Privacy vs The Government: Why backdoors are a security nightmare

I recently viewed the following debate regarding individual privacy against the government:

Debate | Technological Privacy OxfordUnion | 6 videos


There are indeed valid arguments for why the government should have access to data necessary to ensure public safety and stop terrorism. But the question is: at what cost does the government obtain this information? If I were debating for the proposition, I might have referenced the fact that companies' infrastructure regularly gets compromised by both individuals and nation-state attackers. Are we really willing to have our information stored in a manner that can be obtained by stalkers, cybercriminals, terrorists, and nation-state adversaries?

It's not a matter of whether the government can access data. It's a matter of whether anyone can access it. There's no way to design a system such that only the “good guys” have access. It's a question of security vs insecurity. This is the opinion of most people who deal professionally with cryptography and communications security, and the government would do well to finally start taking the advice of these security people. What the government has expressly stated they want is not only access to information held by technology companies, but also a backdoor into information that technology companies don't have access to.

End-to-end encryption is designed to prevent the companies providing a service from reading messages. This is not an accident. This is a measure to ensure security against all attackers, government or otherwise, since it has been proven that it's too much to expect companies to store this data securely. Governments will have to deal with this, because the alternative is everything everyone says being vulnerable.

When one realizes individuals can compromise the databases of large companies, it becomes a matter of common sense that companies should not have such databases to begin with. Security online is, in its current state, an all-or-nothing thing. Attempts to introduce backdoors will not improve security, but worsen it.


While I'm on the topic of government backdoors into communications, I will use this opportunity to publicize communications made between myself and a representative in my state. The communication was first established when I submitted a letter opposing EARN IT to my state's representative.


While I appreciate the view that EARN IT could be used to combat child predators, terrorism, and crime in general, I wish to state a few practical and historical concerns:
I would also like to mention a few notable examples of governments attempting to backdoor modern cryptography in the past, and failing:
To quote Wikipedia on Dual_EC_DRBG, "Sometime before its first known publication in 2004, a possible kleptographic backdoor was discovered with the Dual_EC_DRBG's design, with the design of Dual_EC_DRBG having the unusual property that it was theoretically impossible for anyone but Dual_EC_DRBG's designers (NSA) to confirm the backdoor's existence. Bruce Schneier concluded shortly after standardization that the 'rather obvious' backdoor (along with other deficiencies) would mean that nobody would use Dual_EC_DRBG."
Also see this EU Draft Council Declaration Against Encryption and the associated comments, as well as this Guardian post opposing EARN IT.

While the intention of EARN IT may be benign, the unintended consequences are simply too problematic to accept. Instead, I would like to propose a solution that doesn't compromise national security and public safety: better law enforcement training.

The majority of cases can be solved within existing law enforcement procedures. However, law enforcement officers often have insufficient technical expertise to deal with online threats. This could be more reasonably solved by means of digital literacy training. Civilian "ethical hackers" and forensic investigators have been shown to have the skills law enforcement seems to lack, and various security conferences, such as DEFCON and Black Hat, can be used as training for both law enforcement and civilian security personnel. Also, the anonymity solutions generally marketed as impenetrable by law enforcement and governments, such as Tor, are widely known among the security community to be less-than-anonymous. For example, a forensics expert, Dr. Neal Krawetz, has publicized articles showing that an individual person can identify the real-world identities of people running large hidden services, and law enforcement has in the past been able to use such hidden services to deanonymize their users (by embedding tracking code in the service itself, which gets run by anyone who visits). See this article explaining a few of the various means of digital tracking, and how they have been used to catch criminals in the past, as well as Hacker Factor's series on the "Tor 0-day", a set of articles explaining how law enforcement can deanonymize and identify criminals who use services like Tor to cover their tracks. To quote some relevant excerpts from Dr. Neal Krawetz' articles:

In summary, law enforcement currently has the required tools to identify and catch criminals such as pedophiles. The infrastructure is already in place to catch such criminals without compromising national security and public safety. I propose law enforcement receive better technology literacy training, in order to obtain the investigative capabilities needed to combat modern criminal threats. I also propose that EARN IT must not pass, due to the associated risks to national security and public safety.

I thank you for your time in reading this, and hope to see you publicly oppose EARN IT.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, December 3, 2020 8:30 PM, Representative Debra Haaland <NM01DHima@mail.house.gov> wrote:



December 3, 2020


Dear Mr. Anderson,


Thank you for contacting me to discuss the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020. I appreciate you taking the time to write and helping me serve as your representative. Your input is valuable.


The Internet is no longer merely a helpful tool to supplement research or watch videos; it has become a necessity for living in the modern world. Without access to the internet, New Mexico’s people, educational institutions, and businesses cannot compete with the rest of the world. End-to-end encryption has established itself as an essential tool to keep private information secure, allowing us to use the internet for education and telehealth services and to support small businesses through e-commerce. Unfortunately, encryption makes it easier for predators and criminals to carry out their operations.


Over time, sexual predators have used the internet and its encryption to increasingly trade in illicit material. Senators Graham, Blumenthal, Hawley, and Feinstein introduced the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act in an attempt to combat this increase in crime. This legislation mandates the creation of best practices related to identifying and reporting online child sexual exploitation, which would be approved by the Attorney General and Secretary of Homeland Security. Companies that fail to comply with these best practices would be liable to lawsuits. I understand your concerns that this legislation may unjustly censor online speech and allow the Attorney General to mandate government backdoors in encryption. Please rest assured I take these concerns seriously and I will work to find legislative solutions that can put an end to sexual predation online while not infringing on the rights of legitimate users of the internet. As we approach the 117th Congress, I am eager to work alongside the Biden Administration to enact comprehensive reforms that do just that.


Again, thank you for sharing your thoughts on this important subject. Please contact me again in the future as Congress debates issues that we all care about.



If you are interested in following my work for you more closely, please sign up for my newsletter here. You can also follow me @RepDebHaaland on Twitter, Facebook, and Instagram. I look forward to working for you and hope to hear from you again in the future.


Sincerely,

Deb Haaland
Member of Congress



 









All original non-code/non-software content is committed to the public domain, except where otherwise explicitly stated. Code/software is licensed under the BSD 3-clause license, except where otherwise explicitly stated. Content not originally created by Serpent Security may be subject to separate licensing terms.