European Information Security Advisory Says Mandating Encryption Backdoors Will Just Make Everything Worse

from the solving-little,-breaking-lots dept

More and more entities involved in government work are coming out in support of encryption. (Unfortunately, many governments are still periodically entertaining backdoor legislation...) While recognizing the limits it places on law enforcement and surveillance agencies, they're not quite willing to sacrifice the security of everyone to make work easier for certain areas of the government.

The European Union for Network and Information Security (ENISA) has just released its report [PDF] on encryption and finds it to be pretty much essential for everyone's security. Any efforts to undermine this harms the public more than it helps them. (h/t Tom's Hardware)

There is a legitimate need to protect communications among individuals and between individuals and public and private organisations. Cryptography provides the electronic equivalent of letter cover, seal or rubber stamp and signature. In the light of terror attacks and organised crime, law enforcement and intelligence services have requested to create means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by terrorists and criminals, and lower trust in electronic services, which will eventually damage industry and civil society in the EU.

Mandating backdoors will hurt the countries where they're implemented, sending customers in search of secure computer equipment and services elsewhere. Beyond that, there's the fact that all backdoors can be exploited. Thousands or millions of device users could be negatively affected while very few criminals will suffer adverse effects. If a backdoor exists, it can be exploited by either "side," but only the criminal side will be able to protect itself from unwanted intrusion. Because if you're going to break a few laws, why not break one that forbids you from owning or operating devices with non-backdoored encryption?

Or you could just roll your own...

Technology is changing at a very fast pace. It is questionable if solutions such as backdoors will be effective given that criminals can develop their own encryption technologies.

As ENISA points out, it's not just exploitation by criminals that's the problem. It's also exploitation by government agencies, which may use the handy backdoors to collect/intercept far more than they're legally allowed to.

Judicial oversight may not be a perfect solution as different interpretations of the legislation may occur.

One agent's facially-invalid search warrant is the same agent's legally-unassailable judicial order. This is enough of a problem in the US, where multiple federal districts have resulted in contradictory opinions on identical legal arguments. In the European Union, the problem is only exacerbated. Not only are there multiple courts, but also multiple nations, all with their own laws. Sure, there's an attempt to unify guidance on technical/legal issues under the EU, but only so much can be done. Deciding what is or isn't abusive use of government-mandated backdoors is going to be far from consistent. And that, of course, requires a unified European stance on encryption backdoors, which isn't likely to happen either.

Ultimately, ENISA concludes that tech advancements do pose legitimate challenges to law enforcement/national security efforts, but backdoors are no way to solve the problem. But the solution it does suggest isn't much better. Here in the US, courts routinely defer to Congress when the remedy sought isn't within their power. Over in the EU, ENISA suggests legislative measures are the wrong approach.

Other procedural approaches should be explored that focus on the power of the judicial process to find solutions.

Unfortunately, ENISA does not drop any hints about how EU courts might be able to address government agencies' complaints about encryption. This suggests some sort of All Writs Ordering might be the way around being locked out of devices and computers -- blanket court orders that compel assistance from service providers and manufacturers under the threat of whatever the court can come up with. While this would cause less damage to security than mandated backdoors, a court-ordered backdoor is still a backdoor, and judicial oversight wouldn't be enough to prevent government abuse of these "one time only," purposefully-induced security holes.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, enisa, eu, europe, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Seegras (profile), 21 Dec 2016 @ 3:44am

    Surveillance is the biggest threat to security

    The question is simple:

    Do you really want to be responsible for terrorists taking down the electrical grid, using a backdoor you inserted, or a vulnerability you kept secret, because you wanted your surveillance capabilities?

    https://seegras.discordia.ch/Blog/the-biggest-threat-to-cyber-security-is-surveillance/

    link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
    icon
    ahmet (profile), 21 Dec 2016 @ 4:01am

    education

    Beylikdüzü Teog Kursu Beylikdüzü’nde butik eğitim, bire bir özel ders merkezi, etüt merkezi, eğitim koçluğu, Butik Dersane hizmetleri veren profesyonel bir eğitim kurumudur. 2011 yılından beri uzman eğitimcilerle hizmet veren kurumumuz her sene başarılarına yenilerini katmaktadır.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 21 Dec 2016 @ 5:06am

    Re: Surveillance is the biggest threat to security

    "The Electrical Grid" should not be made accessible to the internet. This is basic stuff here, not sure why some people don't get it.

    If it is critical infrastructure, it should remain air gapped and address most sigint precautions.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 21 Dec 2016 @ 5:06am

    Re: education

    Seriously?

    link to this | view in thread ]

  5. icon
    Ninja (profile), 21 Dec 2016 @ 5:20am

    "This suggests some sort of All Writs Ordering might be the way around being locked out of devices and computers"

    I call this the "we-the-government-are-damn-lazy-and-reek-of-totalitarianism" option.

    link to this | view in thread ]

  6. identicon
    I.T. Guy, 21 Dec 2016 @ 5:57am

    Re: education

    But... Do they serve beer?

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 21 Dec 2016 @ 6:12am

    Re:

    do you know of any other government?

    link to this | view in thread ]

  8. icon
    Machin Shin (profile), 21 Dec 2016 @ 6:16am

    What really makes this even worse the more I think about it is just how it would have to be put in place. It is bad enough to think about the US wanting a back door, but that is just one country. When you start thinking about it though and thinking about the US, and then EU, then Russia and so on. Suddenly it is not just a little backdoor it is a huge mess.

    Just think about that for a bit. I have serious doubts about the US security agencies being able to protect a backdoor key. You give copies of that key to 30 countries and each of them gives copies to who knows how many agencies inside the country..... suddenly your backdoor key can be found in hundreds of locations and all a hacker needs to do is break into the weakest location and it all falls.

    link to this | view in thread ]

  9. icon
    DannyB (profile), 21 Dec 2016 @ 6:21am

    A few nits

    Page 16.

    Conclusion 1.
    "While their [law enforcement] aims are legitimate, . . . ."

    [Citation Needed]
    One should no longer assume that the aims of law enforcement are legitimate. That ship has long since sailed.


    Conclusion 3.
    "given that criminals can develop their own encryption technologies"

    Criminals don't need to develop their own encryption technologies. There are already several good algorithms, well known, published in textbooks, and that do not have a back door and are unlikely to have a trap door.


    Conclusion 4.
    "New technologies which generate once off encryption keys between end users are now being deployed. These keys are not stored centrally by the operator. These types of technologies make lawful interception in a timely manner very difficult. There is every reason to believe that more technology advances will emerge that will continue to erode the possibility of identifying or ecrypting electronic communications."

    Oh, hey! I've got one! Let me try!
    Carry two devices. A regular phone with a mobile plan, just like most people. This provides network access either via WiFi or cellular. A second device, which has no SIM, and is always in Airplane mode, is used to run the communications app which does the encryption. They bad guys [eg, NSA, etc] might hack your phone, but it is only being used to pass already encrypted communications from the other device which has the app you use to communicate, and little else.

    link to this | view in thread ]

  10. identicon
    Donal Trump, 21 Dec 2016 @ 6:25am

    WRONG!

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 21 Dec 2016 @ 6:27am

    Re: Re:

    They go hand in hand with their corporate counterparts.

    If corporations are people, are any of them gay?

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 21 Dec 2016 @ 6:28am

    Re:

    Sniff

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 21 Dec 2016 @ 6:36am

    Online banking – it was good while it lasted.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 21 Dec 2016 @ 6:50am

    I am sick and tired of the need for the terrorist and criminal excuse for every single thing... in this case for NOT getting backdoor encryption!
    Don't get me wrong here, it is great and all, but it should be enough that we, the people, don't want it, and that quite a lot of smart people with extensive knowledge in the area have agreed!
    A majority have spoken and still it seems to require Terrorists and criminals in the reasoning to even be considered valid.

    link to this | view in thread ]

  15. icon
    DannyB (profile), 21 Dec 2016 @ 8:10am

    Re:

    Security is always the justification for creating a police state.

    Police work is easy in a police state.

    link to this | view in thread ]

  16. icon
    Arthur Moore (profile), 21 Dec 2016 @ 2:05pm

    Re: Re: Surveillance is the biggest threat to security

    The problem is that costs money.

    Plus, the embedded and process control people are still new to this whole "security" thing. Stuxnet and the IOT security disaster should be proof enough of that.

    No really, I'll bet you good money that if you go to any large plant or refinery and hook into a data bus you'll see large amounts of un-encrypted traffic. That's the data keeping machines and tanks from exploding.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 21 Dec 2016 @ 2:47pm

    Re: Re:

    Here it is being used for a purpose that I like (no holes in encryption), but it just shouldn't be necessary to stoop to the level where we have to use terrorism as an argument.
    An informed people will and have come out against such insane proposals, together with pretty much every expert in the field, and still it seems like "nah, if you don't have terrorists in your wording, we are just gonna do it anyway."

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 22 Dec 2016 @ 12:59am

    Re: Re: Re: Surveillance is the biggest threat to security

    I'll bet you good money that if you go to any large plant or refinery and hook into a data bus you'll see large amounts of un-encrypted traffic.

    If that is air gapped from the Internet, it needs physical access to get at, and with physical access data security is the least of their worries. An attacker just needs to know which valve to jam open, or which relay to jam in or out to do a lot of damage, and need not worry about how to use the data bus to do that.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.