European Information Security Advisory Says Mandating Encryption Backdoors Will Just Make Everything Worse
from the solving-little,-breaking-lots dept
More and more entities involved in government work are coming out in support of encryption. (Unfortunately, many governments are still periodically entertaining backdoor legislation...) While recognizing the limits it places on law enforcement and surveillance agencies, they're not quite willing to sacrifice the security of everyone to make work easier for certain areas of the government.
The European Union for Network and Information Security (ENISA) has just released its report [PDF] on encryption and finds it to be pretty much essential for everyone's security. Any efforts to undermine it harm the public more than they help. (h/t Tom's Hardware)
"There is a legitimate need to protect communications among individuals and between individuals and public and private organisations. Cryptography provides the electronic equivalent of letter cover, seal or rubber stamp and signature. In the light of terror attacks and organised crime, law enforcement and intelligence services have requested to create means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by terrorists and criminals, and lower trust in electronic services, which will eventually damage industry and civil society in the EU."
Mandating backdoors will hurt the countries where they're implemented, sending customers in search of secure computer equipment and services elsewhere. Beyond that, there's the fact that all backdoors can be exploited. Thousands or millions of device users could be negatively affected while very few criminals will suffer adverse effects. If a backdoor exists, it can be exploited by either "side," but only the criminal side will be able to protect itself from unwanted intrusion. Because if you're going to break a few laws, why not break one that forbids you from owning or operating devices with non-backdoored encryption?
Or you could just roll your own...
"Technology is changing at a very fast pace. It is questionable if solutions such as backdoors will be effective given that criminals can develop their own encryption technologies."
As ENISA points out, it's not just exploitation by criminals that's the problem. It's also exploitation by government agencies, which may use the handy backdoors to collect/intercept far more than they're legally allowed to.
"Judicial oversight may not be a perfect solution as different interpretations of the legislation may occur."
One agent's facially-invalid search warrant is the same agent's legally-unassailable judicial order. This is enough of a problem in the US, where multiple federal districts have produced contradictory opinions on identical legal arguments. In the European Union, the problem is only exacerbated. Not only are there multiple courts, but also multiple nations, all with their own laws. Sure, there's an attempt to unify guidance on technical/legal issues under the EU, but only so much can be done. Deciding what is or isn't abusive use of government-mandated backdoors is going to be far from consistent. And that, of course, requires a unified European stance on encryption backdoors, which isn't likely to happen either.
Ultimately, ENISA concludes that tech advancements do pose legitimate challenges to law enforcement/national security efforts, but backdoors are no way to solve the problem. But the solution it does suggest isn't much better. Here in the US, courts routinely defer to Congress when the remedy sought isn't within their power. Over in the EU, ENISA suggests legislative measures are the wrong approach.
"Other procedural approaches should be explored that focus on the power of the judicial process to find solutions."
Unfortunately, ENISA does not drop any hints about how EU courts might be able to address government agencies' complaints about encryption. This suggests some sort of All Writs Ordering might be the way around being locked out of devices and computers -- blanket court orders that compel assistance from service providers and manufacturers under the threat of whatever the court can come up with. While this would cause less damage to security than mandated backdoors, a court-ordered backdoor is still a backdoor, and judicial oversight wouldn't be enough to prevent government abuse of these "one time only," purposefully-induced security holes.