Nominee US attorney-general senator Jeff Sessions has said the new administration will seek to “overcome encryption” in remarks that have been interpreted as a veiled reference to backdoors.
It’s worth stressing that at no point during his recent confirmation hearings did Jeff Sessions actually mention the term ‘backdoor‘ although he is on record as strongly supporting efforts by law enforcement to bypass encryption during police investigations.
Answering a question about the importance of encryption in protecting the US from cyberattack, Sessions wrote:
Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.
It’s a response that leaves Sessions trapped in the same contradictory world as his predecessors: he must simultaneously extol encryption as a security virtue but also rail against it as a vice that thwarts law and order.
It sums up the orthodoxy built up by over recent US administrations that the world’s leading tech superpower can have it both ways by unlocking fundamental security protections at its convenience.
The high point of this thinking was the NSA’s 1993 Clipper chip, a hardware backdoor that allowed eavesdropping on conversations sent over any telecoms networks using it. Every device containing Clipper was to have a symmetric encryption key assigned to it and stored in a secure system called an escrow. If the Feds fancied a wiretap, the key would be sent to them – and only them.
The idea eventually imploded as critics pointed out the absurdity of a backdoor the entire world knew about. How stupid would a criminal have to be to use such as system? By the time experts started worrying about criminals finding vulnerabilities in its makeup – unintended backdoors in the official backdoor, if you will – the idea had flatlined.
Today, the mere suggestion of encryption backdoors alarms tech companies who market themselves on security. This is one reason why many of them are today busily building layers of end-to-end encryption into the software their customers use.
As was seen during the 2016 court case between the FBI and Apple for access to the encrypted storage on the iPhone of the St Bernardino shooter, it also shifts the focus from them to the individual user.
According to reports, the FBI eventually found a way around the iPhone’s encryption by exploiting a software vulnerability in the way encryption had been implemented.
With mandated backdoors discredited, this is probably how intelligence services now approach the issue of backdoors. It’s not perfect because finding flaws big enough to give complete access are bound to be rarities, more so as software development improves.
But this doesn’t mean that the US government under Sessions will give up on the intellectual and legal arguments still seen as essential to lend credibility to whichever techniques they choose to use to bypass encryption.
It is the battle of ideas that will define the future for both the attackers and defenders of encryption. As Sophos says in its argument against backdoors:
Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.
For now at least, the world can’t be sure whether the next US attorney-general agrees.
Jonathon
Over-reaching encryption-disabling laws are the equivalent of over-reaching self-defense-prosecution laws: They harm the general public much, much more than criminals, who are ready, willing, and able to take advantage of any weakness in encryption.
Solid encryption generally leaves law enforcement to clean up the mess after an incident, but that’s better than them being able to use bad encryption to catch one incident, followed by more incidents with planning that is protected by “illegal” high-quality encryption, once the general criminal population comes to grips with the bad encryption. Then you’ll see solid, “illegal” encryption tools being distributed in malware-for-hire services and malware development kits. And because law enforcement expects everyone to use the bad encryption, they will be completely unprepared to counter an opponent that doesn’t use it.
Every law-abiding citizen has their good name… until they don’t. Once the identity theives steal your identity, you no longer have your own good name. It takes years to clean that up. We don’t need bad encryption making white-collar crime like that easier.
Roc RIzzo
Jeff Sessions wants to know what EVERYONE is doing, so that he can control them. He wants a master key and a secret back door to your house, for cryin’ out loud. Then, if you are not a white Christian, he wants to take away your right to vote, to start (as he did when he was a US District Court Judge in Alabama).
I wouldn’t trust him to clean toilets.
anon
One good thing may come from this attack on our freedoms and democracy itself. Just as gun sales rise every time our politicians focus on restrictions to gun ownership (rather than focusing on the root causes of crime), use of encryption products will increase. These products may not be made in America but they will be so much more effective than what we have now. Better encryption will encompass more devices and apps for more secure business and social transactions. Ultimately, encryption will become easier to use when more of us demand it and begin using it. Encryption is less of a tool for crime than it is a defence against crime.
Billy Reuben
This is an important reminder that the enemy to freedom is not a particular sitting president, or party in power; it’s liberty v oppression. The battle is the same, only the players change.
RichardD
“at no point during his recent confirmation hearings did Sessions not actually mention the term”
The (accidental?) double-negative in that sentence means that you’re saying he was *constantly* mentioning the term. “At no point did he NOT mention it.”
I assume you meant either, “at no point … did Sessions actually mention”, or “during … Sessions did not actually mention”.
Paul Ducklin
Fixed, thanks!