The existing state of affairs in which government agencies and intelligence services work to insert backdoors into various hardware, software and networks is not only a problem in terms of civil rights but also represents a serious security risk to most users and the Internet itself, a recent report by the Citizen Lab says. And, the revelations of the U.S. surveillance programs of the last few months may also spawn a variety of copycat programs in emerging countries.

Some of the more explosive and troubling revelations to come out of the steady flow of NSA leaks this year have involved the U.S. government’s efforts to compromise encryption standards, software programs and Internet infrastructure used by millions and millions of people as part of intelligence-gathering operations. Documents made public in recent months show efforts by the NSA to influence the standards process at NIST, specifically regarding the Dual EC DRBG random number generator, which NIST has warned developers to stop using. There also have been allegations that the agency and its allies are tapping unencrypted links between data centers owned by Google and Yahoo, a revelation that has infuriated security engineers at Google.

Security experts have long argued that inserting backdoors in widely deployed software or hardware for law-enforcement or intelligence-gathering purposes is not just questionable with regard to civil rights but also harms the security of the entire system. The presence of a vulnerability in an application or piece of hardware opens that target up to exploitation by anyone, not just the people who inserted the backdoor. The Citizen Lab report, called “Shutting the Backdoor“, by Ron Deibert of the University of Toronto, argues that the NSA revelations have brought this problem into sharp focus.

“Quite apart from these concerns about privacy and potential abuse of unchecked power is an additional concern around the security implications of backdoors. Building backdoors into devices and infrastructure may be useful to law enforcement and intelligence agencies, but it also provides a built-in vulnerability for those who would otherwise seek to exploit them and in doing so actually contributes to insecurity for the whole of society that depends on that infrastructure,” Deibert says in the report.

“In 2008 Citizen Lab researchers discovered that the Chinese version of the popular VOIP product, Skype (called TOM-Skype) had been coded with a special surveillance system in place such that whenever certain keywords were typed into the chat client, data would be sent to a server in mainland China (presumably to share with China’s security services).20 Upon further investigation, it was discovered that the server onto which the chat messages were stored was not password protected, allowing for the download of millions of personal chats, many of which included credit card numbers, business transactions, and other private information.”

In addition to the unintended consequences these programs can produce, the Citizen Lab report also says that Edward Snowden’s revelations of the NSA’s methods and techniques could provide a blueprint for regimes in emerging countries that are interested in exerting more control over their communications infrastructure.

“No doubt one implication of Snowden’s revelations will be the spurring on of numerous national efforts to regain control of information infrastructures through national competitors to Google, Verizon, and other companies implicated, not to mention the development of national signals intelligence programs that attempt to duplicate the US model,” Deibert writes in the report.

“Already prior to the revelations, numerous companies faced complex and, at times, frustrating national ‘lawful access’ requests from newly emerging markets. Many countries of the global South lack even basic safeguards and accountability mechanisms around the operations of security services, and their demands on the private sector could contribute to serious human rights violations and other forms of repression.”

Deibert argues that while there are legitimate uses for lawful intercept technologies, they should be deployed sparingly and with great oversight.

“Those lawful access provisions that are still required should be infrequent and strictly controlled with rigorous oversight and public accountability provisions. Direct tapping of entire services wholesale should be eliminated. Not only will this protect civil liberties and prevent the concentration of power in unchecked hands, it will ensure that we are not doing more to undermine our own security in an overzealous surveillance quest,” he writes.

Image from Flickr photos of anyjazz65.

Categories: Cryptography, Government, Malware