Computers

Should companies be forced to build encryption backdoors into services?

Should companies be forced to ...
The controversial debate over whether tech companies should implement backdoors that allow governments access to encrypted information on digital devices has arisen once again
The controversial debate over whether tech companies should implement backdoors that allow governments access to encrypted information on digital devices has arisen once again
View 1 Image
The controversial debate over whether tech companies should implement backdoors that allow governments access to encrypted information on digital devices has arisen once again
1/1
The controversial debate over whether tech companies should implement backdoors that allow governments access to encrypted information on digital devices has arisen once again

British authorities recently revealed that the Westminster Bridge attacker, who killed four people and injured scores of others, may have sent or received messages through the encrypted WhatsApp service minutes before launching the horrific attack. The revelation has rekindled the controversial debate over whether tech companies should implement backdoors that allow governments access to encrypted information on digital devices.

The UK's home secretary, Amber Rudd, threw down the gauntlet on the issue in an interview with the BBC. "We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," Rudd said ahead of her upcoming meetings with several technology firms.

Last year, WhatsApp instituted end-to-end encryption across all of its communications. This essentially rendered all messages sent through the app unreadable by anyone other than the sender and recipient.

"No one can see inside that message," WhatsApp announced last year when unveiling the encryption update. "Not cybercriminals. Not hackers. Not oppressive regimes. Not even us."

The current UK/WhatsApp conflict recalls a similar situation last year when the FBI demanded Apple unlock an iPhone recovered from one of the perpetrators of the mass shooting in San Bernardino. Apple resisted the order from the FBI insisting that creating a backdoor into its iPhones would compromise the security of millions of customers.

"The government suggests this tool could only be used once, on one phone," Apple CEO Tim Cook wrote in a message to the company's customers last year. "But that's simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks."

After several months of legal stoushes the FBI withdrew its demands, claiming to have unlocked the phone through the services of a "third-party."

Some have dubbed this 21st century encryption battle a redux of the infamous 1990s "Crypto Wars." These centered around the NSA's determination to define strong cryptography as a munition. This determination essentially allowed authorities to strongly regulate civilian use of cryptographic algorithms.

In 1995, the Electronic Frontier Foundation began a long legal battle, ultimately winning with a ruling declaring that cryptographic algorithms are not weapons, but in fact should be classified as free speech or expression, and therefore protected under the First Amendment.

It was a groundbreaking result that has allowed us all a degree of unfettered access to encryption protocols for many years. But our developing smart devices, crossing paths with the modern fear of terrorism, have caused governments to rekindle the encryption battle.

The controversy over a company's responsibility to be able to decrypt its users' communications is heating up in the UK. Amber Rudd's latest declarations follow the passing of a bill in November 2016 called the Investigatory Powers Act (euphemistically known as the Snooper's Charter).

Among several other contentious provisions, the Act stipulated that communications service providers must have the ability to remove encryption applied by their services. The current Act notably only covers providers operating from within the UK and does not include foreign companies. It's also unclear how this provision would relate to a WhatsApp-styled service. What is clear, though, is that provisions such as these certainly pave the way for laying pressure on companies to ensure they cannot create "uncrackable" services or devices.

While it's fair to argue that governments should be able to protect their citizens through responsible and targeted surveillance, it is hard to find a convincing stance on forcing companies to add backdoors to their software or devices. When WhatsApp rolled out its end-to-end encryption in 2016 it was forcing the situation out of its hands.

This kind of blanket encryption is secure because it has no backdoor. It is secure because the company itself has no way to crack it. Despite the long-standing privacy versus security debate, there is no way the integrity of an encrypted service can be broken without it compromising the data of all users.

Apple CEO Tim Cook succinctly summed it up at a conference in 2015 when he proclaimed, "You can't have a backdoor that's only for the good guys."

8 comments
Anne Ominous
Betteridge's Law applies here: The answer is a simple "no".
akarp
Agree completely.
James Scott
This is a very nice article. As for me I already deinstalled whatsapp and now use signal or the swiss app "Threema". I don't think the swiss governement will be as harsh as ours.
Steve Jones
Thing is, if the legit companies started building-in backdoors to their encryption, the "bad guys" would start using black-market stuff which doesn't have one. Sure, you could then go after the black-market manufacturers to stop them, and so on, and yes it would be one more hoop for the bad guys to have to jump through, but if you think that passing this sort of legislation would allow us to read everything that ISIS are thinking - it's not that simple. And all the while, the rest of us would be using flawed encryption that any determined criminal could break in a matter of hours. On the other hand, the security services have very powerful computing arrays which can brute-force one key once in a fairly practical timeframe anyway (this would be the "third-party" solution they used on that iPhone), so what's the big difference that a backdoor would make anyway? I bet the security services would prefer the bad guys to keep using "good" encryption which they feel is secure enough for their most important secrets.
VirtualGathis
I have to agree with Anne Ominous: No Time and again it has been proven that any system with a "master key" will be exploited. Buick had this issue in the 80's. They built locks with a master key. Someone copied it and the replica master keys made it into the hands of car thieves. The same will happen to any system compromised in such a way. The "bad actors" will get the key and use it to steal and exploit, every time with no exceptions.
DaveLangley
Encryption backdoors should absolutely NOT be created!!!!
f8lee
So does anyone know if or how often the NSA makes use of the backdoor it allegedly placed on all hard drives that give it access regardless of hardware or OS used? Here's a story on that from a couple of years ago: https://www.techpowerup.com/209925/nsa-hides-spying-backdoors-into-hard-drive-firmware
Aussie_2017
Does't exist anything in the digital world that's 100% secure, that's the reason at Black Hat Conference doesn't have any way to buy or make a reserve using PCs, smartphones or any other digital equipment. Everything it's just 'in loco', with cash in hands and no questions asked. If you want to secure your information the best is in a external hd in a locker. When you want to read/write to/from it you use a never connected PC or device. Then from there you can copy to a memory device and then to anywhere you want. Just learn the devices can't and will not be safe everything is just a matter of time to be cracked. Every app you use (specially those free ones) has a potential to be stealing your information or/and other things stored in the device/PC. Not all OS developer really care about the user, if any of those really care about the user at all. So if you want be safe don't put anything that is a secret in any device that has connections to the outer world, period. There's always that saying "Better safe than sorry".