Why you can’t backdoor cryptography

Once again the topic of backdooring cryptography is in the news. The same people will fight the same fight. Again. So far sanity has prevailed every time we do this, but that doesn’t mean anyone should sit this one out. Make sure you tell everyone to pay attention and care. Trustworthy cryptography is too important.

Given the language used, it sounds a lot like what’s really being discussed is having the ability to view chat apps, view emails, and unlock phones. All things with a consumer focus. They’ve lost this fight more times than we can count now; no doubt this change of direction is an attempt to spread confusion.

I also want to look at this from a slightly different angle this time. Generally we talk about how the technology behind a backdoor doesn’t work. That’s still true, but let’s pretend the technology could work. Maybe some grad student is finishing up a paper and next month we’ll hear about a new form of cryptography that can be backdoored without any technical problems. It actually can’t because people are the problem. This is like insisting we build a rocketship out of cardboard to go to the moon. Just no. But in this post, we’re going to pretend we have a technical solution. Put on your cardboard space helmet, it’s time to get real.

Geography

So let’s start with the easiest problem to understand. Geography. We live on a planet that is pretty big. It has a lot of countries and a lot of people. Even inside of countries there are different rules and jurisdictions. There are also a huge number of laws and departments that all do things differently. What happens when you visit another country? What about when someone comes to your country? If only one country has these laws, what happens? What if every country decided to do something like this? Have you ever seen two countries agree on anything this complex? They can’t even agree on simple things to be honest.

Geography is the easiest hurdle to understand and the biggest one here. There will no doubt be talk of how this will only affect American companies. Or only people in America, maybe even only American citizens. The problem with this is we live in a connected society. There’s no such thing as an “American company” anymore. Even small companies have staff and customers all over the globe. Do you think another country is going to do nothing if America decides it can spy on their citizens? This is not going to have a pleasant ending.

The fringe

What about the non-mainstream apps? There are hundreds of chat apps in any of the app stores. There are thousands of email providers. Many of us only know about a few of the options, but those who wish to do us harm know about all the non-mainstream options.

There are two possible ways this plays out with all the fringe solutions. One possibility is we don’t force the smaller players to include a backdoor. That would naturally drive the criminals to those apps and services. Word gets out pretty fast about what is and isn’t safe. Crime is an opportunistic industry; criminals will use whatever they can to their advantage.

The other possibility is small competitors are driven out of the market because they can’t possibly comply with a law like this. Adding a backdoor is going to be difficult. Ignoring the technical arguments, when you’re small, adding a feature that would have zero impact on the user experience is wasted resources. Small companies won’t be able to afford to innovate. This will effectively result in worse options as the big players have less competition.

Trust

Trust is starting to become really important. Is anyone going to really trust this process? This isn’t going to be like a wiretap law. Our phones are part of our life now. Many people would rather lose their wallet than their phone. Will you trust a phone or app that could leak all your secrets because you are suddenly a person of interest in an investigation?

It’s well known that people act differently when they know they are being watched. If you know you can’t trust your phone, your chat application, or even your email, that will change how you communicate and what you do. Modern free societies are built on trust; we forget that sometimes.

The why

The most important question we should be asking is the why. Why do they need this? Is there some huge number of unsolved crimes because WhatsApp chats couldn’t be viewed? Is there a warehouse of locked phones somewhere that’s stopping law enforcement from doing their jobs? We will of course never know the real why, but it’s not because law enforcement can’t do their job. In a healthy democracy law enforcement works to ensure the innocent are not charged with crimes they didn’t commit. Even with the current process there are problems. Do we honestly believe this program will result in fewer problems?

A program that gives the state access to our data isn’t going to make us safer. It’s not going to put more criminals behind bars. Why would we do something this disruptive that won’t drastically change things for the better? And if there is a compelling why, let’s hear it. The risk vs reward here doesn’t look very good.

The economics

The last and most important point is the economics that ties everything together. Technology that allows data to be encrypted on the Internet is why we trust the Internet. It’s what has driven most economic growth over the last decade. The positive change we have seen thanks to trustworthy encryption vastly outweighs the possible negative repercussions if we weaken our encryption. Think of it this way. If we give law enforcement the access they want, it comes with a real cost. Will that cost be offset by the crimes this would stop? I have a very strong suspicion the answer is “probably not”.

While we all have new and interesting technology today, law enforcement has new technology too. Rather than trying to recycle old ideas, figure out how you can leverage what you have and move the needle forward by innovating. This isn’t innovation, this is short-sighted nonsense.