but other countries – like Germany – are actually moving in the other direction saying that strong encryption is a good thing.
What about software made in Russia? Ukraine? China? and many other countries that are not friendly to the US? They are not likely to comply.
And, already ISIS has released their own software. It is encrypted, of course. Maybe we can ask Daesh (as they do not like to be called) to insert a backdoor for us and give us the keys. Let me think about that. Nope. Not gonna happen.
So, in the end, Congress will be able to thump their collective chests and say how wonderful they are and it will do nothing to help fight terrorism other than to make Bin Laden right even years after his death. Remember that he said that he wanted to bleed us to death? Well, he certainly is succeeding. Even in death he is succeeding.
Stay tuned because no one knows how this play will end – tragedy or comedy? Not clear.
Information for this post came from Network World.