Nobody Saw This Coming: Now China Too Wants Company Encryption Keys And Backdoors In Hardware And Software
from the zone-of-lawlessness dept
A concerted campaign among officials on both sides of the Atlantic to attack strong encryption has intensified in the wake of the Charlie Hebdo killings. Most recently, we’ve had a leak of a document in which the EU’s “Counter-Terrorism Co-ordinator” recommended that Internet companies should be forced to hand over their crypto keys; and now Leslie Caldwell, an assistant attorney general at the US Justice Department, is reported by Vice.com to have made the following comment:
“We understand the value of encryption and the importance of security,” she said. “But we’re very concerned they not lead to the creation of what I would call a ‘zone of lawlessness,’ where there’s evidence that we could have lawful access through a court order that we?re prohibited from getting because of a company?s technological choices.”
She said that she hopes Apple and Google will consider building in back doors that will allow the companies to decrypt the phones if they are physically mailed back to the manufacturer.
As Techdirt has noted before, this narrative plays right into the hands of repressive governments around the world, which can simply point to the West’s argument, and say: “We agree.” So it will not come as a huge surprise to readers of this site to learn that when it comes to demanding encryption keys and backdoors from computer companies, China now agrees:
The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.
The New York Times article quoted above gives more details, drawing on a chart that lays out the new requirements for companies wishing to sell equipment to the Chinese banking sector:
For most computing and networking equipment, the chart says, source code must be turned over to Chinese officials. But many foreign companies would be unwilling to disclose code because of concerns about intellectual property, security and, in some cases, United States export law.
The chart also calls for companies that want to sell to banks to set up research and development centers in China, obtain permits for workers servicing technology equipment and build “ports” to allow Chinese officials to manage and monitor data processed by their hardware.
The draft antiterrorism law pushes even further, calling for companies to store all data related to Chinese users on servers in China, create methods for monitoring content for terror threats and provide keys to encryption to public security authorities.
Although there is a clear protectionist element to many of these, as well as a desire to take a look at Western source code, the boldest demands — those for backdoors and encryption keys — are identical to what the US and EU are implicitly calling for. And so, once again, there is no way for the West to claim the moral high ground here, which inevitably undermines any protestations it might make about China’s decision to follow its example.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: backdoors, china, encryption, mobile encryption, surveillance
Comments on “Nobody Saw This Coming: Now China Too Wants Company Encryption Keys And Backdoors In Hardware And Software”
Well, duh!
As a repressive and authoritarian government China wants encryption keys and backdoors so they can keep an eye on what everyone is doing, whenever they want to, so they can take care of any “threats” to their security.
As a government driven by Enlightenment values of personal liberty, the US wants encryption keys and backdoors so they can keep an eye on what everyone is doing, whenever they want to, so they take care of any “threats” to their security.
No one sees the difference?
Re: "A government driven by enlightenment"
I’m pretty sure no one believes that of the US anymore.
Re: Re: "A government driven by enlightenment"
Why do you hate freedom (to be spied upon)?
Re: Re: "A government driven by enlightenment"
“enlightenment”, maybe. But in what direction?
And “personal liberties”? Many disappeared a long time ago.
Re: Re: Re: "A government driven by enlightenment"
“enlightenment”, maybe. But in what direction?
And “personal liberties”? Many disappeared a long time ago.
“It’s not a lie, if you think it’s true”.
– A. Vandelay
I think that sums up the past 13 years nicely.
Ugh, just because it’s digital means they get be morons again. They should try to talk banks into ‘secret’ back door in their vaults which only government officials have the key to. Oh? That would be stupid? What’s the point of a secure vault with a second secret access? Don’t worry, it’s still secure, and you can trust the government. They’re only out to get bad guys, you’re not a bad guy are you? Then there’s nothing to worry about. It’s not like it’s usually bad guys that have secret doors everywhere. What’s that? They do? Oh, well.. then we’ll know exactly where to look for them.
Wow, I see lots of hacks coming to Chinese banks in the near future.
With so many governments attacking software and software development in general we should change the name of the career.
They’re no longer software developers, they’re now ‘freedom fighters’, fighting to protect common everyday practices like encryption, etc.
Wait, I don’t understand…
Is it the repressive governments who are like our own, or our government that is like the repressive ones?
Re: Re:
That’s called a false dichotomy, sir.
China wants their own backdoors. The West wants backdoors. Iran wants their own backdoors. Russia wants backdoors…
Look at the can of worm Mr. Comey, Ms. Caldwell, and PM Blair has opened up. Every repressive dictatorship in the world will demand their own backdoor access to all encrypted communications. Their insatiable lust for mass surveillance has made everyone in the world less safe and completely insecure.
Russian, China, and Iran will hack US backdoors in American technology. America will try to hack back against those countries backdoored technologies. Hacktivist groups will be hacking the backdoors of every country that has backdoors.
I hope Western companies are prepared to have their source codes copied by foreign nations. Thanks to the NSA, nobody trusts American technology anymore. So much for secret ‘Intellectual Property’ rights. The NSA shot the dream all to hell with their mass, untargeted, spying agenda.
Way to go backdoor/mass surveillance enthusiasts. You just screwed over the entire human race for generations to come.
Lets unpack this
I’m quite sure the Gov’t would freak out if workers started using a program with Chinese back doors…and promptly ban it’s usage.
They forget that China and other countries are starting to say “Don’t use software with American back doors”
Re: Lets unpack this
“I’m quite sure the Gov’t would freak out if workers started using a program with Chinese back doors…and promptly ban it’s usage”
I’m not so sure about that. If Chinese equipment manufacturers build in back doors, there is a clear benefit to US spies as they can use the back doors as well — and without getting US citizens quite as on edge as they would be if the US required the back doors to be in place.
Re: Re: Lets unpack this
Are you seriuously considering the possibility that there will be only 1 backdoor?
My guess is that most of these agencies/gov’ts will want their own backdoor.
Remember: if 5 agencies have a (different or same) key to the same door, there are 5 possible sources for leaks and everybody is affected by the closing of the 1 backdoor. If everybody has access via a different door, it doesn’t matter if the other guy’s door gets boarded shut/exposed and removed…
Re: Re: Re: Lets unpack this
“Are you seriuously considering the possibility that there will be only 1 backdoor?”
Not really. I’m seriously considering the possibility that it’s easier for them to use a backdoor that already exists in Chinese equipment than to figure out a way to trick Chinese companies into putting another backdoor in.
Unclear on the concept
“We understand the value of encryption and the importance of security,” she said.
No. You don’t. Not even a little bit.
China insists that US government inserts backdoors for its own use, NSA issue a gag order demanding that they are given access to the same backdoors. Also if different countries insist on only their own backdoors being in software distributed in their country, comparing versions from different countries will reveal the relevant code, giving other countries, and criminals access to the same backdoors.
Somebody has not thought this one through.
Only one answer
Time for scientists to bring back the passenger pigeon!
Re: Only one answer
I believe there’s an RFC about that….
Re: Re: Only one answer
Here it is, rfc 1149. What is more somebody actually implemented it, see the Wikipedia entry
Whats good for the goose is good for the gander
fun
They forget that China and other countries are starting to say “Don’t use software with American back doors”
klmat
They forget that China and other countries are starting to say “Don’t use software with American back doors” http://www.klmat.ws
Governments position amusing...
…especially in light of the fact that they are the least trustworthy most dangerous groups cyber assaulting everyone. In related news: “Link between NSA and Regin cyberespionage malware becomes clearer” (http://www.computerworld.com/article/2875921/link-between-nsa-and-regin-cyberespionage-malware-becomes-clearer.html). Oy!
The price of used mechanical typewriters just soared.
New Kickstarter campaign: Bluetooth-enabled mechanical typewriter.
Re: The price of used mechanical typewriters just soared.
I’d argue Bluetooth is far, FAR to insecure. Line of sight laser links would be more useful. At least, until someone did a audio scan of the typewriter. The pattern wouldn’t be that hard to discern.
That's why they're called "hackdoors"
The Chinese have all seen “When Harry Met Sally”, and their motto is “I’ll have what she’s having”.
We understand the value of encryption and the importance of security,
No, no, you really dont, if you did, you would have stopped there
“We understand the value of encryption and the importance of security,”
No, no, you really dont, if you did, you would have stopped there
A boon for open source...
So, the only logical answer to this is to embrace FOSS – then there is no single corporation that makes these decisions on the basis of government demands – the source is already open, and therefore meets Chinese requirements – it is up to the individual implementors (aka Users) to decide whether to add a backdoor or not – and that is how it should be.
Re: A boon for open source...
That’s only half the solution though. Everyone seems to conveniently forget the gaping security hole introduced by arguably the most popular FOSS encryption library, OpenSSL.
The other half is to take at least some of that money your company would have spent on the proprietary software and donate it to the FOSS tools you are using.
It doesn’t have to be a cash donation (in case the project doesn’t really have a project manager in charge of financials, like, say, OpenSSL); offer to pay a developer’s salary. Offer to pay for infrastructure and set it up.
For some projects, a year of salary or infrastructure might still be cheaper than licenses. For others you could band together with a few other companies and form a joint subsidiary (or whatever) and pool your money.
Re: Re: A boon for open source...
Indeed – the assumption would be that if people stopped using proprietary solutions, more focus would go into improving the FOSS solutions – but OpenSSL proves that isn’t necessarily the case.
It has to go both ways – but at least with FOSS, the users have some say in the matter, whereas with proprietary solutions, there’s no telling what deals and backdoors have been made with governments.
And now some folks will start wondering about any new products/services/parts built in china sold globally, assuming they havent been doing them already as we have already found the western governments like(sic) to do
This is gonna snowball all on its own, governments supplying the materials once again, global paranoia taking its role as the catalyst……..its gonna get to a point unless they all agree to stop before it gets worse, that even if they wanted to, their gonna have to do something extreme because of how far its come and how harder it is
Uk, us, canada,australia,france,korea,china……god knows how many………..the fact they control who can audit their PUBLIC property, means they can say one thing, then transfer operations someplace else with even better evaluated secrecy……….it just takes one to do it, the others would then be obliged(sic) to do the same(snowball)
Short of a global revolution(harder)
And now some folks will start wondering about any new products/services/parts built in china sold globally, assuming they havent been doing them already as we have already found the western governments like(sic) to do
This is gonna snowball all on its own, governments supplying the materials once again, global paranoia taking its role as the catalyst……..its gonna get to a point unless they all agree to stop before it gets worse, that even if they wanted to, their gonna have to do something extreme because of how far its come and how harder it is
Uk, us, canada,australia,france,korea,china……god knows how many………..the fact they control who can audit their PUBLIC property, means they can say one thing, then transfer operations someplace else with even better evaluated secrecy……….it just takes one to do it, the others would then be obliged(sic) to do the same(snowball)
Short of a global revolution(harder)
It’s a dirty shame when the government supposedly for human rights and privacy has to provide the road map for repressive regimes. I think that sums up where the US government today stands. The actions are becoming indistinguishable between countries other than changing the name.
>
The ‘Five Eyes’ are weakening global security for the purpose of spying.
why did no one see this coming then? did the USA and the UK expect to be the only countries that wanted/were allowed to have back doors in hardware and software? what gives them the only right? why would they think that no other country wanted or were entitled to do the same?
the even bigger question is what will be done when these back doors that the likes of that idiot Cameron wants inbuilt are exploited by God knows who and does serious damage to God knows what industry? will he/they be personally held liable? he/they damn well should be! it would be a variation of a theme of ISDS!!
This happens because we don’t live in a free society.
Awesome. I wholeheartedly support the idea. Put backdoors on each and every single device. US afraid China might use it? Too bad, you asked for it. Let the world be an open, transparent book for everybody. Russia is overjoyed!
You heap what you sow. Deal with the unintended consequences of your idiocy, West.
It strikes me that software engineers the world over, both private and public sector, know what a horrible idea it is to have all these backdoors built into systems. Perhaps it’s time for an unwritten agreement that only bogus backdoors will be implemented. The government systems that exploit these backdoors will be written so as to make the users & politicians believe that they’re accessing real data, when in fact they’re playing with nothing but random gibberish.
Remember how the Professor would sometimes set up fake equipment for Gilligan to knock over, thus sparing the real experiment? That.
Re: Re:
“It strikes me that software engineers the world over, both private and public sector, know what a horrible idea it is to have all these backdoors built into systems.”
They do indeed, and know it from experience. In the Good Old Days, it was common practice to build developer back doors into software that included access controls so that they didn’t have to worry about them when they needed to enter the system post-deployment in order to fix things.
The industry did a complete about-face on the practice quite a while back when it became apparent that the chances of a back door being discovered and abused was very high, no matter how obscure or hard-to-use the backdoor was.