The last 10 years have seen a great number of advancements in the sophistication and usability of strong encryption programs, and many people now use encrypted messaging services by default. This has made it much simpler for people to keep their private thoughts and data private and secure, and now the government is working diligently to roll back all of that progress with a naive, ill-conceived effort to cripple secure communications networks in the name of national security.
These are disheartening times for those who value security and privacy. E-commerce companies, advertisers and marketers of all stripes have shown that they have little regard for the privacy concerns of users, tracking them at every turn and gathering every bit of available data in an effort to gain an extra morsel of insight into consumers’ behavior. The term privacy policy has become a punch line and looking to Washington for help in regulating this chaos is a lot like waiting for a good book from Dan Brown: It’s a waste of time. Like everyone else in this mess, the regulators, congressmen and lobbyists are out for themselves.
The news this week that the Obama administration is pushing hard on a bill that would require the operators of all communications services to figure out a way to give law enforcement agencies access to customers’ messages in order to comply with wiretap orders has put this all into sharp focus. As the New York Times reported, this is essentially a throwback to the way that the government handled telephone intercepts in decades past. It’s easy–and convenient for the administration–to use the telephone analogy when talking about the need for law enforcement to have access to encrypted email, text messages and VoIP calls, but it’s a false comparison.
Leaving aside the complex political and legal issues in play here, the idea of intentionally introducing security weaknesses into these systems as a way of somehow making the country more secure is a horrendous mistake.
As Seth Schoen of the Electronic Frontier Foundation wrote in an analysis of this plan, it’s not just legally iffy, but technically messy.
“As the Internet security community explained years ago, intentionally weakening security and including back doors is a recipe for disaster. ‘Lawful intercept’ systems built under current laws have already been abused for unlawful spying by governments and criminals. Trying to force technology developers to include back doors is a recipe for disaster for our already-fragile on-line security and privacy,” Schoen wrote.
The really sad part is that this isn’t the first time the government has tried this. The first time around, during the famous “crypto wars” of the 1990s, the Clinton administration was fighting hard to prevent U.S. companies from exporting strong encryption software, on the grounds that putting it in the hands of foreign governments and citizens would cripple the ability of the U.S. to eavesdrop on its enemies’ electronic communications.
To help solve this “problem,” they hit upon the idea of allowing software and hardware makers to export their wares as long as they agreed to use key escrow, giving the government access to the encryption keys for supposedly private messages. The security and privacy community fought hard against this idea, as well as the equally inane Clipper Chip proposal, and eventually both were abandoned. PGP creator Phil Zimmermann had already made much of the argument moot back in 1991, when he released his encryption software on the Internet for free. [1]
Things are more complicated this time around, but the same silliness is in play. The government is worried that as people continue to move away from email and phone calls and toward social networks, texts, VoIP systems and other technologies, its ability to monitor the activities of criminals and terrorists will be in serious jeopardy. To compensate, they want to tap into all of these networks and require that operators of secure communications systems maintain a way to decrypt users’ messages and P2P software developers redesign their applications to enable intercepts.
It’s difficult enough to build a piece of software that does what it’s supposed to do without the worry of having to go back in and add a mechanism for complying with a wiretap order. That kind of redesign is almost guaranteed to introduce unexpected security problems that could then be exploited by attackers down the road.
What part of that sounds like it will work?
“I think it’s a disaster waiting to happen,” Steve Bellovin told the New York Times. “If they start building in all these back doors, they will be exploited.”
Not only will those back doors be exploited, but so will the rapidly eroding rights of U.S. citizens who should expect better from their government.
[1] For the complete story of the Clipper Chip, key escrow and the crypto wars, read Steven Levy’s excellent book “Crypto.”