“Encryption Backdoors and the Fourth Amendment”

Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective:

Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment’s requirement that this be reasonable. The first is that a challenge to the encryption backdoor might fail for want of a search or seizure. The Article rejects this both because the Amendment reaches some vulnerabilities apart from the searches and seizures they enable and because the creation of this vulnerability was itself a search or seizure. The second is that the role of the technology companies might have brought this backdoor within the private-search doctrine. The Article criticizes the doctrine­ particularly its origins in Burdeau v. McDowell­and argues that if it ever should apply, it should not here. The last is that the customers might have waived their Fourth Amendment rights under the third-party doctrine. The Article rejects this both because the customers were not on notice of the backdoor and because historical understandings of the Amendment would not have tolerated it. The Article concludes that none of these theories removed the Amendment’s reasonableness requirement.

Tags: , , , ,

Posted on July 22, 2025 at 7:05 AM13 Comments

Comments

Paul July 22, 2025 7:14 AM

As an outsider looking in, it seems to me that the idea that the US constitution matters any more is sort of touching!

Ian Stewart July 22, 2025 9:11 AM

Stories like this come round often; I read many years ago that Microsoft had given the FBI a back door. Whether it’s true or not I don’t know. However I have never trusted most technology companies. When I do trust a company I still encrypt information saved on secure cloud servers, even if they based in Switzerland or Norway. I trust these companies but government laws may change as they have recently in Germany and Holland.

I am not a constitutional lawyer but surely this also comes under the other privacy amendments, such as the fifth.

TimH July 22, 2025 10:44 AM

It comes back to “don’t talk to law enforcement”.

Anything you admit, no matter how insignificant it appears to you (such as your location), is something that they have to prove that they discovered in a lawful way.

Lawful usually means that firstly you were suspected for an articularable (!) reason, and that a judicial warrant was obtained to get the confirmation. In that order.

Winter July 22, 2025 11:59 AM

@Paul

As an outsider looking in, it seems to me that the idea that the US constitution matters any more is sort of touching!

I had the same “question”. Then someone made me realize.

Consider it this way. Would the Catholic Church, or any Orthodox church decide the bible does not matter anymore?

Without The Constitution, the whole idea if The United States does not make sense anymore.

Clive Robinson July 22, 2025 12:15 PM

@ Paul,

With regards,

“As an outsider looking in, it seems to me that the idea that the US constitution matters any more is sort of touching!”

Also as an outsider, I take a more extreme view of what is being done to the Constitution.

Put bluntly,

“There is no profit in the constitution.”

For those “self entitled” who view their views and incomes to be of the first importance.

About half of the US “economic activity” is based on the five or so Silicon Valley Mega Corps like Microsoft, Alphabet, Meta, Amazon and even Apple.

Thus what they say gets “legislator attention” in ways few of us can get our heads around.

If just one of those Corps was to fail then what happened with the Sub-Prime Mortgage will be considered just an economic side note. And as we know Sub-Prime led to a global recession we are still trying to climb out of and failing miserably to do so.

Most of those Mega Corps make their income from surveillance of their users, packaging their personal and private information up and pushing it out into what is laughingly called the “Advertising Market”.

Of course US legislation is going to ensure this continues as much as possible. But there is of course a cut out… To benefit from legislative protection the Mega Corps have to hand the “personal and private” user data across to the Government for no cost…

Bad for the 350million bodies in the US but consider the 8billion in the rest of the world who don’t even get the fig leaf of the shadow of the constitution.

My view point is in effect two fold,

1, Reliably encrypt everything you type that is even remotely personal and private.
2, Do not connect your computers you use for personal and private to any external communications.

Also be circumspect about what you do on line because it will be recorded and analysed.

Remember what was attributed to Cardinal Richelieu,

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

Well these days it’s rather more than that, in that it’s not what you write or say by which you will be hanged, it’s also where your eyes may wander.

All this “think of the children” nonsense with “age verification” has next to nothing to do with protecting anyone including children. In fact it is the very opposit, it’s being used to extract all sorts of personal and private data for profit.

https://www.theregister.com/2025/07/21/opinion_column_age_verification/

mrex July 22, 2025 3:02 PM

Honest Services Fraud (18 U.S. Code § 1346) would seem to apply, here. I was a little taken aback to see no mention of it.

not important July 23, 2025 6:02 PM

Trump unveils AI plan that aims to clamp down on regulations and ‘bias’
https://www.bbc.com/news/articles/c4g8nxrk207o

=President Donald Trump is expected to sign three related executive orders on Wednesday. One order will promote the international export of US-developed AI technologies, while another aims to root out what the administration describes as “woke” or ideologically biased AI systems.=

lurker July 23, 2025 8:08 PM

@not important
“We believe we’re in an AI race, and we want the United States to win that race,”

It could get scary if they win or not …

John July 24, 2025 7:05 AM

@Winter

“Without The Constitution, the whole idea if The United States does not make sense anymore.”

Agreed. The Americans are like the cartoon character who has run off the edge of the cliff into the air but hasn’t realised it yet.

Bloated Cow July 26, 2025 3:24 PM

It may be worth mentioning that our gracious host’s name is sprinkled throughout the footnotes of the referenced document.

Clive Robinson July 27, 2025 3:57 AM

@ Bloated Cow,

With regards,

“… host’s name is sprinkled throughout the footnotes of the referenced document.”

True, but most importantly you have not said why, or what you are hoping others will read into it?

So to correct that,

Bruce had a strong working relationship with Niels Ferguson “the man at Microsoft” who realised the mathematics of the backdoor and it’s properties.

As a result back in 2004 Bruce publicly gave voice to what had been upto that point more or less private suspicions by those close to or involved with the standards process. And continued to do so.

As a result Bruce became in many peoples eyes “the name” associated with it. As time moved forward almost a decade later the Ed Snowden revelations/trove in 2013 showed that the suspicions were more than justified.

Thus Bruce’s name had became synonymous with the not just the Public MSM side of it, but the academic papers side as his name got quoted over and over the “snow ball effect” happened.

Then the likes of the RSA got skewered for “taking a coercion from the NSA” and more and more evidence of the NSA badly “finessing” the Dual EC DRBG into NIST standards came out.

This in turn gave rise to others pointing out other crypto being pushed hard towards being put into NIST standards by the NSA was at best inadequate if not actually deficient.

Eventually NIST had no choice but to issue a revised standard without Dual EC, and stopped other standardisation processes where the NSA had been lets just say,

“Bullish with nonsense, rudeness, and arrogance”.

The thing is others who post to this blog had likewise been pointing out the historical progression of back doored crypto from even before the US NSA and UK GCHQ formerly existed. The man behind much of it in the US was William Friedman. And given time and FOI requests and similar his work on backdooring the worlds crypto became ever more clear[1].

If you look back in this blog you will find I detailed what was going on from the early days of mechanical field cipher machines with backdoored key-space strengths (C35/6)[1], through the NSA rigging the AES contest to make most implementations weak with side channels. How they encouraged Microsoft to make file formats predominately “known plaintext” at the begining such that attacking ciphertext was considerably easier and so on.

I also pointed out that if it was me doing the same thing, I’d go onto attacking “protocols” and “standards” both of which it later transpired the NSA and GCHQ did.

I even listed it as a hierarchy of attacks,

1, Standards
2, Protocols
3, Implementations
4, Plaintext
5, Key Space

And you can find it in various places on this blog and other documentation.

If you look, you will find much on this blog that was on average eight years ahead of the game. With some people getting upset about it and attacking posters on the blog, the blog it’s self, and the blogs host.

However Bruce has stuck with it, and if you look at Bruce’s work, you will see the roots of much of it in this blog and how it has influenced his thinking and in certain ways his direction in life.

As for Dual EC you will find he gives credit to the others involved where they are known to him and not scared of being named.

[1] Boris Hagelin in the 1930’s designed the method of what became the C-35 and C-36 US field cipher machines of WWII. It was based on a vending machine mechanical “coin counting” mechanism he had obtained the rights to. And from there he went on to set up Crypto AG in Zug Switzerland. That later became the subject of much intrigue possible assassination of his son and much controversy some of which involved the CIA and other SigInt and Intelligence agencies.

Less well known is the reason Boris got the break that nobody else did… It was William Friedman, who not just promoted the design but gave “suggestions” to Boris all through the history of Crypto AG’s mechanical cipher machines. In fact there is evidence that “other agencies” ensured that only Crypto AG “prospered” and made cipher machines for the second and third world countries to use. Hence the US through the US and UK SigInt agencies “back doored the world”.

ResearcherZero July 31, 2025 11:07 PM

There are no chips in my backdoor says NVIDIA. Bias may be added later, with security tacked on as an afterthought, once we work out how to do it. Foreign exports may have additionally capabilities, not for security, but rather for other purposes …

Don’t worry. The idea has been thought up by very important people. 😂

‘https://www.reuters.com/world/china/nvidia-says-its-chips-have-no-backdoors-after-china-flags-h20-security-concerns-2025-07-31/

ResearcherZero July 31, 2025 11:14 PM

@Clive Robinson, @ALL

None of those Silicon Valley companies got their start-up funding because they were concerned with customer privacy or security. Government contracts were the only concern.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.