Pretty Much Anyone With Any Understanding Of Crypto Tells President Obama That Backdooring Crypto Is Monumentally Stupid

from the basic-understanding dept

Nearly 150 tech companies (including us via the Copia Institute), non-profits and computer security experts have all teamed up to send a letter to President Obama telling him to stop these stupid ideas about backdooring encryption that keep coming out of his administration. The press headlines will note that big companies — like Google, Apple, Cisco, Microsoft, Twitter and Facebook — are signing the letter. But significantly more interesting are the signatures from a huge list of computer security experts, all putting their names down on paper to make it clear what a ridiculously bad idea it is to even think about backdooring encryption. Among those signing on are Phil Zimmermann (who lived through this sort of thing before), Whitfield Diffie (guy who invented public key cryptography), Brian Behlendorf, Ron Rivest, Peter Neumann, Gene Spafford, Bruce Schneier, Matt Blaze, Richard Clarke (long-time counterterrorism guy in the White House), Hal Abelson and many, many more. Basically a who’s who of people who actually know what they’re talking about.

We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.

Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.

Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.

There’s much more in the full letter which I highly recommend reading. It very nicely summarizes why this is a completely insane idea, and highlights why anyone raising it should be immediately told to move on to some other project instead:

The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century. When faced with a similar choice at the end of the last century, during the so-called “Crypto Wars”, U.S. policymakers weighed many of the same concerns and arguments that have been raised in the current debate, and correctly concluded that the serious costs of undermining encryption technology outweighed the purported benefits. So too did the President’s Review Group on Intelligence and Communications Technologies, who unanimously recommended in their December 2013 report that the US Government should “(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”

The Washington Post quotes another surprising signatory: Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security. If that name sounds familiar, it’s because we’ve quoted his defense of the NSA, once arguing that “too much transparency defeats the very purpose of democracy.” If even he is arguing against backdooring encryption, you know it’s an idea that should be killed off. In his case, it’s because he recognizes the simple reality that seems to have eluded the FBI director:

The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: “If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that’s just not reality.”

That’s just not reality. And neither should be any policy effort that involves pushing for more backdoors in encryption. It’s bad economic policy. It’s bad security policy. It’s bad crypto policy. It’s bad privacy policy. It’s just bad policy all around.

And the world would be much better off if all of these security experts and companies could focus on better protecting us from harm, rather than having to join in ridiculous debates about what a bunch of clueless bureaucrats think might be some sort of mythical magic unicorn encryption breaker.

Companies: apple, cisco, facebook, google, microsoft, twitter


Comments on “Pretty Much Anyone With Any Understanding Of Crypto Tells President Obama That Backdooring Crypto Is Monumentally Stupid”

Brian Gregory (user link) says:

Re: Re: What gave you the idea that the UK, France and other governments have no idea about how technology works?

Do you think they realise that this will only allow them to spy on the innocent? Anyone who really has something to hide will easily be able to get old style encryption without a back-door. It is, you must agree, impossible to un-invent it.

Anonymous Coward says:

And then there’s the government’s hypocrisy that insists that encryption is sacrosanct –and eternal– when it comes to Hollywood corporations locking up their media (or at least pretending to) even after they sell it, yet argues the opposite for the citizenry who want the most basic protections of encryption.

DannyB (profile) says:

Re: Re:

Only the Big Brother divinely appointed by the Administration can pull the Golden Key from the Stone. No other will be able to perform this remarkable act. Only the Administration has the quantum superposition Holy Grail of secure but insecure cryptography. All Subjects of the Administration are henceforth commanded to use only this most worthy form of encryption.

Anonymous Coward says:

Will this be enough to end the debate? It should be, but considering that we went through this in the 90s and again now, I’m not so sure.

It’s been well established for decades why deliberate backdoors are an awful idea. Yet clueless Comey and other government officials routinely come back to this and demand it. Government officials, drunk with power, abhor being told no.

Well, no is the only answer they’re going to get. They don’t need it. They can’t have it. Stop demanding it.

Anonymous Coward says:

Re: Re:

I’m no cryptography expert, but I’ll open my ignorant mouth anyway.

There are a lot of smart people in Silicon Valley. I’m sure they can come up with a way to make up be down and down be up. Black can be white while simultaneously being black. If you can accept this simple fact, then it is no further stretch to accept that systems can be both secure and insecure.

Just because a system is insecure doesn’t mean it isn’t also secure. When you complain that it is insecure, I can point to the fact that it is also secure. You can be sure it is secure because it is written into the law that way.

Enhanced interrogation isn’t torture. Secret trade agreements are for free trade. Corporations are people too.

PaulT (profile) says:

Re: Re:

“Will this be enough to end the debate?”

No. Many politicians get votes by appearing to “do something”, even if that something would actually make life worse, not better. They also get votes through fear and being “tough on crime”, and by fooling the ignorant into thinking that questioning bad decisions is the same as supporting said crime or terrorism.

This will keep coming up until either every politician is tech savvy enough to realise how stupid the request is, those who know what they’re doing are completely ignored and the law passes anyway, or someone comes up with a kind of crypto where such a backdoor is impossible or irrelevant. The latter, by the way, would probably get someone locked up for supporting America’s enemies.

Jason says:

Almost perfect

I wish they would have also included a phrase or two addressing the “Silicon Valley people are smart, they can figure this out if they wanted to” statements that some of the people pushing backdoors have made–something that would highlight the difference between “hard” and “not mathematically possible”–but even without that this is excellent and I hope the message gets through.

If I only had a heart! says:

It's not about security it's about control

There will still be backdooring, anyone remember the debate about ECHELON? we won that one right?, RIGHT? wait no, the state just said they weren’t going to do it and then went ahead and implemented it and worse anyway, this is about the ability to commit arbitrary violence to people, because fuck you that’s why, it’s psychopaths having murder fantasies, it will not stop, it will not get better they have the guns.

James Burkhardt (profile) says:

Re: It's not about security it's about control

Given that backdooring requires the consent of the companies involved, and those companies’ stated aversion to including intentional backdoors, and the fact that if we ‘win’ this fight people can release their own encryption algorithms, I don’t see how backdooring encryption will become a mainstay if we win this fight.

alternatives() says:

Backdoor key

Fine. Let ’em.

Then design a system that requires each time an encrypted key is used the backdoor key must be registered and the Government, to confirm the key is properly registered, must send a response in writing.

I’m betting you can create and expire the keys faster than the bureaucracy can process the paper.
