Pretty Much Anyone With Any Understanding Of Crypto Tells President Obama That Backdooring Crypto Is Monumentally Stupid
from the basic-understanding dept
Nearly 150 tech companies (including us via the Copia Institute), non-profits and computer security experts have all teamed up to send a letter to President Obama telling him to stop these stupid ideas about backdooring encryption that keep coming out of his administration. The press headlines will note that big companies -- like Google, Apple, Cisco, Microsoft, Twitter and Facebook -- are signing the letter. But significantly more interesting are the signatures from a huge list of computer security experts, all putting their names down on paper to make it clear what a ridiculously bad idea it is to even think about backdooring encryption. Among those signing on are Phil Zimmermann (who lived through this sort of thing before), Whitfield Diffie (guy who invented public key cryptography), Brian Behlendorf, Ron Rivest, Peter Neumann, Gene Spafford, Bruce Schneier, Matt Blaze, Richard Clarke (long-time counterterrorism guy in the White House), Hal Abelson and many, many more. Basically a who's who of people who actually know what they're talking about.
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
There's much more in the full letter which I highly recommend reading. It very nicely summarizes why this is a completely insane idea, and highlights why anyone raising it should be immediately told to move on to some other project instead:
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century. When faced with a similar choice at the end of the last century, during the so-called “Crypto Wars”, U.S. policymakers weighed many of the same concerns and arguments that have been raised in the current debate, and correctly concluded that the serious costs of undermining encryption technology outweighed the purported benefits. So too did the President’s Review Group on Intelligence and Communications Technologies, who unanimously recommended in their December 2013 report that the US Government should “(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”
The Washington Post quotes another surprising signatory: Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security. If that name sounds familiar, it's because we've quoted his defense of the NSA, once arguing that "too much transparency defeats the very purpose of democracy." If even he is arguing against backdooring encryption, you know it's an idea that should be killed off. In his case, it's because he recognizes the simple reality that seems to have eluded the FBI director:
The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: “If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that’s just not reality.”
That's just not reality. And neither should be any policy effort that involves pushing for more backdoors in encryption. It's bad economic policy. It's bad security policy. It's bad crypto policy. It's bad privacy policy. It's just bad policy all around.
And the world would be much better off if all of these security experts and companies could focus on better protecting us from harm, rather than having to join in ridiculous debates about what a bunch of clueless bureaucrats think might be some sort of mythical magic unicorn encryption breaker.
Filed Under: 4th amendment, backdoors, bruce schneier, crypto, encryption, paul rosenzweig, phil zimmermann, privacy, richard clarke, ron rivest, security, vulnerabilities, whitfield diffie
Companies: apple, cisco, facebook, google, microsoft, twitter
Reader Comments
What gave you the idea that the UK, France and other governments have no idea about how technology works? They understand very well what they are doing, as does the US administration.
So much feedback sends a strong message
Removing that is a feature of the backdoors, not a bug.
Re:
...but we'll store it under the doormat in the porch. Don't worry, nobody ever looks there and we have a guard who's there most of the time. Nobody will be able to try it without our permission, trust us!
It's been well established for decades why deliberate backdoors are an awful idea. Yet clueless Comey and other government officials routinely come back to this and demand it. Government officials, drunk with power, abhor being told no.
Well, no is the only answer they're going to get. They don't need it. They can't have it. Stop demanding it.
Re:
There are a lot of smart people in Silicon Valley. I'm sure they can come up with a way to make up be down and down be up. Black can be white while simultaneously being black. If you can accept this simple fact, then it is no further stretch to accept that systems can be both secure and insecure.
Just because a system is insecure doesn't mean it isn't also secure. When you complain that it is insecure, I can point to the fact that it is also secure. You can be sure it is secure because it is written into the law that way.
Enhanced interrogation isn't torture. Secret trade agreements are for free trade. Corporations are people too.
Re: Re:
Two things wrong made up a right
Unlocked locks were thus secured
Newly polished an old turd
Re:
No. Many politicians get votes by appearing to "do something", even if that something would actually make life worse, not better. They also get votes through fear and being "tough on crime", and by fooling the ignorant into thinking that questioning bad decisions is the same as supporting said crime or terrorism.
This will keep coming up until either every politician is tech savvy enough to realise how stupid the request is, those who know what they're doing are completely ignored and the law passes anyway, or someone comes up with a kind of crypto where such a backdoor is impossible or irrelevant. The latter, by the way, would probably get someone locked up for supporting America's enemies.
Almost perfect
http://dwaterson.com/2015/05/18/dont-mess-with-encryption-mr-cameron/
It's not about security it's about control
Backdoor key
Then design a system that requires each time an encrypted key is used the backdoor key must be registered and the Government, to confirm the key is properly registered, must send a response in writing.
I'm betting you can create and expire the keys faster than the bureaucracy can process the paper.
And swear to never hire those "experts" again.